f1caa523026d5a742676556b6f61319fba2f2887d4682ce1985facc25611737b

Analysis

max time kernel
2s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
29/12/2023, 23:24

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

06d9cee988ec6c86636207bcad00b769.exe
Size

1.9MB
MD5

06d9cee988ec6c86636207bcad00b769
SHA1

0c222db56c339bb1f1d418c656da72e27c7e75c3
SHA256

f1caa523026d5a742676556b6f61319fba2f2887d4682ce1985facc25611737b
SHA512

cb9d09dd95591c0b5a3a1580f8c8d03cd93b1cbe2b12ec4c9855b9b654b5527b42fdaf54994ce362ad2b99a70d14af25491d086c100ad15ae0a12f7eaa082292
SSDEEP

24576:Bm0BmmvFimm0MTP7hm0BmmvFimm0YBk6Fm0BmmvFimm0MTP7hm0BmmvFimm0G:5iLi9Bk6FiLiz

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 14 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Emhkdmlg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hkmefd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	06d9cee988ec6c86636207bcad00b769.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Emhkdmlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jedeph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	06d9cee988ec6c86636207bcad00b769.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ickchq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hkmefd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ickchq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imfdff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Imfdff32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jedeph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icgjmapi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Icgjmapi.exe

Executes dropped EXE 6 IoCs

pid	Process
1348	Emhkdmlg.exe
3044	Hkmefd32.exe
4988	Icgjmapi.exe
4900	Ickchq32.exe
4360	Imfdff32.exe
3120	Jedeph32.exe

Drops file in System32 directory 21 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Nabqkgan.dll	Ickchq32.exe
File created	C:\Windows\SysWOW64\Jedeph32.exe	Imfdff32.exe
File created	C:\Windows\SysWOW64\Jmmjgejj.exe	Jedeph32.exe
File opened for modification	C:\Windows\SysWOW64\Hkmefd32.exe	Emhkdmlg.exe
File created	C:\Windows\SysWOW64\Iledokkp.dll	Icgjmapi.exe
File created	C:\Windows\SysWOW64\Icgjmapi.exe	Hkmefd32.exe
File created	C:\Windows\SysWOW64\Ceacpg32.dll	Hkmefd32.exe
File opened for modification	C:\Windows\SysWOW64\Ickchq32.exe	Icgjmapi.exe
File created	C:\Windows\SysWOW64\Imfdff32.exe	Ickchq32.exe
File opened for modification	C:\Windows\SysWOW64\Imfdff32.exe	Ickchq32.exe
File opened for modification	C:\Windows\SysWOW64\Jedeph32.exe	Imfdff32.exe
File created	C:\Windows\SysWOW64\Ghkebndc.dll	06d9cee988ec6c86636207bcad00b769.exe
File created	C:\Windows\SysWOW64\Ieakglmn.dll	Emhkdmlg.exe
File created	C:\Windows\SysWOW64\Ickchq32.exe	Icgjmapi.exe
File created	C:\Windows\SysWOW64\Heapdjlp.exe	06d9cee988ec6c86636207bcad00b769.exe
File opened for modification	C:\Windows\SysWOW64\Heapdjlp.exe	06d9cee988ec6c86636207bcad00b769.exe
File created	C:\Windows\SysWOW64\Jiopcppf.dll	Imfdff32.exe
File opened for modification	C:\Windows\SysWOW64\Jmmjgejj.exe	Jedeph32.exe
File created	C:\Windows\SysWOW64\Dmamoe32.dll	Jedeph32.exe
File created	C:\Windows\SysWOW64\Hkmefd32.exe	Emhkdmlg.exe
File opened for modification	C:\Windows\SysWOW64\Icgjmapi.exe	Hkmefd32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6908	8180	WerFault.exe	429

Modifies registry class 24 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	06d9cee988ec6c86636207bcad00b769.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	06d9cee988ec6c86636207bcad00b769.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	06d9cee988ec6c86636207bcad00b769.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	06d9cee988ec6c86636207bcad00b769.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Emhkdmlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hkmefd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ickchq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ieakglmn.dll"	Emhkdmlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Emhkdmlg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hkmefd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iledokkp.dll"	Icgjmapi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Icgjmapi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ickchq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	06d9cee988ec6c86636207bcad00b769.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Icgjmapi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nabqkgan.dll"	Ickchq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmamoe32.dll"	Jedeph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jedeph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghkebndc.dll"	06d9cee988ec6c86636207bcad00b769.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ceacpg32.dll"	Hkmefd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Imfdff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jiopcppf.dll"	Imfdff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Imfdff32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jedeph32.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4756 wrote to memory of 1348	4756	06d9cee988ec6c86636207bcad00b769.exe	322
PID 4756 wrote to memory of 1348	4756	06d9cee988ec6c86636207bcad00b769.exe	322
PID 4756 wrote to memory of 1348	4756	06d9cee988ec6c86636207bcad00b769.exe	322
PID 1348 wrote to memory of 3044	1348	Emhkdmlg.exe	28
PID 1348 wrote to memory of 3044	1348	Emhkdmlg.exe	28
PID 1348 wrote to memory of 3044	1348	Emhkdmlg.exe	28
PID 3044 wrote to memory of 4988	3044	Hkmefd32.exe	29
PID 3044 wrote to memory of 4988	3044	Hkmefd32.exe	29
PID 3044 wrote to memory of 4988	3044	Hkmefd32.exe	29
PID 4988 wrote to memory of 4900	4988	Icgjmapi.exe	30
PID 4988 wrote to memory of 4900	4988	Icgjmapi.exe	30
PID 4988 wrote to memory of 4900	4988	Icgjmapi.exe	30
PID 4900 wrote to memory of 4360	4900	Ickchq32.exe	31
PID 4900 wrote to memory of 4360	4900	Ickchq32.exe	31
PID 4900 wrote to memory of 4360	4900	Ickchq32.exe	31
PID 4360 wrote to memory of 3120	4360	Imfdff32.exe	32
PID 4360 wrote to memory of 3120	4360	Imfdff32.exe	32
PID 4360 wrote to memory of 3120	4360	Imfdff32.exe	32

C:\Users\Admin\AppData\Local\Temp\06d9cee988ec6c86636207bcad00b769.exe
"C:\Users\Admin\AppData\Local\Temp\06d9cee988ec6c86636207bcad00b769.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4756
- C:\Windows\SysWOW64\Heapdjlp.exe
  C:\Windows\system32\Heapdjlp.exe
  2⤵
  PID:1348
- - C:\Windows\SysWOW64\Hkmefd32.exe
    C:\Windows\system32\Hkmefd32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3044
  - - C:\Windows\SysWOW64\Icgjmapi.exe
      C:\Windows\system32\Icgjmapi.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4988
    - - C:\Windows\SysWOW64\Ickchq32.exe
        
        C:\Windows\system32\Ickchq32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4900
      - C:\Windows\SysWOW64\Imfdff32.exe
        
        C:\Windows\system32\Imfdff32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4360
        
        C:\Windows\SysWOW64\Jedeph32.exe
        
        C:\Windows\system32\Jedeph32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3120
        
        C:\Windows\SysWOW64\Jmmjgejj.exe
        
        C:\Windows\system32\Jmmjgejj.exe
        8⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\Jblpek32.exe
        
        C:\Windows\system32\Jblpek32.exe
        9⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\Kpbmco32.exe
        
        C:\Windows\system32\Kpbmco32.exe
        10⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\Enbjad32.exe
        
        C:\Windows\system32\Enbjad32.exe
        9⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\Fealin32.exe
        
        C:\Windows\system32\Fealin32.exe
        10⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\Fmkqpkla.exe
        
        C:\Windows\system32\Fmkqpkla.exe
        11⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\Fmmmfj32.exe
        
        C:\Windows\system32\Fmmmfj32.exe
        12⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\Gppcmeem.exe
        
        C:\Windows\system32\Gppcmeem.exe
        13⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\Gbchdp32.exe
        
        C:\Windows\system32\Gbchdp32.exe
        14⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\Hibjli32.exe
        
        C:\Windows\system32\Hibjli32.exe
        15⤵
        
        PID:2284

C:\Windows\SysWOW64\Kedoge32.exe
C:\Windows\system32\Kedoge32.exe
1⤵
PID:2404
- C:\Windows\SysWOW64\Kdgljmcd.exe
  C:\Windows\system32\Kdgljmcd.exe
  2⤵
  PID:1416
- - C:\Windows\SysWOW64\Llemdo32.exe
    C:\Windows\system32\Llemdo32.exe
    3⤵
    PID:3500
  - - C:\Windows\SysWOW64\Llgjjnlj.exe
      C:\Windows\system32\Llgjjnlj.exe
      4⤵
      PID:3952

C:\Windows\SysWOW64\Lljfpnjg.exe
C:\Windows\system32\Lljfpnjg.exe
1⤵
PID:4452
- C:\Windows\SysWOW64\Medgncoe.exe
  C:\Windows\system32\Medgncoe.exe
  2⤵
  PID:4180
- - C:\Windows\SysWOW64\Mckemg32.exe
    C:\Windows\system32\Mckemg32.exe
    3⤵
    PID:4620
  - - C:\Windows\SysWOW64\Migjoaaf.exe
      C:\Windows\system32\Migjoaaf.exe
      4⤵
      PID:224

C:\Windows\SysWOW64\Ncfdie32.exe
C:\Windows\system32\Ncfdie32.exe
1⤵
PID:2400
- C:\Windows\SysWOW64\Njciko32.exe
  C:\Windows\system32\Njciko32.exe
  2⤵
  PID:1952
- - C:\Windows\SysWOW64\Oponmilc.exe
    C:\Windows\system32\Oponmilc.exe
    3⤵
    PID:3604
  - - C:\Windows\SysWOW64\Ogkcpbam.exe
      C:\Windows\system32\Ogkcpbam.exe
      4⤵
      PID:4632
    - - C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        5⤵
        
        PID:4296

C:\Windows\SysWOW64\Ogbipa32.exe
C:\Windows\system32\Ogbipa32.exe
1⤵
PID:4540
- C:\Windows\SysWOW64\Pmannhhj.exe
  C:\Windows\system32\Pmannhhj.exe
  2⤵
  PID:216

C:\Windows\SysWOW64\Pdkcde32.exe
C:\Windows\system32\Pdkcde32.exe
1⤵
PID:3428
- C:\Windows\SysWOW64\Pgllfp32.exe
  C:\Windows\system32\Pgllfp32.exe
  2⤵
  PID:2016

C:\Windows\SysWOW64\Qnhahj32.exe
C:\Windows\system32\Qnhahj32.exe
1⤵
PID:2284
- C:\Windows\SysWOW64\Qddfkd32.exe
  C:\Windows\system32\Qddfkd32.exe
  2⤵
  PID:376
- - C:\Windows\SysWOW64\Aeiofcji.exe
    C:\Windows\system32\Aeiofcji.exe
    3⤵
    PID:3944
  - - C:\Windows\SysWOW64\Aabmqd32.exe
      C:\Windows\system32\Aabmqd32.exe
      4⤵
      PID:1504
    - - C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        5⤵
        
        PID:3876
      - C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        6⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        7⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        8⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        9⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        10⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        11⤵
        
        PID:4200
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        12⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        13⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        14⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        15⤵
        
        PID:812
        
        C:\Windows\SysWOW64\Eajeon32.exe
        
        C:\Windows\system32\Eajeon32.exe
        16⤵
        
        PID:5232
        
        C:\Windows\SysWOW64\Eobocb32.exe
        
        C:\Windows\system32\Eobocb32.exe
        17⤵
        
        PID:5288
        
        C:\Windows\SysWOW64\Feocelll.exe
        
        C:\Windows\system32\Feocelll.exe
        18⤵
        
        PID:5328
        
        C:\Windows\SysWOW64\Fhpmgg32.exe
        
        C:\Windows\system32\Fhpmgg32.exe
        19⤵
        
        PID:5376
        
        C:\Windows\SysWOW64\Fkqeib32.exe
        
        C:\Windows\system32\Fkqeib32.exe
        20⤵
        
        PID:5432
        
        C:\Windows\SysWOW64\Fehfljca.exe
        
        C:\Windows\system32\Fehfljca.exe
        21⤵
        
        PID:5472
        
        C:\Windows\SysWOW64\Ghipne32.exe
        
        C:\Windows\system32\Ghipne32.exe
        22⤵
        
        PID:5512
        
        C:\Windows\SysWOW64\Ggnlobej.exe
        
        C:\Windows\system32\Ggnlobej.exe
        23⤵
        
        PID:5552
        
        C:\Windows\SysWOW64\Ghniielm.exe
        
        C:\Windows\system32\Ghniielm.exe
        24⤵
        
        PID:5592
        
        C:\Windows\SysWOW64\Ghpendjj.exe
        
        C:\Windows\system32\Ghpendjj.exe
        25⤵
        
        PID:5640
        
        C:\Windows\SysWOW64\Gkaopp32.exe
        
        C:\Windows\system32\Gkaopp32.exe
        26⤵
        
        PID:5680
        
        C:\Windows\SysWOW64\Hnagak32.exe
        
        C:\Windows\system32\Hnagak32.exe
        27⤵
        
        PID:5720
        
        C:\Windows\SysWOW64\Hbpphi32.exe
        
        C:\Windows\system32\Hbpphi32.exe
        28⤵
        
        PID:5760
        
        C:\Windows\SysWOW64\Hdpiid32.exe
        
        C:\Windows\system32\Hdpiid32.exe
        29⤵
        
        PID:5804
        
        C:\Windows\SysWOW64\Hgabkoee.exe
        
        C:\Windows\system32\Hgabkoee.exe
        30⤵
        
        PID:5852
        
        C:\Windows\SysWOW64\Ikokan32.exe
        
        C:\Windows\system32\Ikokan32.exe
        31⤵
        
        PID:5900
        
        C:\Windows\SysWOW64\Iomcgl32.exe
        
        C:\Windows\system32\Iomcgl32.exe
        32⤵
        
        PID:5952
        
        C:\Windows\SysWOW64\Ibpiogmp.exe
        
        C:\Windows\system32\Ibpiogmp.exe
        33⤵
        
        PID:6032
        
        C:\Windows\SysWOW64\Jkkjmlan.exe
        
        C:\Windows\system32\Jkkjmlan.exe
        34⤵
        
        PID:6076
        
        C:\Windows\SysWOW64\Jiaglp32.exe
        
        C:\Windows\system32\Jiaglp32.exe
        35⤵
        
        PID:6120
        
        C:\Windows\SysWOW64\Jieagojp.exe
        
        C:\Windows\system32\Jieagojp.exe
        36⤵
        
        PID:5172
        
        C:\Windows\SysWOW64\Kpbfii32.exe
        
        C:\Windows\system32\Kpbfii32.exe
        37⤵
        
        PID:5296
        
        C:\Windows\SysWOW64\Kngcje32.exe
        
        C:\Windows\system32\Kngcje32.exe
        38⤵
        
        PID:5424
        
        C:\Windows\SysWOW64\Kpgodhkd.exe
        
        C:\Windows\system32\Kpgodhkd.exe
        39⤵
        
        PID:5504
        
        C:\Windows\SysWOW64\Kfcdfbqo.exe
        
        C:\Windows\system32\Kfcdfbqo.exe
        40⤵
        
        PID:5588
        
        C:\Windows\SysWOW64\Lnqeqd32.exe
        
        C:\Windows\system32\Lnqeqd32.exe
        41⤵
        
        PID:5704
        
        C:\Windows\SysWOW64\Locbfd32.exe
        
        C:\Windows\system32\Locbfd32.exe
        42⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\Lpbopfag.exe
        
        C:\Windows\system32\Lpbopfag.exe
        43⤵
        
        PID:5788
        
        C:\Windows\SysWOW64\Loglacfo.exe
        
        C:\Windows\system32\Loglacfo.exe
        44⤵
        
        PID:5600
        
        C:\Windows\SysWOW64\Mhbmphjm.exe
        
        C:\Windows\system32\Mhbmphjm.exe
        45⤵
        
        PID:6064
        
        C:\Windows\SysWOW64\Mlpeff32.exe
        
        C:\Windows\system32\Mlpeff32.exe
        46⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\Mpnnle32.exe
        
        C:\Windows\system32\Mpnnle32.exe
        47⤵
        
        PID:5368
        
        C:\Windows\SysWOW64\Nemcjk32.exe
        
        C:\Windows\system32\Nemcjk32.exe
        48⤵
        
        PID:5548
        
        C:\Windows\SysWOW64\Niklpj32.exe
        
        C:\Windows\system32\Niklpj32.exe
        49⤵
        
        PID:5676
        
        C:\Windows\SysWOW64\Ngaionfl.exe
        
        C:\Windows\system32\Ngaionfl.exe
        50⤵
        
        PID:5876
        
        C:\Windows\SysWOW64\Nookip32.exe
        
        C:\Windows\system32\Nookip32.exe
        51⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\Edoencdm.exe
        
        C:\Windows\system32\Edoencdm.exe
        45⤵
        
        PID:7496
        
        C:\Windows\SysWOW64\Cdaile32.exe
        
        C:\Windows\system32\Cdaile32.exe
        16⤵
        
        PID:7468
        
        C:\Windows\SysWOW64\Dinael32.exe
        
        C:\Windows\system32\Dinael32.exe
        17⤵
        
        PID:7520
- C:\Windows\SysWOW64\Hblkjo32.exe
  C:\Windows\system32\Hblkjo32.exe
  2⤵
  PID:1836
- - C:\Windows\SysWOW64\Iebngial.exe
    C:\Windows\system32\Iebngial.exe
    3⤵
    PID:4188
  - - C:\Windows\SysWOW64\Iibccgep.exe
      C:\Windows\system32\Iibccgep.exe
      4⤵
      PID:4296
    - - C:\Windows\SysWOW64\Ilcldb32.exe
        
        C:\Windows\system32\Ilcldb32.exe
        5⤵
        
        PID:5236
      - C:\Windows\SysWOW64\Jocefm32.exe
        
        C:\Windows\system32\Jocefm32.exe
        6⤵
        
        PID:316
        
        C:\Windows\SysWOW64\Jlgepanl.exe
        
        C:\Windows\system32\Jlgepanl.exe
        7⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\Jpenfp32.exe
        
        C:\Windows\system32\Jpenfp32.exe
        8⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\Jphkkpbp.exe
        
        C:\Windows\system32\Jphkkpbp.exe
        9⤵
        
        PID:3876
        
        C:\Windows\SysWOW64\Kcidmkpq.exe
        
        C:\Windows\system32\Kcidmkpq.exe
        10⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\Kgflcifg.exe
        
        C:\Windows\system32\Kgflcifg.exe
        11⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\Koaagkcb.exe
        
        C:\Windows\system32\Koaagkcb.exe
        12⤵
        
        PID:8184
        
        C:\Windows\SysWOW64\Kcpjnjii.exe
        
        C:\Windows\system32\Kcpjnjii.exe
        13⤵
        
        PID:5872
        
        C:\Windows\SysWOW64\Kpcjgnhb.exe
        
        C:\Windows\system32\Kpcjgnhb.exe
        14⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\Lpfgmnfp.exe
        
        C:\Windows\system32\Lpfgmnfp.exe
        15⤵
        
        PID:1960

C:\Windows\SysWOW64\Ndaggimg.exe
C:\Windows\system32\Ndaggimg.exe
1⤵
PID:1492

C:\Windows\SysWOW64\Mlhbal32.exe
C:\Windows\system32\Mlhbal32.exe
1⤵
PID:316

C:\Windows\SysWOW64\Kfoafi32.exe
C:\Windows\system32\Kfoafi32.exe
1⤵
PID:3804

C:\Windows\SysWOW64\Ocmconhk.exe
C:\Windows\system32\Ocmconhk.exe
1⤵
PID:3504
- C:\Windows\SysWOW64\Ohlimd32.exe
  C:\Windows\system32\Ohlimd32.exe
  2⤵
  PID:5284
- - C:\Windows\SysWOW64\Opemca32.exe
    C:\Windows\system32\Opemca32.exe
    3⤵
    PID:6200
  - - C:\Windows\SysWOW64\Pgbbek32.exe
      C:\Windows\system32\Pgbbek32.exe
      4⤵
      PID:6248
    - - C:\Windows\SysWOW64\Phelcc32.exe
        
        C:\Windows\system32\Phelcc32.exe
        5⤵
        
        PID:6300
      - C:\Windows\SysWOW64\Pjgebf32.exe
        
        C:\Windows\system32\Pjgebf32.exe
        6⤵
        
        PID:6348
        
        C:\Windows\SysWOW64\Plhnda32.exe
        
        C:\Windows\system32\Plhnda32.exe
        7⤵
        
        PID:6392
        
        C:\Windows\SysWOW64\Qhonib32.exe
        
        C:\Windows\system32\Qhonib32.exe
        8⤵
        
        PID:6440
        
        C:\Windows\SysWOW64\Qhakoa32.exe
        
        C:\Windows\system32\Qhakoa32.exe
        9⤵
        
        PID:6484
        
        C:\Windows\SysWOW64\Ajqgidij.exe
        
        C:\Windows\system32\Ajqgidij.exe
        10⤵
        
        PID:6528
        
        C:\Windows\SysWOW64\Afghneoo.exe
        
        C:\Windows\system32\Afghneoo.exe
        11⤵
        
        PID:6568
        
        C:\Windows\SysWOW64\Aggegh32.exe
        
        C:\Windows\system32\Aggegh32.exe
        12⤵
        
        PID:6612
        
        C:\Windows\SysWOW64\Aijnep32.exe
        
        C:\Windows\system32\Aijnep32.exe
        13⤵
        
        PID:6656
        
        C:\Windows\SysWOW64\Aimkjp32.exe
        
        C:\Windows\system32\Aimkjp32.exe
        14⤵
        
        PID:6696
        
        C:\Windows\SysWOW64\Biogppeg.exe
        
        C:\Windows\system32\Biogppeg.exe
        15⤵
        
        PID:6736
        
        C:\Windows\SysWOW64\Biadeoce.exe
        
        C:\Windows\system32\Biadeoce.exe
        16⤵
        
        PID:6776
        
        C:\Windows\SysWOW64\Bqkill32.exe
        
        C:\Windows\system32\Bqkill32.exe
        17⤵
        
        PID:6816
        
        C:\Windows\SysWOW64\Bqmeal32.exe
        
        C:\Windows\system32\Bqmeal32.exe
        18⤵
        
        PID:6868
        
        C:\Windows\SysWOW64\Cqpbglno.exe
        
        C:\Windows\system32\Cqpbglno.exe
        19⤵
        
        PID:6908
        
        C:\Windows\SysWOW64\Cpeohh32.exe
        
        C:\Windows\system32\Cpeohh32.exe
        20⤵
        
        PID:6948
        
        C:\Windows\SysWOW64\Cpglnhad.exe
        
        C:\Windows\system32\Cpglnhad.exe
        21⤵
        
        PID:6988
        
        C:\Windows\SysWOW64\Cceddf32.exe
        
        C:\Windows\system32\Cceddf32.exe
        22⤵
        
        PID:7032
        
        C:\Windows\SysWOW64\Cpleig32.exe
        
        C:\Windows\system32\Cpleig32.exe
        23⤵
        
        PID:7076
        
        C:\Windows\SysWOW64\Dgejpd32.exe
        
        C:\Windows\system32\Dgejpd32.exe
        24⤵
        
        PID:7120
        
        C:\Windows\SysWOW64\Dikpbl32.exe
        
        C:\Windows\system32\Dikpbl32.exe
        25⤵
        
        PID:7160
        
        C:\Windows\SysWOW64\Ddadpdmn.exe
        
        C:\Windows\system32\Ddadpdmn.exe
        26⤵
        
        PID:6180
        
        C:\Windows\SysWOW64\Dpgeee32.exe
        
        C:\Windows\system32\Dpgeee32.exe
        27⤵
        
        PID:6296
        
        C:\Windows\SysWOW64\Edemkd32.exe
        
        C:\Windows\system32\Edemkd32.exe
        28⤵
        
        PID:776
        
        C:\Windows\SysWOW64\Edhjqc32.exe
        
        C:\Windows\system32\Edhjqc32.exe
        29⤵
        
        PID:6436
        
        C:\Windows\SysWOW64\Ehfcfb32.exe
        
        C:\Windows\system32\Ehfcfb32.exe
        30⤵
        
        PID:6512
        
        C:\Windows\SysWOW64\Efkphnbd.exe
        
        C:\Windows\system32\Efkphnbd.exe
        31⤵
        
        PID:6580
        
        C:\Windows\SysWOW64\Fkihnmhj.exe
        
        C:\Windows\system32\Fkihnmhj.exe
        32⤵
        
        PID:6648
        
        C:\Windows\SysWOW64\Fineoi32.exe
        
        C:\Windows\system32\Fineoi32.exe
        33⤵
        
        PID:6728
        
        C:\Windows\SysWOW64\Fknbil32.exe
        
        C:\Windows\system32\Fknbil32.exe
        34⤵
        
        PID:6796
        
        C:\Windows\SysWOW64\Fkpool32.exe
        
        C:\Windows\system32\Fkpool32.exe
        35⤵
        
        PID:6876
        
        C:\Windows\SysWOW64\Fkbkdkpp.exe
        
        C:\Windows\system32\Fkbkdkpp.exe
        36⤵
        
        PID:6940
        
        C:\Windows\SysWOW64\Gdmmbq32.exe
        
        C:\Windows\system32\Gdmmbq32.exe
        37⤵
        
        PID:7016
        
        C:\Windows\SysWOW64\Gkiaej32.exe
        
        C:\Windows\system32\Gkiaej32.exe
        38⤵
        
        PID:4036
        
        C:\Windows\SysWOW64\Ginnfgop.exe
        
        C:\Windows\system32\Ginnfgop.exe
        39⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\Giqkkf32.exe
        
        C:\Windows\system32\Giqkkf32.exe
        40⤵
        
        PID:7144
        
        C:\Windows\SysWOW64\Hncmmd32.exe
        
        C:\Windows\system32\Hncmmd32.exe
        41⤵
        
        PID:6232
        
        C:\Windows\SysWOW64\Hdpbon32.exe
        
        C:\Windows\system32\Hdpbon32.exe
        42⤵
        
        PID:6404
        
        C:\Windows\SysWOW64\Iklgah32.exe
        
        C:\Windows\system32\Iklgah32.exe
        43⤵
        
        PID:6508
        
        C:\Windows\SysWOW64\Iahlcaol.exe
        
        C:\Windows\system32\Iahlcaol.exe
        44⤵
        
        PID:6676
        
        C:\Windows\SysWOW64\Ikcmbfcj.exe
        
        C:\Windows\system32\Ikcmbfcj.exe
        45⤵
        
        PID:6812
        
        C:\Windows\SysWOW64\Ijhjcchb.exe
        
        C:\Windows\system32\Ijhjcchb.exe
        46⤵
        
        PID:6624
        
        C:\Windows\SysWOW64\Jnfcia32.exe
        
        C:\Windows\system32\Jnfcia32.exe
        47⤵
        
        PID:6524
        
        C:\Windows\SysWOW64\Jnkldqkc.exe
        
        C:\Windows\system32\Jnkldqkc.exe
        48⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\Jnpfop32.exe
        
        C:\Windows\system32\Jnpfop32.exe
        49⤵
        
        PID:6192
        
        C:\Windows\SysWOW64\Kkjlic32.exe
        
        C:\Windows\system32\Kkjlic32.exe
        50⤵
        
        PID:5156
        
        C:\Windows\SysWOW64\Leenhhdn.exe
        
        C:\Windows\system32\Leenhhdn.exe
        51⤵
        
        PID:5152
        
        C:\Windows\SysWOW64\Lgffic32.exe
        
        C:\Windows\system32\Lgffic32.exe
        52⤵
        
        PID:6896
        
        C:\Windows\SysWOW64\Lbngllob.exe
        
        C:\Windows\system32\Lbngllob.exe
        53⤵
        
        PID:7028
        
        C:\Windows\SysWOW64\Ljkifn32.exe
        
        C:\Windows\system32\Ljkifn32.exe
        54⤵
        
        PID:3152
        
        C:\Windows\SysWOW64\Mbenmk32.exe
        
        C:\Windows\system32\Mbenmk32.exe
        55⤵
        
        PID:6432
        
        C:\Windows\SysWOW64\Mjbogmdb.exe
        
        C:\Windows\system32\Mjbogmdb.exe
        56⤵
        
        PID:6664
        
        C:\Windows\SysWOW64\Mjellmbp.exe
        
        C:\Windows\system32\Mjellmbp.exe
        57⤵
        
        PID:6968
        
        C:\Windows\SysWOW64\Naaqofgj.exe
        
        C:\Windows\system32\Naaqofgj.exe
        58⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\Nafjjf32.exe
        
        C:\Windows\system32\Nafjjf32.exe
        59⤵
        
        PID:6480
        
        C:\Windows\SysWOW64\Niooqcad.exe
        
        C:\Windows\system32\Niooqcad.exe
        60⤵
        
        PID:6936
        
        C:\Windows\SysWOW64\Nhdlao32.exe
        
        C:\Windows\system32\Nhdlao32.exe
        61⤵
        
        PID:7152
        
        C:\Windows\SysWOW64\Oblmdhdo.exe
        
        C:\Windows\system32\Oblmdhdo.exe
        62⤵
        
        PID:6800
        
        C:\Windows\SysWOW64\Oaajed32.exe
        
        C:\Windows\system32\Oaajed32.exe
        63⤵
        
        PID:6620
        
        C:\Windows\SysWOW64\Oeoblb32.exe
        
        C:\Windows\system32\Oeoblb32.exe
        64⤵
        
        PID:7128
        
        C:\Windows\SysWOW64\Oimkbaed.exe
        
        C:\Windows\system32\Oimkbaed.exe
        65⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\Piphgq32.exe
        
        C:\Windows\system32\Piphgq32.exe
        66⤵
        
        PID:7212
        
        C:\Windows\SysWOW64\Pefhlaie.exe
        
        C:\Windows\system32\Pefhlaie.exe
        67⤵
        
        PID:7260
        
        C:\Windows\SysWOW64\Pamiaboj.exe
        
        C:\Windows\system32\Pamiaboj.exe
        68⤵
        
        PID:7308
        
        C:\Windows\SysWOW64\Poajkgnc.exe
        
        C:\Windows\system32\Poajkgnc.exe
        69⤵
        
        PID:7360
        
        C:\Windows\SysWOW64\Pcobaedj.exe
        
        C:\Windows\system32\Pcobaedj.exe
        70⤵
        
        PID:7404
        
        C:\Windows\SysWOW64\Qofcff32.exe
        
        C:\Windows\system32\Qofcff32.exe
        71⤵
        
        PID:7448
        
        C:\Windows\SysWOW64\Qcclld32.exe
        
        C:\Windows\system32\Qcclld32.exe
        72⤵
        
        PID:7496
        
        C:\Windows\SysWOW64\Aojlaeei.exe
        
        C:\Windows\system32\Aojlaeei.exe
        73⤵
        
        PID:7544
        
        C:\Windows\SysWOW64\Aomifecf.exe
        
        C:\Windows\system32\Aomifecf.exe
        74⤵
        
        PID:7588
        
        C:\Windows\SysWOW64\Akcjkfij.exe
        
        C:\Windows\system32\Akcjkfij.exe
        75⤵
        
        PID:7636
        
        C:\Windows\SysWOW64\Aoabad32.exe
        
        C:\Windows\system32\Aoabad32.exe
        76⤵
        
        PID:7680
        
        C:\Windows\SysWOW64\Bhldpj32.exe
        
        C:\Windows\system32\Bhldpj32.exe
        77⤵
        
        PID:7720
        
        C:\Windows\SysWOW64\Bljlfh32.exe
        
        C:\Windows\system32\Bljlfh32.exe
        78⤵
        
        PID:7764
        
        C:\Windows\SysWOW64\Bhamkipi.exe
        
        C:\Windows\system32\Bhamkipi.exe
        79⤵
        
        PID:7804
        
        C:\Windows\SysWOW64\Bombmcec.exe
        
        C:\Windows\system32\Bombmcec.exe
        80⤵
        
        PID:7848
        
        C:\Windows\SysWOW64\Bkdcbd32.exe
        
        C:\Windows\system32\Bkdcbd32.exe
        81⤵
        
        PID:7892
        
        C:\Windows\SysWOW64\Cjgpfk32.exe
        
        C:\Windows\system32\Cjgpfk32.exe
        82⤵
        
        PID:7936
        
        C:\Windows\SysWOW64\Cimmggfl.exe
        
        C:\Windows\system32\Cimmggfl.exe
        83⤵
        
        PID:7980
        
        C:\Windows\SysWOW64\Cjliajmo.exe
        
        C:\Windows\system32\Cjliajmo.exe
        84⤵
        
        PID:8028
        
        C:\Windows\SysWOW64\Cjnffjkl.exe
        
        C:\Windows\system32\Cjnffjkl.exe
        85⤵
        
        PID:8072
        
        C:\Windows\SysWOW64\Dfefkkqp.exe
        
        C:\Windows\system32\Dfefkkqp.exe
        86⤵
        
        PID:8120
        
        C:\Windows\SysWOW64\Dblgpl32.exe
        
        C:\Windows\system32\Dblgpl32.exe
        87⤵
        
        PID:8160
        
        C:\Windows\SysWOW64\Dpphjp32.exe
        
        C:\Windows\system32\Dpphjp32.exe
        88⤵
        
        PID:6808
        
        C:\Windows\SysWOW64\Dlghoa32.exe
        
        C:\Windows\system32\Dlghoa32.exe
        89⤵
        
        PID:7244
        
        C:\Windows\SysWOW64\Dikihe32.exe
        
        C:\Windows\system32\Dikihe32.exe
        90⤵
        
        PID:7300
        
        C:\Windows\SysWOW64\Dpgnjo32.exe
        
        C:\Windows\system32\Dpgnjo32.exe
        91⤵
        
        PID:7372
        
        C:\Windows\SysWOW64\Epikpo32.exe
        
        C:\Windows\system32\Epikpo32.exe
        92⤵
        
        PID:7432
        
        C:\Windows\SysWOW64\Ecgcfm32.exe
        
        C:\Windows\system32\Ecgcfm32.exe
        93⤵
        
        PID:7508
        
        C:\Windows\SysWOW64\Eblpgjha.exe
        
        C:\Windows\system32\Eblpgjha.exe
        94⤵
        
        PID:7584
        
        C:\Windows\SysWOW64\Efjimhnh.exe
        
        C:\Windows\system32\Efjimhnh.exe
        95⤵
        
        PID:7664
        
        C:\Windows\SysWOW64\Fpejlmcf.exe
        
        C:\Windows\system32\Fpejlmcf.exe
        96⤵
        
        PID:7784
        
        C:\Windows\SysWOW64\Fpggamqc.exe
        
        C:\Windows\system32\Fpggamqc.exe
        97⤵
        
        PID:7860
        
        C:\Windows\SysWOW64\Flngfn32.exe
        
        C:\Windows\system32\Flngfn32.exe
        98⤵
        
        PID:7624
        
        C:\Windows\SysWOW64\Fplpll32.exe
        
        C:\Windows\system32\Fplpll32.exe
        99⤵
        
        PID:8016
        
        C:\Windows\SysWOW64\Gdjibj32.exe
        
        C:\Windows\system32\Gdjibj32.exe
        100⤵
        
        PID:8096
        
        C:\Windows\SysWOW64\Gfkbde32.exe
        
        C:\Windows\system32\Gfkbde32.exe
        101⤵
        
        PID:8168
        
        C:\Windows\SysWOW64\Gikkfqmf.exe
        
        C:\Windows\system32\Gikkfqmf.exe
        102⤵
        
        PID:7232
        
        C:\Windows\SysWOW64\Gmiclo32.exe
        
        C:\Windows\system32\Gmiclo32.exe
        103⤵
        
        PID:7352
        
        C:\Windows\SysWOW64\Hpjmnjqn.exe
        
        C:\Windows\system32\Hpjmnjqn.exe
        104⤵
        
        PID:7992
        
        C:\Windows\SysWOW64\Hlambk32.exe
        
        C:\Windows\system32\Hlambk32.exe
        105⤵
        
        PID:7580
        
        C:\Windows\SysWOW64\Hpofii32.exe
        
        C:\Windows\system32\Hpofii32.exe
        106⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\Hpabni32.exe
        
        C:\Windows\system32\Hpabni32.exe
        107⤵
        
        PID:7792
        
        C:\Windows\SysWOW64\Hcblpdgg.exe
        
        C:\Windows\system32\Hcblpdgg.exe
        108⤵
        
        PID:7948
        
        C:\Windows\SysWOW64\Ilmmni32.exe
        
        C:\Windows\system32\Ilmmni32.exe
        109⤵
        
        PID:8080
        
        C:\Windows\SysWOW64\Iloidijb.exe
        
        C:\Windows\system32\Iloidijb.exe
        110⤵
        
        PID:7176
        
        C:\Windows\SysWOW64\Innfnl32.exe
        
        C:\Windows\system32\Innfnl32.exe
        111⤵
        
        PID:7368
        
        C:\Windows\SysWOW64\Idkkpf32.exe
        
        C:\Windows\system32\Idkkpf32.exe
        112⤵
        
        PID:7572
        
        C:\Windows\SysWOW64\Jcbdgb32.exe
        
        C:\Windows\system32\Jcbdgb32.exe
        113⤵
        
        PID:7748
        
        C:\Windows\SysWOW64\Jklinohd.exe
        
        C:\Windows\system32\Jklinohd.exe
        114⤵
        
        PID:8008
        
        C:\Windows\SysWOW64\Jqknkedi.exe
        
        C:\Windows\system32\Jqknkedi.exe
        115⤵
        
        PID:7208
        
        C:\Windows\SysWOW64\Kdigadjo.exe
        
        C:\Windows\system32\Kdigadjo.exe
        116⤵
        
        PID:7336
        
        C:\Windows\SysWOW64\Kjhloj32.exe
        
        C:\Windows\system32\Kjhloj32.exe
        117⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\Kcbnnpka.exe
        
        C:\Windows\system32\Kcbnnpka.exe
        118⤵
        
        PID:7812
        
        C:\Windows\SysWOW64\Kcejco32.exe
        
        C:\Windows\system32\Kcejco32.exe
        119⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\Ljaoeini.exe
        
        C:\Windows\system32\Ljaoeini.exe
        120⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\Lclpdncg.exe
        
        C:\Windows\system32\Lclpdncg.exe
        121⤵
        
        PID:3656
        
        C:\Windows\SysWOW64\Lcnmin32.exe
        
        C:\Windows\system32\Lcnmin32.exe
        122⤵
        
        PID:468
        
        C:\Windows\SysWOW64\Mglfplgk.exe
        
        C:\Windows\system32\Mglfplgk.exe
        123⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\Mgaokl32.exe
        
        C:\Windows\system32\Mgaokl32.exe
        124⤵
        
        PID:8108
        
        C:\Windows\SysWOW64\Mgclpkac.exe
        
        C:\Windows\system32\Mgclpkac.exe
        125⤵
        
        PID:388
        
        C:\Windows\SysWOW64\Mmbanbmg.exe
        
        C:\Windows\system32\Mmbanbmg.exe
        126⤵
        
        PID:4136
        
        C:\Windows\SysWOW64\Napjdpcn.exe
        
        C:\Windows\system32\Napjdpcn.exe
        127⤵
        
        PID:7716
        
        C:\Windows\SysWOW64\Naecop32.exe
        
        C:\Windows\system32\Naecop32.exe
        128⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\Nlmdbh32.exe
        
        C:\Windows\system32\Nlmdbh32.exe
        129⤵
        
        PID:8068
        
        C:\Windows\SysWOW64\Omcjep32.exe
        
        C:\Windows\system32\Omcjep32.exe
        130⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\Peahgl32.exe
        
        C:\Windows\system32\Peahgl32.exe
        131⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\Pmoiqneg.exe
        
        C:\Windows\system32\Pmoiqneg.exe
        132⤵
        
        PID:7540
        
        C:\Windows\SysWOW64\Pkegpb32.exe
        
        C:\Windows\system32\Pkegpb32.exe
        133⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\Anmfbl32.exe
        
        C:\Windows\system32\Anmfbl32.exe
        134⤵
        
        PID:8188
        
        C:\Windows\SysWOW64\Adikdfna.exe
        
        C:\Windows\system32\Adikdfna.exe
        135⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\Akepfpcl.exe
        
        C:\Windows\system32\Akepfpcl.exe
        136⤵
        
        PID:7428
        
        C:\Windows\SysWOW64\Akglloai.exe
        
        C:\Windows\system32\Akglloai.exe
        137⤵
        
        PID:3420
        
        C:\Windows\SysWOW64\Badanigc.exe
        
        C:\Windows\system32\Badanigc.exe
        138⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\Bddjpd32.exe
        
        C:\Windows\system32\Bddjpd32.exe
        139⤵
        
        PID:7756
        
        C:\Windows\SysWOW64\Bkaobnio.exe
        
        C:\Windows\system32\Bkaobnio.exe
        140⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\Cleegp32.exe
        
        C:\Windows\system32\Cleegp32.exe
        141⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\Cfbcke32.exe
        
        C:\Windows\system32\Cfbcke32.exe
        142⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\Dnbakghm.exe
        
        C:\Windows\system32\Dnbakghm.exe
        143⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\Emhkdmlg.exe
        
        C:\Windows\system32\Emhkdmlg.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1348
        
        C:\Windows\SysWOW64\Emmdom32.exe
        
        C:\Windows\system32\Emmdom32.exe
        145⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\Ejlnfjbd.exe
        
        C:\Windows\system32\Ejlnfjbd.exe
        73⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\Bphqji32.exe
        
        C:\Windows\system32\Bphqji32.exe
        51⤵
        
        PID:6760
        
        C:\Windows\SysWOW64\Bagmdllg.exe
        
        C:\Windows\system32\Bagmdllg.exe
        52⤵
        
        PID:6904
        
        C:\Windows\SysWOW64\Bbhildae.exe
        
        C:\Windows\system32\Bbhildae.exe
        53⤵
        
        PID:5612
        
        C:\Windows\SysWOW64\Cajjjk32.exe
        
        C:\Windows\system32\Cajjjk32.exe
        54⤵
        
        PID:6512
        
        C:\Windows\SysWOW64\Cdhffg32.exe
        
        C:\Windows\system32\Cdhffg32.exe
        55⤵
        
        PID:6580
        
        C:\Windows\SysWOW64\Cienon32.exe
        
        C:\Windows\system32\Cienon32.exe
        56⤵
        
        PID:5744

C:\Windows\SysWOW64\Lqkqhm32.exe
C:\Windows\system32\Lqkqhm32.exe
1⤵
PID:5760
- C:\Windows\SysWOW64\Ljhnlb32.exe
  C:\Windows\system32\Ljhnlb32.exe
  2⤵
  PID:3180
- - C:\Windows\SysWOW64\Mjjkaabc.exe
    C:\Windows\system32\Mjjkaabc.exe
    3⤵
    PID:5232
  - - C:\Windows\SysWOW64\Mqfpckhm.exe
      C:\Windows\system32\Mqfpckhm.exe
      4⤵
      PID:5920
    - - C:\Windows\SysWOW64\Mmmqhl32.exe
        
        C:\Windows\system32\Mmmqhl32.exe
        5⤵
        
        PID:4868
      - C:\Windows\SysWOW64\Mfhbga32.exe
        
        C:\Windows\system32\Mfhbga32.exe
        6⤵
        
        PID:5952
        
        C:\Windows\SysWOW64\Nncccnol.exe
        
        C:\Windows\system32\Nncccnol.exe
        7⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\Nagiji32.exe
        
        C:\Windows\system32\Nagiji32.exe
        8⤵
        
        PID:4180
        
        C:\Windows\SysWOW64\Ogjdmbil.exe
        
        C:\Windows\system32\Ogjdmbil.exe
        9⤵
        
        PID:6124
        
        C:\Windows\SysWOW64\Ppjbmc32.exe
        
        C:\Windows\system32\Ppjbmc32.exe
        10⤵
        
        PID:6140
        
        C:\Windows\SysWOW64\Qmgelf32.exe
        
        C:\Windows\system32\Qmgelf32.exe
        11⤵
        
        PID:5740

C:\Windows\SysWOW64\Akpoaj32.exe
C:\Windows\system32\Akpoaj32.exe
1⤵
PID:1816
- C:\Windows\SysWOW64\Cpbjkn32.exe
  C:\Windows\system32\Cpbjkn32.exe
  2⤵
  PID:1692
- - C:\Windows\SysWOW64\Dhphmj32.exe
    C:\Windows\system32\Dhphmj32.exe
    3⤵
    PID:5352

C:\Windows\SysWOW64\Dqbcbkab.exe
C:\Windows\system32\Dqbcbkab.exe
1⤵
PID:5432
- C:\Windows\SysWOW64\Egohdegl.exe
  C:\Windows\system32\Egohdegl.exe
  2⤵
  PID:6112
- - C:\Windows\SysWOW64\Ekonpckp.exe
    C:\Windows\system32\Ekonpckp.exe
    3⤵
    PID:5484

C:\Windows\SysWOW64\Edionhpn.exe
C:\Windows\system32\Edionhpn.exe
1⤵
PID:3588
- C:\Windows\SysWOW64\Fdnhih32.exe
  C:\Windows\system32\Fdnhih32.exe
  2⤵
  PID:6216
- - C:\Windows\SysWOW64\Fbdehlip.exe
    C:\Windows\system32\Fbdehlip.exe
    3⤵
    PID:6316
  - - C:\Windows\SysWOW64\Gnnccl32.exe
      C:\Windows\system32\Gnnccl32.exe
      4⤵
      PID:5312

C:\Windows\SysWOW64\Gkdpbpih.exe
C:\Windows\system32\Gkdpbpih.exe
1⤵
PID:2840
- C:\Windows\SysWOW64\Gacepg32.exe
  C:\Windows\system32\Gacepg32.exe
  2⤵
  PID:7900
- - C:\Windows\SysWOW64\Hahokfag.exe
    C:\Windows\system32\Hahokfag.exe
    3⤵
    PID:5464

C:\Windows\SysWOW64\Hejqldci.exe
C:\Windows\system32\Hejqldci.exe
1⤵
PID:3300
- C:\Windows\SysWOW64\Ipbaol32.exe
  C:\Windows\system32\Ipbaol32.exe
  2⤵
  PID:6752
- - C:\Windows\SysWOW64\Ieagmcmq.exe
    C:\Windows\system32\Ieagmcmq.exe
    3⤵
    PID:5708
  - - C:\Windows\SysWOW64\Ipihpkkd.exe
      C:\Windows\system32\Ipihpkkd.exe
      4⤵
      PID:6672
    - - C:\Windows\SysWOW64\Joqafgni.exe
        
        C:\Windows\system32\Joqafgni.exe
        5⤵
        
        PID:6612
      - C:\Windows\SysWOW64\Jihbip32.exe
        
        C:\Windows\system32\Jihbip32.exe
        6⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\Jbccge32.exe
        
        C:\Windows\system32\Jbccge32.exe
        7⤵
        
        PID:3140
        
        C:\Windows\SysWOW64\Kiphjo32.exe
        
        C:\Windows\system32\Kiphjo32.exe
        8⤵
        
        PID:6288
        
        C:\Windows\SysWOW64\Keifdpif.exe
        
        C:\Windows\system32\Keifdpif.exe
        9⤵
        
        PID:7048
        
        C:\Windows\SysWOW64\Kiikpnmj.exe
        
        C:\Windows\system32\Kiikpnmj.exe
        10⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\Lohqnd32.exe
        
        C:\Windows\system32\Lohqnd32.exe
        11⤵
        
        PID:1224
        
        C:\Windows\SysWOW64\Lhenai32.exe
        
        C:\Windows\system32\Lhenai32.exe
        12⤵
        
        PID:6240
        
        C:\Windows\SysWOW64\Mofmobmo.exe
        
        C:\Windows\system32\Mofmobmo.exe
        13⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\Mbibfm32.exe
        
        C:\Windows\system32\Mbibfm32.exe
        14⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\Nckkfp32.exe
        
        C:\Windows\system32\Nckkfp32.exe
        15⤵
        
        PID:8024
        
        C:\Windows\SysWOW64\Nbbeml32.exe
        
        C:\Windows\system32\Nbbeml32.exe
        16⤵
        
        PID:648
        
        C:\Windows\SysWOW64\Njljch32.exe
        
        C:\Windows\system32\Njljch32.exe
        17⤵
        
        PID:1036
        
        C:\Windows\SysWOW64\Omopjcjp.exe
        
        C:\Windows\system32\Omopjcjp.exe
        18⤵
        
        PID:6164

C:\Windows\SysWOW64\Hbihjifh.exe
C:\Windows\system32\Hbihjifh.exe
1⤵
PID:6708

C:\Windows\SysWOW64\Oophlo32.exe
C:\Windows\system32\Oophlo32.exe
1⤵
PID:6272
- C:\Windows\SysWOW64\Pfccogfc.exe
  C:\Windows\system32\Pfccogfc.exe
  2⤵
  PID:4740
- - C:\Windows\SysWOW64\Pidlqb32.exe
    C:\Windows\system32\Pidlqb32.exe
    3⤵
    PID:7104
  - - C:\Windows\SysWOW64\Qapnmopa.exe
      C:\Windows\system32\Qapnmopa.exe
      4⤵
      PID:6788

C:\Windows\SysWOW64\Aimogakj.exe
C:\Windows\system32\Aimogakj.exe
1⤵
PID:6196
- C:\Windows\SysWOW64\Aiplmq32.exe
  C:\Windows\system32\Aiplmq32.exe
  2⤵
  PID:2028
- - C:\Windows\SysWOW64\Aplaoj32.exe
    C:\Windows\system32\Aplaoj32.exe
    3⤵
    PID:4140

C:\Windows\SysWOW64\Ampaho32.exe
C:\Windows\system32\Ampaho32.exe
1⤵
PID:5840
- C:\Windows\SysWOW64\Ajdbac32.exe
  C:\Windows\system32\Ajdbac32.exe
  2⤵
  PID:7056
- - C:\Windows\SysWOW64\Bpqjjjjl.exe
    C:\Windows\system32\Bpqjjjjl.exe
    3⤵
    PID:5444

C:\Windows\SysWOW64\Biiobo32.exe
C:\Windows\system32\Biiobo32.exe
1⤵
PID:7092
- C:\Windows\SysWOW64\Bdocph32.exe
  C:\Windows\system32\Bdocph32.exe
  2⤵
  PID:6604
- - C:\Windows\SysWOW64\Bbdpad32.exe
    C:\Windows\system32\Bbdpad32.exe
    3⤵
    PID:5712
  - - C:\Windows\SysWOW64\Binhnomg.exe
      C:\Windows\system32\Binhnomg.exe
      4⤵
      PID:5156

C:\Windows\SysWOW64\Cpogkhnl.exe
C:\Windows\system32\Cpogkhnl.exe
1⤵
PID:6968
- C:\Windows\SysWOW64\Cgiohbfi.exe
  C:\Windows\system32\Cgiohbfi.exe
  2⤵
  PID:3200
- - C:\Windows\SysWOW64\Cmbgdl32.exe
    C:\Windows\system32\Cmbgdl32.exe
    3⤵
    PID:3892
  - - C:\Windows\SysWOW64\Cpacqg32.exe
      C:\Windows\system32\Cpacqg32.exe
      4⤵
      PID:4616

C:\Windows\SysWOW64\Cgklmacf.exe
C:\Windows\system32\Cgklmacf.exe
1⤵
PID:4668
- C:\Windows\SysWOW64\Cpcpfg32.exe
  C:\Windows\system32\Cpcpfg32.exe
  2⤵
  PID:5544
- - C:\Windows\SysWOW64\Ckidcpjl.exe
    C:\Windows\system32\Ckidcpjl.exe
    3⤵
    PID:5460
  - - C:\Windows\SysWOW64\Cacmpj32.exe
      C:\Windows\system32\Cacmpj32.exe
      4⤵
      PID:812

C:\Windows\SysWOW64\Dgbanq32.exe
C:\Windows\system32\Dgbanq32.exe
1⤵
PID:856
- C:\Windows\SysWOW64\Dpjfgf32.exe
  C:\Windows\system32\Dpjfgf32.exe
  2⤵
  PID:6348
- - C:\Windows\SysWOW64\Dnngpj32.exe
    C:\Windows\system32\Dnngpj32.exe
    3⤵
    PID:7380

C:\Windows\SysWOW64\Dckoia32.exe
C:\Windows\system32\Dckoia32.exe
1⤵
PID:6568
- C:\Windows\SysWOW64\Dnqcfjae.exe
  C:\Windows\system32\Dnqcfjae.exe
  2⤵
  PID:4796
- - C:\Windows\SysWOW64\Dcnlnaom.exe
    C:\Windows\system32\Dcnlnaom.exe
    3⤵
    PID:1940

C:\Windows\SysWOW64\Djgdkk32.exe
C:\Windows\system32\Djgdkk32.exe
1⤵
PID:6952
- C:\Windows\SysWOW64\Ddmhhd32.exe
  C:\Windows\system32\Ddmhhd32.exe
  2⤵
  PID:6988
- - C:\Windows\SysWOW64\Eaaiahei.exe
    C:\Windows\system32\Eaaiahei.exe
    3⤵
    PID:5600

C:\Windows\SysWOW64\Egpnooan.exe
C:\Windows\system32\Egpnooan.exe
1⤵
PID:7116
- C:\Windows\SysWOW64\Eddnic32.exe
  C:\Windows\system32\Eddnic32.exe
  2⤵
  PID:3752
- - C:\Windows\SysWOW64\Edfknb32.exe
    C:\Windows\system32\Edfknb32.exe
    3⤵
    PID:3148

C:\Windows\SysWOW64\Ekqckmfb.exe
C:\Windows\system32\Ekqckmfb.exe
1⤵
PID:7064
- C:\Windows\SysWOW64\Fclhpo32.exe
  C:\Windows\system32\Fclhpo32.exe
  2⤵
  PID:6344
- - C:\Windows\SysWOW64\Fncibg32.exe
    C:\Windows\system32\Fncibg32.exe
    3⤵
    PID:7740
  - - C:\Windows\SysWOW64\Fcbnpnme.exe
      C:\Windows\system32\Fcbnpnme.exe
      4⤵
      PID:1140
    - - C:\Windows\SysWOW64\Fjmfmh32.exe
        
        C:\Windows\system32\Fjmfmh32.exe
        5⤵
        
        PID:2884
      - C:\Windows\SysWOW64\Fnjocf32.exe
        
        C:\Windows\system32\Fnjocf32.exe
        6⤵
        
        PID:6264
        
        C:\Windows\SysWOW64\Gcghkm32.exe
        
        C:\Windows\system32\Gcghkm32.exe
        7⤵
        
        PID:3400

C:\Windows\SysWOW64\Gbhhieao.exe
C:\Windows\system32\Gbhhieao.exe
1⤵
PID:6668
- C:\Windows\SysWOW64\Ggepalof.exe
  C:\Windows\system32\Ggepalof.exe
  2⤵
  PID:4848

C:\Windows\SysWOW64\Gdiakp32.exe
C:\Windows\system32\Gdiakp32.exe
1⤵
PID:7472
- C:\Windows\SysWOW64\Gbmadd32.exe
  C:\Windows\system32\Gbmadd32.exe
  2⤵
  PID:8180
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 8180 -s 412
    3⤵
    - Program crash
    PID:6908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 8180 -ip 8180
1⤵
PID:7952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Kiikpnmj.exe

Filesize
1.5MB

MD5
5bca01a5622374f180b93f1644fb74e3

SHA1
b794907e04f2fbdfcac2bd725895a65a0cc93c9a

SHA256
1fb5233e290ec6709fb0c484ef5e14f84cc24adf76217616dfa7ff50c517e8ca

SHA512
b5d70d722620c5c5a73be0447be187a65679d0d23f855656f21c9b0b77cdc0457ca564280fed8da0e0e704fa63b23c2c155a82cd99e8b8992fedeb144e039667

Download Submit
C:\Windows\SysWOW64\Napjdpcn.exe

Filesize
1.9MB

MD5
8beca1eabd4c2fdfc074af67f4049018

SHA1
edf496921ecc7967b3f984ff2e59b4a3a9628be8

SHA256
c3ce51eb0726cdd6f3facbb821d9ad910f628ce14813b8c5b063321737ab4317

SHA512
cc0942dc7d624b3a05ffb9ae123aa7dcf7a15d6e361c88586effebb6cdb167ce77402e493ab8b7caaad5355945b98c911dc33f8a41e85986249b5eb449abd534

Download Submit
C:\Windows\SysWOW64\Nckkfp32.exe

Filesize
1.9MB

MD5
53e02e6ebd731f592f0da6b833897f89

SHA1
1a441ce1daa6abc4d4bda0aad6f02cb9b198ac37

SHA256
49704ae27973b8c2d06dff53be987bd985146b2e87faa4dd3acd1ec3e7c4c474

SHA512
58ba0e85e483f3b5016849dc7ad578e6d0b94a9147b2d36d67d01e9358bd2bccc4be3d3a6db11318300ca445750424786e18a702b4b226663eaecbab8365acfb

Download Submit
C:\Windows\SysWOW64\Nlmdbh32.exe

Filesize
1.9MB

MD5
dbdaf4d08c72ea28a1daade373635b03

SHA1
ecb724b8c24a39d63dd2b51723ae975562ea2dd5

SHA256
194c20068b0c5fc0e9eea0141aca76a093e727c80548bda92ea7d8c33790c689

SHA512
d875411f459ad80358455ca49912369b31e3b4f38f0d20f9f1cc5802dbe0f4d3cca9f84a41f33126667b505fbb7babd657394119e729cf5a3126e47b3cea3df9

Download Submit
memory/216-596-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/216-215-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/224-538-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/224-144-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/316-545-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/316-151-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/376-635-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/376-247-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/812-328-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1272-274-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1348-408-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1348-8-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1416-95-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1416-490-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1492-159-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1492-547-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1504-262-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1952-560-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1952-176-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2016-609-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2016-231-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2284-616-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2284-239-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2400-559-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2400-168-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2404-483-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2404-88-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2588-469-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2588-71-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2592-280-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3012-316-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3044-415-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3044-15-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3120-448-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3120-47-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3428-224-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3428-602-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3500-104-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3500-497-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3580-292-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3604-567-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3604-184-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3628-310-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3804-80-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3804-475-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3876-268-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3944-255-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3952-111-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3952-504-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3988-322-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4180-518-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4180-128-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4200-304-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4296-581-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4296-199-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4360-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4360-441-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4452-517-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4452-119-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4460-286-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4540-588-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4540-207-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4620-531-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4620-136-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4632-192-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4632-574-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4660-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4660-455-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4756-383-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4756-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4900-434-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4900-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4904-298-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4988-427-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4988-24-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5092-456-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5092-64-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5232-334-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5288-340-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5328-346-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5376-352-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5432-358-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5472-364-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5512-370-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5552-376-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5592-382-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5640-389-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5680-395-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5720-401-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5760-407-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5804-414-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5852-421-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5900-428-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5952-435-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6032-442-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6076-449-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads