142facb8bea723b9af2b5af1355c55b79aef53e9d3b34a666b82217a7f77c4d9

Analysis

max time kernel
0s
max time network
10s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
11/01/2024, 16:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fac7831ae4c8e7c9fd3b3d2d7306d10a.exe
Size

320KB
MD5

fac7831ae4c8e7c9fd3b3d2d7306d10a
SHA1

ac2bbc2f2af9a51f9e3bc4b26e6c9aa414c81b70
SHA256

142facb8bea723b9af2b5af1355c55b79aef53e9d3b34a666b82217a7f77c4d9
SHA512

9fd2e8d48cc672b742703f9a9f20cd3eeb6e34443a5406c3d1d9ec1593acd65c58e099d0627c738247fbca4a73ba16a7687a425d7e5f024467df6abd269c8edf
SSDEEP

6144:llexvlvY/m05XUEtMEX6vluZV4U/vlf0DrBqvl8ZV4U/vlfl+9Q:bexvQm05XEvG6IveDVqvQ6IvP

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 14 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqgkhnjf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Okjbpglo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	fac7831ae4c8e7c9fd3b3d2d7306d10a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Onfbfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oqdoboli.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Occkojkm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Okjbpglo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojmcld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	fac7831ae4c8e7c9fd3b3d2d7306d10a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Occkojkm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqdoboli.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojmcld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oqgkhnjf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onfbfc32.exe

Executes dropped EXE 7 IoCs

pid	Process
2248	Onfbfc32.exe
3660	Oqdoboli.exe
216	Occkojkm.exe
4032	Okjbpglo.exe
3444	Ojmcld32.exe
4660	Oqgkhnjf.exe
2212	Okloegjl.exe

Drops file in System32 directory 21 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Okloegjl.exe	Oqgkhnjf.exe
File opened for modification	C:\Windows\SysWOW64\Onfbfc32.exe	fac7831ae4c8e7c9fd3b3d2d7306d10a.exe
File created	C:\Windows\SysWOW64\Gpamgn32.dll	fac7831ae4c8e7c9fd3b3d2d7306d10a.exe
File opened for modification	C:\Windows\SysWOW64\Oqdoboli.exe	Onfbfc32.exe
File opened for modification	C:\Windows\SysWOW64\Occkojkm.exe	Oqdoboli.exe
File created	C:\Windows\SysWOW64\Okjbpglo.exe	Occkojkm.exe
File created	C:\Windows\SysWOW64\Oqgkhnjf.exe	Ojmcld32.exe
File created	C:\Windows\SysWOW64\Nmfgdeof.dll	Ojmcld32.exe
File created	C:\Windows\SysWOW64\Onfbfc32.exe	fac7831ae4c8e7c9fd3b3d2d7306d10a.exe
File opened for modification	C:\Windows\SysWOW64\Oqgkhnjf.exe	Ojmcld32.exe
File created	C:\Windows\SysWOW64\Oqdoboli.exe	Onfbfc32.exe
File created	C:\Windows\SysWOW64\Occkojkm.exe	Oqdoboli.exe
File opened for modification	C:\Windows\SysWOW64\Ojmcld32.exe	Okjbpglo.exe
File created	C:\Windows\SysWOW64\Kpjcpkfo.dll	Okjbpglo.exe
File created	C:\Windows\SysWOW64\Lcoppd32.dll	Onfbfc32.exe
File created	C:\Windows\SysWOW64\Qgmbjkdp.dll	Oqdoboli.exe
File opened for modification	C:\Windows\SysWOW64\Okjbpglo.exe	Occkojkm.exe
File created	C:\Windows\SysWOW64\Echmafdm.dll	Occkojkm.exe
File created	C:\Windows\SysWOW64\Ojmcld32.exe	Okjbpglo.exe
File created	C:\Windows\SysWOW64\Okloegjl.exe	Oqgkhnjf.exe
File created	C:\Windows\SysWOW64\Dcogch32.dll	Oqgkhnjf.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
12084	11836	WerFault.exe	258

Modifies registry class 24 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Occkojkm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Okjbpglo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oqgkhnjf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	fac7831ae4c8e7c9fd3b3d2d7306d10a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	fac7831ae4c8e7c9fd3b3d2d7306d10a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Onfbfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgmbjkdp.dll"	Oqdoboli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	fac7831ae4c8e7c9fd3b3d2d7306d10a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	fac7831ae4c8e7c9fd3b3d2d7306d10a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Onfbfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojmcld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojmcld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmfgdeof.dll"	Ojmcld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oqgkhnjf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcogch32.dll"	Oqgkhnjf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpamgn32.dll"	fac7831ae4c8e7c9fd3b3d2d7306d10a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	fac7831ae4c8e7c9fd3b3d2d7306d10a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcoppd32.dll"	Onfbfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpjcpkfo.dll"	Okjbpglo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Okjbpglo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oqdoboli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oqdoboli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Occkojkm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echmafdm.dll"	Occkojkm.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 4588 wrote to memory of 2248	4588	fac7831ae4c8e7c9fd3b3d2d7306d10a.exe	18
PID 4588 wrote to memory of 2248	4588	fac7831ae4c8e7c9fd3b3d2d7306d10a.exe	18
PID 4588 wrote to memory of 2248	4588	fac7831ae4c8e7c9fd3b3d2d7306d10a.exe	18
PID 2248 wrote to memory of 3660	2248	Onfbfc32.exe	473
PID 2248 wrote to memory of 3660	2248	Onfbfc32.exe	473
PID 2248 wrote to memory of 3660	2248	Onfbfc32.exe	473
PID 3660 wrote to memory of 216	3660	Oqdoboli.exe	472
PID 3660 wrote to memory of 216	3660	Oqdoboli.exe	472
PID 3660 wrote to memory of 216	3660	Oqdoboli.exe	472
PID 216 wrote to memory of 4032	216	Occkojkm.exe	471
PID 216 wrote to memory of 4032	216	Occkojkm.exe	471
PID 216 wrote to memory of 4032	216	Occkojkm.exe	471
PID 4032 wrote to memory of 3444	4032	Okjbpglo.exe	470
PID 4032 wrote to memory of 3444	4032	Okjbpglo.exe	470
PID 4032 wrote to memory of 3444	4032	Okjbpglo.exe	470
PID 3444 wrote to memory of 4660	3444	Ojmcld32.exe	469
PID 3444 wrote to memory of 4660	3444	Ojmcld32.exe	469
PID 3444 wrote to memory of 4660	3444	Ojmcld32.exe	469
PID 4660 wrote to memory of 2212	4660	Oqgkhnjf.exe	468
PID 4660 wrote to memory of 2212	4660	Oqgkhnjf.exe	468
PID 4660 wrote to memory of 2212	4660	Oqgkhnjf.exe	468

C:\Users\Admin\AppData\Local\Temp\fac7831ae4c8e7c9fd3b3d2d7306d10a.exe
"C:\Users\Admin\AppData\Local\Temp\fac7831ae4c8e7c9fd3b3d2d7306d10a.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4588
- C:\Windows\SysWOW64\Onfbfc32.exe
  C:\Windows\system32\Onfbfc32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2248
- - C:\Windows\SysWOW64\Oqdoboli.exe
    C:\Windows\system32\Oqdoboli.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3660

C:\Windows\SysWOW64\Onmhgb32.exe
C:\Windows\system32\Onmhgb32.exe
1⤵
PID:3028
- C:\Windows\SysWOW64\Odgqdlnj.exe
  C:\Windows\system32\Odgqdlnj.exe
  2⤵
  PID:1884

C:\Windows\SysWOW64\Pghieg32.exe
C:\Windows\system32\Pghieg32.exe
1⤵
PID:2792
- C:\Windows\SysWOW64\Pjffbc32.exe
  C:\Windows\system32\Pjffbc32.exe
  2⤵
  PID:3956
- - C:\Windows\SysWOW64\Pqpnombl.exe
    C:\Windows\system32\Pqpnombl.exe
    3⤵
    PID:4224

C:\Windows\SysWOW64\Qgallfcq.exe
C:\Windows\system32\Qgallfcq.exe
1⤵
PID:1060
- C:\Windows\SysWOW64\Qnkdhpjn.exe
  C:\Windows\system32\Qnkdhpjn.exe
  2⤵
  PID:3476
- - C:\Windows\SysWOW64\Qajadlja.exe
    C:\Windows\system32\Qajadlja.exe
    3⤵
    PID:2252

C:\Windows\SysWOW64\Qbimoo32.exe
C:\Windows\system32\Qbimoo32.exe
1⤵
PID:1200
- C:\Windows\SysWOW64\Acjjfggb.exe
  C:\Windows\system32\Acjjfggb.exe
  2⤵
  PID:4576
- - C:\Windows\SysWOW64\Alabgd32.exe
    C:\Windows\system32\Alabgd32.exe
    3⤵
    PID:3936

C:\Windows\SysWOW64\Aejfpjne.exe
C:\Windows\system32\Aejfpjne.exe
1⤵
PID:760
- C:\Windows\SysWOW64\Ahhblemi.exe
  C:\Windows\system32\Ahhblemi.exe
  2⤵
  PID:1644
- - C:\Windows\SysWOW64\Ajfoiqll.exe
    C:\Windows\system32\Ajfoiqll.exe
    3⤵
    PID:5000
  - - C:\Windows\SysWOW64\Abngjnmo.exe
      C:\Windows\system32\Abngjnmo.exe
      4⤵
      PID:1596

C:\Windows\SysWOW64\Aelcfilb.exe
C:\Windows\system32\Aelcfilb.exe
1⤵
PID:3128
- C:\Windows\SysWOW64\Ahkobekf.exe
  C:\Windows\system32\Ahkobekf.exe
  2⤵
  PID:4956

C:\Windows\SysWOW64\Adapgfqj.exe
C:\Windows\system32\Adapgfqj.exe
1⤵
PID:3652
- C:\Windows\SysWOW64\Ajkhdp32.exe
  C:\Windows\system32\Ajkhdp32.exe
  2⤵
  PID:1964

C:\Windows\SysWOW64\Abbpem32.exe
C:\Windows\system32\Abbpem32.exe
1⤵
PID:3504
- C:\Windows\SysWOW64\Aealah32.exe
  C:\Windows\system32\Aealah32.exe
  2⤵
  PID:2516
- - C:\Windows\SysWOW64\Becifhfj.exe
    C:\Windows\system32\Becifhfj.exe
    3⤵
    PID:4520

C:\Windows\SysWOW64\Bbgipldd.exe
C:\Windows\system32\Bbgipldd.exe
1⤵
PID:5240
- C:\Windows\SysWOW64\Beeflhdh.exe
  C:\Windows\system32\Beeflhdh.exe
  2⤵
  PID:5280
- - C:\Windows\SysWOW64\Blpnib32.exe
    C:\Windows\system32\Blpnib32.exe
    3⤵
    PID:5320

C:\Windows\SysWOW64\Bnnjen32.exe
C:\Windows\system32\Bnnjen32.exe
1⤵
PID:5368
- C:\Windows\SysWOW64\Behbag32.exe
  C:\Windows\system32\Behbag32.exe
  2⤵
  PID:5416

C:\Windows\SysWOW64\Bhfonc32.exe
C:\Windows\system32\Bhfonc32.exe
1⤵
PID:5464
- C:\Windows\SysWOW64\Bdmpcdfm.exe
  C:\Windows\system32\Bdmpcdfm.exe
  2⤵
  PID:5504

C:\Windows\SysWOW64\Bhkhibmc.exe
C:\Windows\system32\Bhkhibmc.exe
1⤵
PID:5680
- C:\Windows\SysWOW64\Bkidenlg.exe
  C:\Windows\system32\Bkidenlg.exe
  2⤵
  PID:5720
- - C:\Windows\SysWOW64\Cacmah32.exe
    C:\Windows\system32\Cacmah32.exe
    3⤵
    PID:5760

C:\Windows\SysWOW64\Ceoibflm.exe
C:\Windows\system32\Ceoibflm.exe
1⤵
PID:5800
- C:\Windows\SysWOW64\Chmeobkq.exe
  C:\Windows\system32\Chmeobkq.exe
  2⤵
  PID:5840
- - C:\Windows\SysWOW64\Cogmkl32.exe
    C:\Windows\system32\Cogmkl32.exe
    3⤵
    PID:5880

C:\Windows\SysWOW64\Cafigg32.exe
C:\Windows\system32\Cafigg32.exe
1⤵
PID:5920
- C:\Windows\SysWOW64\Cddecc32.exe
  C:\Windows\system32\Cddecc32.exe
  2⤵
  PID:5960
- - C:\Windows\SysWOW64\Clkndpag.exe
    C:\Windows\system32\Clkndpag.exe
    3⤵
    PID:6000

C:\Windows\SysWOW64\Cojjqlpk.exe
C:\Windows\system32\Cojjqlpk.exe
1⤵
PID:6040
- C:\Windows\SysWOW64\Cahfmgoo.exe
  C:\Windows\system32\Cahfmgoo.exe
  2⤵
  PID:6080
- - C:\Windows\SysWOW64\Chbnia32.exe
    C:\Windows\system32\Chbnia32.exe
    3⤵
    PID:6124

C:\Windows\SysWOW64\Ckpjfm32.exe
C:\Windows\system32\Ckpjfm32.exe
1⤵
PID:5148
- C:\Windows\SysWOW64\Cefoce32.exe
  C:\Windows\system32\Cefoce32.exe
  2⤵
  PID:5228

C:\Windows\SysWOW64\Chdkoa32.exe
C:\Windows\system32\Chdkoa32.exe
1⤵
PID:5304
- C:\Windows\SysWOW64\Ckcgkldl.exe
  C:\Windows\system32\Ckcgkldl.exe
  2⤵
  PID:5400

C:\Windows\SysWOW64\Conclk32.exe
C:\Windows\system32\Conclk32.exe
1⤵
PID:5460
- C:\Windows\SysWOW64\Camphf32.exe
  C:\Windows\system32\Camphf32.exe
  2⤵
  PID:5548

C:\Windows\SysWOW64\Clbceo32.exe
C:\Windows\system32\Clbceo32.exe
1⤵
PID:5672
- C:\Windows\SysWOW64\Ckedalaj.exe
  C:\Windows\system32\Ckedalaj.exe
  2⤵
  PID:5736

C:\Windows\SysWOW64\Daolnf32.exe
C:\Windows\system32\Daolnf32.exe
1⤵
PID:5824
- C:\Windows\SysWOW64\Ddmhja32.exe
  C:\Windows\system32\Ddmhja32.exe
  2⤵
  PID:5928
- - C:\Windows\SysWOW64\Dldpkoil.exe
    C:\Windows\system32\Dldpkoil.exe
    3⤵
    PID:5984

C:\Windows\SysWOW64\Dkgqfl32.exe
C:\Windows\system32\Dkgqfl32.exe
1⤵
PID:6076
- C:\Windows\SysWOW64\Daaicfgd.exe
  C:\Windows\system32\Daaicfgd.exe
  2⤵
  PID:3776
- - C:\Windows\SysWOW64\Demecd32.exe
    C:\Windows\system32\Demecd32.exe
    3⤵
    PID:3912

C:\Windows\SysWOW64\Doeiljfn.exe
C:\Windows\system32\Doeiljfn.exe
1⤵
PID:5628
- C:\Windows\SysWOW64\Deoaid32.exe
  C:\Windows\system32\Deoaid32.exe
  2⤵
  PID:5740
- - C:\Windows\SysWOW64\Dhnnep32.exe
    C:\Windows\system32\Dhnnep32.exe
    3⤵
    PID:5900

C:\Windows\SysWOW64\Dccbbhld.exe
C:\Windows\system32\Dccbbhld.exe
1⤵
PID:5124
- C:\Windows\SysWOW64\Deanodkh.exe
  C:\Windows\system32\Deanodkh.exe
  2⤵
  PID:5396
- - C:\Windows\SysWOW64\Dhpjkojk.exe
    C:\Windows\system32\Dhpjkojk.exe
    3⤵
    PID:5700
  - - C:\Windows\SysWOW64\Dkoggkjo.exe
      C:\Windows\system32\Dkoggkjo.exe
      4⤵
      PID:1956

C:\Windows\SysWOW64\Dceohhja.exe
C:\Windows\system32\Dceohhja.exe
1⤵
PID:6096
- C:\Windows\SysWOW64\Ddgkpp32.exe
  C:\Windows\system32\Ddgkpp32.exe
  2⤵
  PID:5360

C:\Windows\SysWOW64\Dlncan32.exe
C:\Windows\system32\Dlncan32.exe
1⤵
PID:5780
- C:\Windows\SysWOW64\Eolpmi32.exe
  C:\Windows\system32\Eolpmi32.exe
  2⤵
  PID:6036

C:\Windows\SysWOW64\Echknh32.exe
C:\Windows\system32\Echknh32.exe
1⤵
PID:5496
- C:\Windows\SysWOW64\Eefhjc32.exe
  C:\Windows\system32\Eefhjc32.exe
  2⤵
  PID:5312

C:\Windows\SysWOW64\Edihepnm.exe
C:\Windows\system32\Edihepnm.exe
1⤵
PID:5820
- C:\Windows\SysWOW64\Elppfmoo.exe
  C:\Windows\system32\Elppfmoo.exe
  2⤵
  PID:6160

C:\Windows\SysWOW64\Eoolbinc.exe
C:\Windows\system32\Eoolbinc.exe
1⤵
PID:6200
- C:\Windows\SysWOW64\Eamhodmf.exe
  C:\Windows\system32\Eamhodmf.exe
  2⤵
  PID:6248

C:\Windows\SysWOW64\Edkdkplj.exe
C:\Windows\system32\Edkdkplj.exe
1⤵
PID:6288
- C:\Windows\SysWOW64\Elbmlmml.exe
  C:\Windows\system32\Elbmlmml.exe
  2⤵
  PID:6336
- - C:\Windows\SysWOW64\Eoaihhlp.exe
    C:\Windows\system32\Eoaihhlp.exe
    3⤵
    PID:6392

C:\Windows\SysWOW64\Ecmeig32.exe
C:\Windows\system32\Ecmeig32.exe
1⤵
PID:6436
- C:\Windows\SysWOW64\Eekaebcm.exe
  C:\Windows\system32\Eekaebcm.exe
  2⤵
  PID:6480
- - C:\Windows\SysWOW64\Ehimanbq.exe
    C:\Windows\system32\Ehimanbq.exe
    3⤵
    PID:6524

C:\Windows\SysWOW64\Ekhjmiad.exe
C:\Windows\system32\Ekhjmiad.exe
1⤵
PID:6560
- C:\Windows\SysWOW64\Ecoangbg.exe
  C:\Windows\system32\Ecoangbg.exe
  2⤵
  PID:6608

C:\Windows\SysWOW64\Eabbjc32.exe
C:\Windows\system32\Eabbjc32.exe
1⤵
PID:6648
- C:\Windows\SysWOW64\Edpnfo32.exe
  C:\Windows\system32\Edpnfo32.exe
  2⤵
  PID:6692

C:\Windows\SysWOW64\Ekjfcipa.exe
C:\Windows\system32\Ekjfcipa.exe
1⤵
PID:6736
- C:\Windows\SysWOW64\Eofbch32.exe
  C:\Windows\system32\Eofbch32.exe
  2⤵
  PID:6780
- - C:\Windows\SysWOW64\Eepjpb32.exe
    C:\Windows\system32\Eepjpb32.exe
    3⤵
    PID:6816

C:\Windows\SysWOW64\Ehnglm32.exe
C:\Windows\system32\Ehnglm32.exe
1⤵
PID:6860
- C:\Windows\SysWOW64\Fkmchi32.exe
  C:\Windows\system32\Fkmchi32.exe
  2⤵
  PID:6920

C:\Windows\SysWOW64\Febgea32.exe
C:\Windows\system32\Febgea32.exe
1⤵
PID:7032
- C:\Windows\SysWOW64\Fhqcam32.exe
  C:\Windows\system32\Fhqcam32.exe
  2⤵
  PID:7088
- - C:\Windows\SysWOW64\Fkopnh32.exe
    C:\Windows\system32\Fkopnh32.exe
    3⤵
    PID:7132
  - - C:\Windows\SysWOW64\Faihkbci.exe
      C:\Windows\system32\Faihkbci.exe
      4⤵
      PID:5992
    - - C:\Windows\SysWOW64\Fhcpgmjf.exe
        
        C:\Windows\system32\Fhcpgmjf.exe
        5⤵
        
        PID:6184

C:\Windows\SysWOW64\Fomhdg32.exe
C:\Windows\system32\Fomhdg32.exe
1⤵
PID:6260
- C:\Windows\SysWOW64\Fakdpb32.exe
  C:\Windows\system32\Fakdpb32.exe
  2⤵
  PID:6316
- - C:\Windows\SysWOW64\Flqimk32.exe
    C:\Windows\system32\Flqimk32.exe
    3⤵
    PID:6412
  - - C:\Windows\SysWOW64\Gcojed32.exe
      C:\Windows\system32\Gcojed32.exe
      4⤵
      PID:6488

C:\Windows\SysWOW64\Fcckif32.exe
C:\Windows\system32\Fcckif32.exe
1⤵
PID:6980

C:\Windows\SysWOW64\Gbbkaako.exe
C:\Windows\system32\Gbbkaako.exe
1⤵
PID:6548
- C:\Windows\SysWOW64\Gdqgmmjb.exe
  C:\Windows\system32\Gdqgmmjb.exe
  2⤵
  PID:6632

C:\Windows\SysWOW64\Ghlcnk32.exe
C:\Windows\system32\Ghlcnk32.exe
1⤵
PID:6700
- C:\Windows\SysWOW64\Gkkojgao.exe
  C:\Windows\system32\Gkkojgao.exe
  2⤵
  PID:6764
- - C:\Windows\SysWOW64\Gcagkdba.exe
    C:\Windows\system32\Gcagkdba.exe
    3⤵
    PID:6848

C:\Windows\SysWOW64\Gfpcgpae.exe
C:\Windows\system32\Gfpcgpae.exe
1⤵
PID:6900
- C:\Windows\SysWOW64\Gdcdbl32.exe
  C:\Windows\system32\Gdcdbl32.exe
  2⤵
  PID:7020

C:\Windows\SysWOW64\Gmjlcj32.exe
C:\Windows\system32\Gmjlcj32.exe
1⤵
PID:7120
- C:\Windows\SysWOW64\Gohhpe32.exe
  C:\Windows\system32\Gohhpe32.exe
  2⤵
  PID:6172
- - C:\Windows\SysWOW64\Gfbploob.exe
    C:\Windows\system32\Gfbploob.exe
    3⤵
    PID:6224
  - - C:\Windows\SysWOW64\Gdeqhl32.exe
      C:\Windows\system32\Gdeqhl32.exe
      4⤵
      PID:4508
    - - C:\Windows\SysWOW64\Gkoiefmj.exe
        
        C:\Windows\system32\Gkoiefmj.exe
        5⤵
        
        PID:6508

C:\Windows\SysWOW64\Gbiaapdf.exe
C:\Windows\system32\Gbiaapdf.exe
1⤵
PID:6640
- C:\Windows\SysWOW64\Gdhmnlcj.exe
  C:\Windows\system32\Gdhmnlcj.exe
  2⤵
  PID:6744
- - C:\Windows\SysWOW64\Gmoeoidl.exe
    C:\Windows\system32\Gmoeoidl.exe
    3⤵
    PID:6960

C:\Windows\SysWOW64\Gomakdcp.exe
C:\Windows\system32\Gomakdcp.exe
1⤵
PID:7076
- C:\Windows\SysWOW64\Gfgjgo32.exe
  C:\Windows\system32\Gfgjgo32.exe
  2⤵
  PID:6244
- - C:\Windows\SysWOW64\Hiefcj32.exe
    C:\Windows\system32\Hiefcj32.exe
    3⤵
    PID:6516
  - - C:\Windows\SysWOW64\Hkdbpe32.exe
      C:\Windows\system32\Hkdbpe32.exe
      4⤵
      PID:6748

C:\Windows\SysWOW64\Hihbijhn.exe
C:\Windows\system32\Hihbijhn.exe
1⤵
PID:7028
- C:\Windows\SysWOW64\Hkfoeega.exe
  C:\Windows\system32\Hkfoeega.exe
  2⤵
  PID:7172

C:\Windows\SysWOW64\Hobkfd32.exe
C:\Windows\system32\Hobkfd32.exe
1⤵
PID:7208
- C:\Windows\SysWOW64\Hbpgbo32.exe
  C:\Windows\system32\Hbpgbo32.exe
  2⤵
  PID:7268

C:\Windows\SysWOW64\Heocnk32.exe
C:\Windows\system32\Heocnk32.exe
1⤵
PID:7316
- C:\Windows\SysWOW64\Hijooifk.exe
  C:\Windows\system32\Hijooifk.exe
  2⤵
  PID:7356

C:\Windows\SysWOW64\Hkikkeeo.exe
C:\Windows\system32\Hkikkeeo.exe
1⤵
PID:7400
- C:\Windows\SysWOW64\Hodgkc32.exe
  C:\Windows\system32\Hodgkc32.exe
  2⤵
  PID:7452

C:\Windows\SysWOW64\Hfnphn32.exe
C:\Windows\system32\Hfnphn32.exe
1⤵
PID:7492
- C:\Windows\SysWOW64\Himldi32.exe
  C:\Windows\system32\Himldi32.exe
  2⤵
  PID:7548
- - C:\Windows\SysWOW64\Hkkhqd32.exe
    C:\Windows\system32\Hkkhqd32.exe
    3⤵
    PID:7596

C:\Windows\SysWOW64\Hcbpab32.exe
C:\Windows\system32\Hcbpab32.exe
1⤵
PID:7640
- C:\Windows\SysWOW64\Hfqlnm32.exe
  C:\Windows\system32\Hfqlnm32.exe
  2⤵
  PID:7684
- - C:\Windows\SysWOW64\Hmjdjgjo.exe
    C:\Windows\system32\Hmjdjgjo.exe
    3⤵
    PID:7728

C:\Windows\SysWOW64\Hoiafcic.exe
C:\Windows\system32\Hoiafcic.exe
1⤵
PID:7784
- C:\Windows\SysWOW64\Hfcicmqp.exe
  C:\Windows\system32\Hfcicmqp.exe
  2⤵
  PID:7832

C:\Windows\SysWOW64\Iiaephpc.exe
C:\Windows\system32\Iiaephpc.exe
1⤵
PID:7868
- C:\Windows\SysWOW64\Icgjmapi.exe
  C:\Windows\system32\Icgjmapi.exe
  2⤵
  PID:7904
- - C:\Windows\SysWOW64\Iehfdi32.exe
    C:\Windows\system32\Iehfdi32.exe
    3⤵
    PID:7948
  - - C:\Windows\SysWOW64\Ipnjab32.exe
      C:\Windows\system32\Ipnjab32.exe
      4⤵
      PID:7984
    - - C:\Windows\SysWOW64\Ifgbnlmj.exe
        
        C:\Windows\system32\Ifgbnlmj.exe
        5⤵
        
        PID:8024
      - C:\Windows\SysWOW64\Imakkfdg.exe
        
        C:\Windows\system32\Imakkfdg.exe
        6⤵
        
        PID:8072
        
        C:\Windows\SysWOW64\Ickchq32.exe
        
        C:\Windows\system32\Ickchq32.exe
        7⤵
        
        PID:8116

C:\Windows\SysWOW64\Ibnccmbo.exe
C:\Windows\system32\Ibnccmbo.exe
1⤵
PID:8164
- C:\Windows\SysWOW64\Iemppiab.exe
  C:\Windows\system32\Iemppiab.exe
  2⤵
  PID:4392

C:\Windows\SysWOW64\Imdgqfbd.exe
C:\Windows\system32\Imdgqfbd.exe
1⤵
PID:7244
- C:\Windows\SysWOW64\Ipbdmaah.exe
  C:\Windows\system32\Ipbdmaah.exe
  2⤵
  PID:7304
- - C:\Windows\SysWOW64\Ibqpimpl.exe
    C:\Windows\system32\Ibqpimpl.exe
    3⤵
    PID:7388

C:\Windows\SysWOW64\Ifllil32.exe
C:\Windows\system32\Ifllil32.exe
1⤵
PID:7436
- C:\Windows\SysWOW64\Iikhfg32.exe
  C:\Windows\system32\Iikhfg32.exe
  2⤵
  PID:7520
- - C:\Windows\SysWOW64\Ilidbbgl.exe
    C:\Windows\system32\Ilidbbgl.exe
    3⤵
    PID:7624

C:\Windows\SysWOW64\Icplcpgo.exe
C:\Windows\system32\Icplcpgo.exe
1⤵
PID:7696
- C:\Windows\SysWOW64\Jfoiokfb.exe
  C:\Windows\system32\Jfoiokfb.exe
  2⤵
  PID:7780

C:\Windows\SysWOW64\Jimekgff.exe
C:\Windows\system32\Jimekgff.exe
1⤵
PID:7856
- C:\Windows\SysWOW64\Jmhale32.exe
  C:\Windows\system32\Jmhale32.exe
  2⤵
  PID:7900

C:\Windows\SysWOW64\Jbeidl32.exe
C:\Windows\system32\Jbeidl32.exe
1⤵
PID:8052
- C:\Windows\SysWOW64\Jedeph32.exe
  C:\Windows\system32\Jedeph32.exe
  2⤵
  PID:8100
- - C:\Windows\SysWOW64\Jmknaell.exe
    C:\Windows\system32\Jmknaell.exe
    3⤵
    PID:6904

C:\Windows\SysWOW64\Jlnnmb32.exe
C:\Windows\system32\Jlnnmb32.exe
1⤵
PID:7276
- C:\Windows\SysWOW64\Jcefno32.exe
  C:\Windows\system32\Jcefno32.exe
  2⤵
  PID:7392

C:\Windows\SysWOW64\Jbhfjljd.exe
C:\Windows\system32\Jbhfjljd.exe
1⤵
PID:7532
- C:\Windows\SysWOW64\Jefbfgig.exe
  C:\Windows\system32\Jefbfgig.exe
  2⤵
  PID:7068

C:\Windows\SysWOW64\Jmmjgejj.exe
C:\Windows\system32\Jmmjgejj.exe
1⤵
PID:7768
- C:\Windows\SysWOW64\Jlpkba32.exe
  C:\Windows\system32\Jlpkba32.exe
  2⤵
  PID:7892

C:\Windows\SysWOW64\Jcgbco32.exe
C:\Windows\system32\Jcgbco32.exe
1⤵
PID:8032
- C:\Windows\SysWOW64\Jfeopj32.exe
  C:\Windows\system32\Jfeopj32.exe
  2⤵
  PID:8128
- - C:\Windows\SysWOW64\Jidklf32.exe
    C:\Windows\system32\Jidklf32.exe
    3⤵
    PID:7224

C:\Windows\SysWOW64\Jlbgha32.exe
C:\Windows\system32\Jlbgha32.exe
1⤵
PID:7508
- C:\Windows\SysWOW64\Jcioiood.exe
  C:\Windows\system32\Jcioiood.exe
  2⤵
  PID:7580

C:\Windows\SysWOW64\Jfhlejnh.exe
C:\Windows\system32\Jfhlejnh.exe
1⤵
PID:7804
- C:\Windows\SysWOW64\Jeklag32.exe
  C:\Windows\system32\Jeklag32.exe
  2⤵
  PID:8068
- - C:\Windows\SysWOW64\Jmbdbd32.exe
    C:\Windows\system32\Jmbdbd32.exe
    3⤵
    PID:7376

C:\Windows\SysWOW64\Jcllonma.exe
C:\Windows\system32\Jcllonma.exe
1⤵
PID:7992
- C:\Windows\SysWOW64\Kboljk32.exe
  C:\Windows\system32\Kboljk32.exe
  2⤵
  PID:7200
- - C:\Windows\SysWOW64\Kemhff32.exe
    C:\Windows\system32\Kemhff32.exe
    3⤵
    PID:7864

C:\Windows\SysWOW64\Kmdqgd32.exe
C:\Windows\system32\Kmdqgd32.exe
1⤵
PID:7364
- C:\Windows\SysWOW64\Klgqcqkl.exe
  C:\Windows\system32\Klgqcqkl.exe
  2⤵
  PID:7336

C:\Windows\SysWOW64\Kdnidn32.exe
C:\Windows\system32\Kdnidn32.exe
1⤵
PID:7824
- C:\Windows\SysWOW64\Kfmepi32.exe
  C:\Windows\system32\Kfmepi32.exe
  2⤵
  PID:8224
- - C:\Windows\SysWOW64\Kikame32.exe
    C:\Windows\system32\Kikame32.exe
    3⤵
    PID:8268

C:\Windows\SysWOW64\Kpeiioac.exe
C:\Windows\system32\Kpeiioac.exe
1⤵
PID:8348
- C:\Windows\SysWOW64\Kbceejpf.exe
  C:\Windows\system32\Kbceejpf.exe
  2⤵
  PID:8392

C:\Windows\SysWOW64\Kebbafoj.exe
C:\Windows\system32\Kebbafoj.exe
1⤵
PID:8432
- C:\Windows\SysWOW64\Kmijbcpl.exe
  C:\Windows\system32\Kmijbcpl.exe
  2⤵
  PID:8468
- - C:\Windows\SysWOW64\Klljnp32.exe
    C:\Windows\system32\Klljnp32.exe
    3⤵
    PID:8520

C:\Windows\SysWOW64\Kdcbom32.exe
C:\Windows\system32\Kdcbom32.exe
1⤵
PID:8564
- C:\Windows\SysWOW64\Kbfbkj32.exe
  C:\Windows\system32\Kbfbkj32.exe
  2⤵
  PID:8608

C:\Windows\SysWOW64\Kedoge32.exe
C:\Windows\system32\Kedoge32.exe
1⤵
PID:8644
- C:\Windows\SysWOW64\Kipkhdeq.exe
  C:\Windows\system32\Kipkhdeq.exe
  2⤵
  PID:8684

C:\Windows\SysWOW64\Klngdpdd.exe
C:\Windows\system32\Klngdpdd.exe
1⤵
PID:8728
- C:\Windows\SysWOW64\Kdeoemeg.exe
  C:\Windows\system32\Kdeoemeg.exe
  2⤵
  PID:8768

C:\Windows\SysWOW64\Kbhoqj32.exe
C:\Windows\system32\Kbhoqj32.exe
1⤵
PID:8812
- C:\Windows\SysWOW64\Kefkme32.exe
  C:\Windows\system32\Kefkme32.exe
  2⤵
  PID:8852

C:\Windows\SysWOW64\Kibgmdcn.exe
C:\Windows\system32\Kibgmdcn.exe
1⤵
PID:8892
- C:\Windows\SysWOW64\Klqcioba.exe
  C:\Windows\system32\Klqcioba.exe
  2⤵
  PID:8928
- - C:\Windows\SysWOW64\Kdgljmcd.exe
    C:\Windows\system32\Kdgljmcd.exe
    3⤵
    PID:8972

C:\Windows\SysWOW64\Leihbeib.exe
C:\Windows\system32\Leihbeib.exe
1⤵
PID:9048
- C:\Windows\SysWOW64\Lmppcbjd.exe
  C:\Windows\system32\Lmppcbjd.exe
  2⤵
  PID:9100
- - C:\Windows\SysWOW64\Llcpoo32.exe
    C:\Windows\system32\Llcpoo32.exe
    3⤵
    PID:9140

C:\Windows\SysWOW64\Ldjhpl32.exe
C:\Windows\system32\Ldjhpl32.exe
1⤵
PID:9184
- C:\Windows\SysWOW64\Lbmhlihl.exe
  C:\Windows\system32\Lbmhlihl.exe
  2⤵
  PID:7736

C:\Windows\SysWOW64\Ligqhc32.exe
C:\Windows\system32\Ligqhc32.exe
1⤵
PID:8260
- C:\Windows\SysWOW64\Llemdo32.exe
  C:\Windows\system32\Llemdo32.exe
  2⤵
  PID:8336
- - C:\Windows\SysWOW64\Ldleel32.exe
    C:\Windows\system32\Ldleel32.exe
    3⤵
    PID:8428

C:\Windows\SysWOW64\Lfkaag32.exe
C:\Windows\system32\Lfkaag32.exe
1⤵
PID:8500
- C:\Windows\SysWOW64\Lenamdem.exe
  C:\Windows\system32\Lenamdem.exe
  2⤵
  PID:8540
- - C:\Windows\SysWOW64\Llgjjnlj.exe
    C:\Windows\system32\Llgjjnlj.exe
    3⤵
    PID:8640

C:\Windows\SysWOW64\Lmgfda32.exe
C:\Windows\system32\Lmgfda32.exe
1⤵
PID:8708
- C:\Windows\SysWOW64\Ldanqkki.exe
  C:\Windows\system32\Ldanqkki.exe
  2⤵
  PID:8752

C:\Windows\SysWOW64\Lebkhc32.exe
C:\Windows\system32\Lebkhc32.exe
1⤵
PID:8916
- C:\Windows\SysWOW64\Lllcen32.exe
  C:\Windows\system32\Lllcen32.exe
  2⤵
  PID:9004

C:\Windows\SysWOW64\Lphoelqn.exe
C:\Windows\system32\Lphoelqn.exe
1⤵
PID:9096
- C:\Windows\SysWOW64\Mbfkbhpa.exe
  C:\Windows\system32\Mbfkbhpa.exe
  2⤵
  PID:9164

C:\Windows\SysWOW64\Mipcob32.exe
C:\Windows\system32\Mipcob32.exe
1⤵
PID:8320
- C:\Windows\SysWOW64\Mlopkm32.exe
  C:\Windows\system32\Mlopkm32.exe
  2⤵
  PID:8440

C:\Windows\SysWOW64\Mdehlk32.exe
C:\Windows\system32\Mdehlk32.exe
1⤵
PID:8516
- C:\Windows\SysWOW64\Mgddhf32.exe
  C:\Windows\system32\Mgddhf32.exe
  2⤵
  PID:8696
- - C:\Windows\SysWOW64\Mibpda32.exe
    C:\Windows\system32\Mibpda32.exe
    3⤵
    PID:8764

C:\Windows\SysWOW64\Mlampmdo.exe
C:\Windows\system32\Mlampmdo.exe
1⤵
PID:8880
- C:\Windows\SysWOW64\Mdhdajea.exe
  C:\Windows\system32\Mdhdajea.exe
  2⤵
  PID:8956

C:\Windows\SysWOW64\Mckemg32.exe
C:\Windows\system32\Mckemg32.exe
1⤵
PID:9136
- C:\Windows\SysWOW64\Meiaib32.exe
  C:\Windows\system32\Meiaib32.exe
  2⤵
  PID:9204

C:\Windows\SysWOW64\Miemjaci.exe
C:\Windows\system32\Miemjaci.exe
1⤵
PID:8460
- C:\Windows\SysWOW64\Mlcifmbl.exe
  C:\Windows\system32\Mlcifmbl.exe
  2⤵
  PID:8616

C:\Windows\SysWOW64\Mdjagjco.exe
C:\Windows\system32\Mdjagjco.exe
1⤵
PID:8936
- C:\Windows\SysWOW64\Mcmabg32.exe
  C:\Windows\system32\Mcmabg32.exe
  2⤵
  PID:9064
- - C:\Windows\SysWOW64\Melnob32.exe
    C:\Windows\system32\Melnob32.exe
    3⤵
    PID:8332

C:\Windows\SysWOW64\Mmbfpp32.exe
C:\Windows\system32\Mmbfpp32.exe
1⤵
PID:8508
- C:\Windows\SysWOW64\Mpablkhc.exe
  C:\Windows\system32\Mpablkhc.exe
  2⤵
  PID:8796
- - C:\Windows\SysWOW64\Mgkjhe32.exe
    C:\Windows\system32\Mgkjhe32.exe
    3⤵
    PID:8420

C:\Windows\SysWOW64\Menjdbgj.exe
C:\Windows\system32\Menjdbgj.exe
1⤵
PID:9128
- C:\Windows\SysWOW64\Mnebeogl.exe
  C:\Windows\system32\Mnebeogl.exe
  2⤵
  PID:8748

C:\Windows\SysWOW64\Npcoakfp.exe
C:\Windows\system32\Npcoakfp.exe
1⤵
PID:8532
- C:\Windows\SysWOW64\Ndokbi32.exe
  C:\Windows\system32\Ndokbi32.exe
  2⤵
  PID:9248

C:\Windows\SysWOW64\Ngmgne32.exe
C:\Windows\system32\Ngmgne32.exe
1⤵
PID:9288
- C:\Windows\SysWOW64\Nilcjp32.exe
  C:\Windows\system32\Nilcjp32.exe
  2⤵
  PID:9336

C:\Windows\SysWOW64\Nljofl32.exe
C:\Windows\system32\Nljofl32.exe
1⤵
PID:9376
- C:\Windows\SysWOW64\Ndaggimg.exe
  C:\Windows\system32\Ndaggimg.exe
  2⤵
  PID:9424
- - C:\Windows\SysWOW64\Ncdgcf32.exe
    C:\Windows\system32\Ncdgcf32.exe
    3⤵
    PID:9464

C:\Windows\SysWOW64\Nebdoa32.exe
C:\Windows\system32\Nebdoa32.exe
1⤵
PID:9512
- C:\Windows\SysWOW64\Nnjlpo32.exe
  C:\Windows\system32\Nnjlpo32.exe
  2⤵
  PID:9552
- - C:\Windows\SysWOW64\Nphhmj32.exe
    C:\Windows\system32\Nphhmj32.exe
    3⤵
    PID:9592

C:\Windows\SysWOW64\Ncfdie32.exe
C:\Windows\system32\Ncfdie32.exe
1⤵
PID:9632
- C:\Windows\SysWOW64\Neeqea32.exe
  C:\Windows\system32\Neeqea32.exe
  2⤵
  PID:9680

C:\Windows\SysWOW64\Nnlhfn32.exe
C:\Windows\system32\Nnlhfn32.exe
1⤵
PID:9720
- C:\Windows\SysWOW64\Nloiakho.exe
  C:\Windows\system32\Nloiakho.exe
  2⤵
  PID:9760

C:\Windows\SysWOW64\Ndfqbhia.exe
C:\Windows\system32\Ndfqbhia.exe
1⤵
PID:9808
- C:\Windows\SysWOW64\Ngdmod32.exe
  C:\Windows\system32\Ngdmod32.exe
  2⤵
  PID:9848
- - C:\Windows\SysWOW64\Nnneknob.exe
    C:\Windows\system32\Nnneknob.exe
    3⤵
    PID:9892
  - - C:\Windows\SysWOW64\Npmagine.exe
      C:\Windows\system32\Npmagine.exe
      4⤵
      PID:9928
    - - C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        5⤵
        
        PID:9980

C:\Windows\SysWOW64\Njefqo32.exe
C:\Windows\system32\Njefqo32.exe
1⤵
PID:10016
- C:\Windows\SysWOW64\Olcbmj32.exe
  C:\Windows\system32\Olcbmj32.exe
  2⤵
  PID:10060
- - C:\Windows\SysWOW64\Ocnjidkf.exe
    C:\Windows\system32\Ocnjidkf.exe
    3⤵
    PID:10100

C:\Windows\SysWOW64\Oflgep32.exe
C:\Windows\system32\Oflgep32.exe
1⤵
PID:10140
- C:\Windows\SysWOW64\Ojgbfocc.exe
  C:\Windows\system32\Ojgbfocc.exe
  2⤵
  PID:10180

C:\Windows\SysWOW64\Ocpgod32.exe
C:\Windows\system32\Ocpgod32.exe
1⤵
PID:10220
- C:\Windows\SysWOW64\Ogkcpbam.exe
  C:\Windows\system32\Ogkcpbam.exe
  2⤵
  PID:9160

C:\Windows\SysWOW64\Ojjolnaq.exe
C:\Windows\system32\Ojjolnaq.exe
1⤵
PID:9296
- C:\Windows\SysWOW64\Oneklm32.exe
  C:\Windows\system32\Oneklm32.exe
  2⤵
  PID:9352
- - C:\Windows\SysWOW64\Opdghh32.exe
    C:\Windows\system32\Opdghh32.exe
    3⤵
    PID:9456

C:\Windows\SysWOW64\Ocbddc32.exe
C:\Windows\system32\Ocbddc32.exe
1⤵
PID:9536
- C:\Windows\SysWOW64\Ofqpqo32.exe
  C:\Windows\system32\Ofqpqo32.exe
  2⤵
  PID:9584

C:\Windows\SysWOW64\Onhhamgg.exe
C:\Windows\system32\Onhhamgg.exe
1⤵
PID:9676
- C:\Windows\SysWOW64\Olkhmi32.exe
  C:\Windows\system32\Olkhmi32.exe
  2⤵
  PID:9748

C:\Windows\SysWOW64\Odapnf32.exe
C:\Windows\system32\Odapnf32.exe
1⤵
PID:9796
- C:\Windows\SysWOW64\Ogpmjb32.exe
  C:\Windows\system32\Ogpmjb32.exe
  2⤵
  PID:9860

C:\Windows\SysWOW64\Ofcmfodb.exe
C:\Windows\system32\Ofcmfodb.exe
1⤵
PID:9940
- C:\Windows\SysWOW64\Onjegled.exe
  C:\Windows\system32\Onjegled.exe
  2⤵
  PID:10004

C:\Windows\SysWOW64\Olmeci32.exe
C:\Windows\system32\Olmeci32.exe
1⤵
PID:10068
- C:\Windows\SysWOW64\Oddmdf32.exe
  C:\Windows\system32\Oddmdf32.exe
  2⤵
  PID:10132
- - C:\Windows\SysWOW64\Ogbipa32.exe
    C:\Windows\system32\Ogbipa32.exe
    3⤵
    PID:10216

C:\Windows\SysWOW64\Ojaelm32.exe
C:\Windows\system32\Ojaelm32.exe
1⤵
PID:9272
- C:\Windows\SysWOW64\Pnlaml32.exe
  C:\Windows\system32\Pnlaml32.exe
  2⤵
  PID:9368

C:\Windows\SysWOW64\Pqknig32.exe
C:\Windows\system32\Pqknig32.exe
1⤵
PID:9472
- C:\Windows\SysWOW64\Pcijeb32.exe
  C:\Windows\system32\Pcijeb32.exe
  2⤵
  PID:9600

C:\Windows\SysWOW64\Pgefeajb.exe
C:\Windows\system32\Pgefeajb.exe
1⤵
PID:9704
- C:\Windows\SysWOW64\Pjcbbmif.exe
  C:\Windows\system32\Pjcbbmif.exe
  2⤵
  PID:9744

C:\Windows\SysWOW64\Pmannhhj.exe
C:\Windows\system32\Pmannhhj.exe
1⤵
PID:9916
- C:\Windows\SysWOW64\Pqmjog32.exe
  C:\Windows\system32\Pqmjog32.exe
  2⤵
  PID:9384

C:\Windows\SysWOW64\Pclgkb32.exe
C:\Windows\system32\Pclgkb32.exe
1⤵
PID:10124
- C:\Windows\SysWOW64\Pggbkagp.exe
  C:\Windows\system32\Pggbkagp.exe
  2⤵
  PID:9176

C:\Windows\SysWOW64\Pjeoglgc.exe
C:\Windows\system32\Pjeoglgc.exe
1⤵
PID:9328
- C:\Windows\SysWOW64\Pnakhkol.exe
  C:\Windows\system32\Pnakhkol.exe
  2⤵
  PID:9580

C:\Windows\SysWOW64\Pqpgdfnp.exe
C:\Windows\system32\Pqpgdfnp.exe
1⤵
PID:9788
- C:\Windows\SysWOW64\Pcncpbmd.exe
  C:\Windows\system32\Pcncpbmd.exe
  2⤵
  PID:10000
- - C:\Windows\SysWOW64\Pflplnlg.exe
    C:\Windows\system32\Pflplnlg.exe
    3⤵
    PID:10172

C:\Windows\SysWOW64\Pncgmkmj.exe
C:\Windows\system32\Pncgmkmj.exe
1⤵
PID:9256
- C:\Windows\SysWOW64\Pqbdjfln.exe
  C:\Windows\system32\Pqbdjfln.exe
  2⤵
  PID:9648

C:\Windows\SysWOW64\Pcppfaka.exe
C:\Windows\system32\Pcppfaka.exe
1⤵
PID:9948
- C:\Windows\SysWOW64\Pgllfp32.exe
  C:\Windows\system32\Pgllfp32.exe
  2⤵
  PID:8304
- - C:\Windows\SysWOW64\Pjjhbl32.exe
    C:\Windows\system32\Pjjhbl32.exe
    3⤵
    PID:9936

C:\Windows\SysWOW64\Pqdqof32.exe
C:\Windows\system32\Pqdqof32.exe
1⤵
PID:8860
- C:\Windows\SysWOW64\Pcbmka32.exe
  C:\Windows\system32\Pcbmka32.exe
  2⤵
  PID:1700

C:\Windows\SysWOW64\Pgnilpah.exe
C:\Windows\system32\Pgnilpah.exe
1⤵
PID:6328
- C:\Windows\SysWOW64\Pjmehkqk.exe
  C:\Windows\system32\Pjmehkqk.exe
  2⤵
  PID:9496

C:\Windows\SysWOW64\Qnhahj32.exe
C:\Windows\system32\Qnhahj32.exe
1⤵
PID:3456
- C:\Windows\SysWOW64\Qqfmde32.exe
  C:\Windows\system32\Qqfmde32.exe
  2⤵
  PID:5456

C:\Windows\SysWOW64\Qceiaa32.exe
C:\Windows\system32\Qceiaa32.exe
1⤵
PID:10040
- C:\Windows\SysWOW64\Qgqeappe.exe
  C:\Windows\system32\Qgqeappe.exe
  2⤵
  PID:528
- - C:\Windows\SysWOW64\Qmmnjfnl.exe
    C:\Windows\system32\Qmmnjfnl.exe
    3⤵
    PID:3208

C:\Windows\SysWOW64\Qddfkd32.exe
C:\Windows\system32\Qddfkd32.exe
1⤵
PID:9520
- C:\Windows\SysWOW64\Qcgffqei.exe
  C:\Windows\system32\Qcgffqei.exe
  2⤵
  PID:10260

C:\Windows\SysWOW64\Qffbbldm.exe
C:\Windows\system32\Qffbbldm.exe
1⤵
PID:10304
- C:\Windows\SysWOW64\Ajanck32.exe
  C:\Windows\system32\Ajanck32.exe
  2⤵
  PID:10344

C:\Windows\SysWOW64\Acjclpcf.exe
C:\Windows\system32\Acjclpcf.exe
1⤵
PID:10512
- C:\Windows\SysWOW64\Ageolo32.exe
  C:\Windows\system32\Ageolo32.exe
  2⤵
  PID:10552

C:\Windows\SysWOW64\Ajckij32.exe
C:\Windows\system32\Ajckij32.exe
1⤵
PID:10600
- C:\Windows\SysWOW64\Anogiicl.exe
  C:\Windows\system32\Anogiicl.exe
  2⤵
  PID:10636

C:\Windows\SysWOW64\Ambgef32.exe
C:\Windows\system32\Ambgef32.exe
1⤵
PID:10676
- C:\Windows\SysWOW64\Aqncedbp.exe
  C:\Windows\system32\Aqncedbp.exe
  2⤵
  PID:10720

C:\Windows\SysWOW64\Aclpap32.exe
C:\Windows\system32\Aclpap32.exe
1⤵
PID:10760
- C:\Windows\SysWOW64\Agglboim.exe
  C:\Windows\system32\Agglboim.exe
  2⤵
  PID:10808

C:\Windows\SysWOW64\Aeklkchg.exe
C:\Windows\system32\Aeklkchg.exe
1⤵
PID:10972
- C:\Windows\SysWOW64\Agjhgngj.exe
  C:\Windows\system32\Agjhgngj.exe
  2⤵
  PID:11032

C:\Windows\SysWOW64\Ajhddjfn.exe
C:\Windows\system32\Ajhddjfn.exe
1⤵
PID:11076
- C:\Windows\SysWOW64\Amgapeea.exe
  C:\Windows\system32\Amgapeea.exe
  2⤵
  PID:11156

C:\Windows\SysWOW64\Aglemn32.exe
C:\Windows\system32\Aglemn32.exe
1⤵
PID:11248
- C:\Windows\SysWOW64\Afoeiklb.exe
  C:\Windows\system32\Afoeiklb.exe
  2⤵
  PID:10272

C:\Windows\SysWOW64\Ajkaii32.exe
C:\Windows\system32\Ajkaii32.exe
1⤵
PID:10368
- C:\Windows\SysWOW64\Aminee32.exe
  C:\Windows\system32\Aminee32.exe
  2⤵
  PID:10448

C:\Windows\SysWOW64\Aadifclh.exe
C:\Windows\system32\Aadifclh.exe
1⤵
PID:10520
- C:\Windows\SysWOW64\Aepefb32.exe
  C:\Windows\system32\Aepefb32.exe
  2⤵
  PID:10608

C:\Windows\SysWOW64\Bfabnjjp.exe
C:\Windows\system32\Bfabnjjp.exe
1⤵
PID:10664
- C:\Windows\SysWOW64\Bmkjkd32.exe
  C:\Windows\system32\Bmkjkd32.exe
  2⤵
  PID:10756

C:\Windows\SysWOW64\Bagflcje.exe
C:\Windows\system32\Bagflcje.exe
1⤵
PID:10800
- C:\Windows\SysWOW64\Bebblb32.exe
  C:\Windows\system32\Bebblb32.exe
  2⤵
  PID:10908

C:\Windows\SysWOW64\Bfdodjhm.exe
C:\Windows\system32\Bfdodjhm.exe
1⤵
PID:11060
- C:\Windows\SysWOW64\Bnkgeg32.exe
  C:\Windows\system32\Bnkgeg32.exe
  2⤵
  PID:11184

C:\Windows\SysWOW64\Bmngqdpj.exe
C:\Windows\system32\Bmngqdpj.exe
1⤵
PID:11220
- C:\Windows\SysWOW64\Baicac32.exe
  C:\Windows\system32\Baicac32.exe
  2⤵
  PID:10352

C:\Windows\SysWOW64\Bchomn32.exe
C:\Windows\system32\Bchomn32.exe
1⤵
PID:10508
- C:\Windows\SysWOW64\Bffkij32.exe
  C:\Windows\system32\Bffkij32.exe
  2⤵
  PID:10648
- - C:\Windows\SysWOW64\Bnmcjg32.exe
    C:\Windows\system32\Bnmcjg32.exe
    3⤵
    PID:10728

C:\Windows\SysWOW64\Balpgb32.exe
C:\Windows\system32\Balpgb32.exe
1⤵
PID:10836
- C:\Windows\SysWOW64\Beglgani.exe
  C:\Windows\system32\Beglgani.exe
  2⤵
  PID:11028

C:\Windows\SysWOW64\Bcjlcn32.exe
C:\Windows\system32\Bcjlcn32.exe
1⤵
PID:11120
- C:\Windows\SysWOW64\Bfhhoi32.exe
  C:\Windows\system32\Bfhhoi32.exe
  2⤵
  PID:11260

C:\Windows\SysWOW64\Bnpppgdj.exe
C:\Windows\system32\Bnpppgdj.exe
1⤵
PID:10584
- C:\Windows\SysWOW64\Bmbplc32.exe
  C:\Windows\system32\Bmbplc32.exe
  2⤵
  PID:10896

C:\Windows\SysWOW64\Beihma32.exe
C:\Windows\system32\Beihma32.exe
1⤵
PID:11192
- C:\Windows\SysWOW64\Bclhhnca.exe
  C:\Windows\system32\Bclhhnca.exe
  2⤵
  PID:10376

C:\Windows\SysWOW64\Bjfaeh32.exe
C:\Windows\system32\Bjfaeh32.exe
1⤵
PID:10900
- C:\Windows\SysWOW64\Bnbmefbg.exe
  C:\Windows\system32\Bnbmefbg.exe
  2⤵
  PID:10408
- - C:\Windows\SysWOW64\Bmemac32.exe
    C:\Windows\system32\Bmemac32.exe
    3⤵
    PID:10960

C:\Windows\SysWOW64\Belebq32.exe
C:\Windows\system32\Belebq32.exe
1⤵
PID:10888
- C:\Windows\SysWOW64\Cfmajipb.exe
  C:\Windows\system32\Cfmajipb.exe
  2⤵
  PID:10660
- - C:\Windows\SysWOW64\Cjkjpgfi.exe
    C:\Windows\system32\Cjkjpgfi.exe
    3⤵
    PID:624

C:\Windows\SysWOW64\Caebma32.exe
C:\Windows\system32\Caebma32.exe
1⤵
PID:11344
- C:\Windows\SysWOW64\Cdcoim32.exe
  C:\Windows\system32\Cdcoim32.exe
  2⤵
  PID:11392

C:\Windows\SysWOW64\Cfbkeh32.exe
C:\Windows\system32\Cfbkeh32.exe
1⤵
PID:11432
- C:\Windows\SysWOW64\Cjmgfgdf.exe
  C:\Windows\system32\Cjmgfgdf.exe
  2⤵
  PID:11472
- - C:\Windows\SysWOW64\Cmlcbbcj.exe
    C:\Windows\system32\Cmlcbbcj.exe
    3⤵
    PID:11520

C:\Windows\SysWOW64\Cfdhkhjj.exe
C:\Windows\system32\Cfdhkhjj.exe
1⤵
PID:11644
- C:\Windows\SysWOW64\Cjpckf32.exe
  C:\Windows\system32\Cjpckf32.exe
  2⤵
  PID:11688

C:\Windows\SysWOW64\Cajlhqjp.exe
C:\Windows\system32\Cajlhqjp.exe
1⤵
PID:11768
- C:\Windows\SysWOW64\Ceehho32.exe
  C:\Windows\system32\Ceehho32.exe
  2⤵
  PID:11804

C:\Windows\SysWOW64\Chcddk32.exe
C:\Windows\system32\Chcddk32.exe
1⤵
PID:11848
- C:\Windows\SysWOW64\Cffdpghg.exe
  C:\Windows\system32\Cffdpghg.exe
  2⤵
  PID:11884

C:\Windows\SysWOW64\Cjbpaf32.exe
C:\Windows\system32\Cjbpaf32.exe
1⤵
PID:11932
- C:\Windows\SysWOW64\Cmqmma32.exe
  C:\Windows\system32\Cmqmma32.exe
  2⤵
  PID:11980

C:\Windows\SysWOW64\Calhnpgn.exe
C:\Windows\system32\Calhnpgn.exe
1⤵
PID:12024
- C:\Windows\SysWOW64\Cegdnopg.exe
  C:\Windows\system32\Cegdnopg.exe
  2⤵
  PID:12060

C:\Windows\SysWOW64\Dhfajjoj.exe
C:\Windows\system32\Dhfajjoj.exe
1⤵
PID:12096
- C:\Windows\SysWOW64\Dfiafg32.exe
  C:\Windows\system32\Dfiafg32.exe
  2⤵
  PID:12140

C:\Windows\SysWOW64\Dmcibama.exe
C:\Windows\system32\Dmcibama.exe
1⤵
PID:12224
- C:\Windows\SysWOW64\Danecp32.exe
  C:\Windows\system32\Danecp32.exe
  2⤵
  PID:12268

C:\Windows\SysWOW64\Ddmaok32.exe
C:\Windows\system32\Ddmaok32.exe
1⤵
PID:11304
- C:\Windows\SysWOW64\Dfknkg32.exe
  C:\Windows\system32\Dfknkg32.exe
  2⤵
  PID:11384

C:\Windows\SysWOW64\Djgjlelk.exe
C:\Windows\system32\Djgjlelk.exe
1⤵
PID:11460
- C:\Windows\SysWOW64\Dmefhako.exe
  C:\Windows\system32\Dmefhako.exe
  2⤵
  PID:11504
- - C:\Windows\SysWOW64\Daqbip32.exe
    C:\Windows\system32\Daqbip32.exe
    3⤵
    PID:11588

C:\Windows\SysWOW64\Dhkjej32.exe
C:\Windows\system32\Dhkjej32.exe
1⤵
PID:11736
- C:\Windows\SysWOW64\Dfnjafap.exe
  C:\Windows\system32\Dfnjafap.exe
  2⤵
  PID:11796

C:\Windows\SysWOW64\Dmgbnq32.exe
C:\Windows\system32\Dmgbnq32.exe
1⤵
PID:11972
- C:\Windows\SysWOW64\Daconoae.exe
  C:\Windows\system32\Daconoae.exe
  2⤵
  PID:12032
- - C:\Windows\SysWOW64\Ddakjkqi.exe
    C:\Windows\system32\Ddakjkqi.exe
    3⤵
    PID:12104

C:\Windows\SysWOW64\Dkkcge32.exe
C:\Windows\system32\Dkkcge32.exe
1⤵
PID:12216
- C:\Windows\SysWOW64\Dmjocp32.exe
  C:\Windows\system32\Dmjocp32.exe
  2⤵
  PID:12284
- - C:\Windows\SysWOW64\Daekdooc.exe
    C:\Windows\system32\Daekdooc.exe
    3⤵
    PID:11356

C:\Windows\SysWOW64\Dhocqigp.exe
C:\Windows\system32\Dhocqigp.exe
1⤵
PID:11624
- C:\Windows\SysWOW64\Doilmc32.exe
  C:\Windows\system32\Doilmc32.exe
  2⤵
  PID:11720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 11836 -ip 11836
1⤵
PID:12016

C:\Windows\SysWOW64\Dmllipeg.exe
C:\Windows\system32\Dmllipeg.exe
1⤵
PID:11836
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 11836 -s 396
  2⤵
  - Program crash
  PID:12084

C:\Windows\SysWOW64\Dddhpjof.exe
C:\Windows\system32\Dddhpjof.exe
1⤵
PID:11516

C:\Windows\SysWOW64\Dfpgffpm.exe
C:\Windows\system32\Dfpgffpm.exe
1⤵
PID:12168

C:\Windows\SysWOW64\Dodbbdbb.exe
C:\Windows\system32\Dodbbdbb.exe
1⤵
PID:11900

C:\Windows\SysWOW64\Ddonekbl.exe
C:\Windows\system32\Ddonekbl.exe
1⤵
PID:11652

C:\Windows\SysWOW64\Dopigd32.exe
C:\Windows\system32\Dopigd32.exe
1⤵
PID:12184

C:\Windows\SysWOW64\Cnkplejl.exe
C:\Windows\system32\Cnkplejl.exe
1⤵
PID:11724

C:\Windows\SysWOW64\Cdfkolkf.exe
C:\Windows\system32\Cdfkolkf.exe
1⤵
PID:11600

C:\Windows\SysWOW64\Ceckcp32.exe
C:\Windows\system32\Ceckcp32.exe
1⤵
PID:11564

C:\Windows\SysWOW64\Cmiflbel.exe
C:\Windows\system32\Cmiflbel.exe
1⤵
PID:11296

C:\Windows\SysWOW64\Bhhdil32.exe
C:\Windows\system32\Bhhdil32.exe
1⤵
PID:10588

C:\Windows\SysWOW64\Bjddphlq.exe
C:\Windows\system32\Bjddphlq.exe
1⤵
PID:10456

C:\Windows\SysWOW64\Bganhm32.exe
C:\Windows\system32\Bganhm32.exe
1⤵
PID:10988

C:\Windows\SysWOW64\Aeniabfd.exe
C:\Windows\system32\Aeniabfd.exe
1⤵
PID:11204

C:\Windows\SysWOW64\Amddjegd.exe
C:\Windows\system32\Amddjegd.exe
1⤵
PID:10912

C:\Windows\SysWOW64\Ajfhnjhq.exe
C:\Windows\system32\Ajfhnjhq.exe
1⤵
PID:10848

C:\Windows\SysWOW64\Adgbpc32.exe
C:\Windows\system32\Adgbpc32.exe
1⤵
PID:10468

C:\Windows\SysWOW64\Ampkof32.exe
C:\Windows\system32\Ampkof32.exe
1⤵
PID:10428

C:\Windows\SysWOW64\Anmjcieo.exe
C:\Windows\system32\Anmjcieo.exe
1⤵
PID:10388

C:\Windows\SysWOW64\Medgncoe.exe
C:\Windows\system32\Medgncoe.exe
1⤵
PID:8232

C:\Windows\SysWOW64\Lbdolh32.exe
C:\Windows\system32\Lbdolh32.exe
1⤵
PID:8820

C:\Windows\SysWOW64\Lffhfh32.exe
C:\Windows\system32\Lffhfh32.exe
1⤵
PID:9008

C:\Windows\SysWOW64\Kmfmmcbo.exe
C:\Windows\system32\Kmfmmcbo.exe
1⤵
PID:8312

C:\Windows\SysWOW64\Jlednamo.exe
C:\Windows\system32\Jlednamo.exe
1⤵
PID:7652

C:\Windows\SysWOW64\Jpgmha32.exe
C:\Windows\system32\Jpgmha32.exe
1⤵
PID:7968

C:\Windows\SysWOW64\Hfifmnij.exe
C:\Windows\system32\Hfifmnij.exe
1⤵
PID:6616

C:\Windows\SysWOW64\Hckjacjg.exe
C:\Windows\system32\Hckjacjg.exe
1⤵
PID:7084

C:\Windows\SysWOW64\Dkljak32.exe
C:\Windows\system32\Dkljak32.exe
1⤵
PID:6008

C:\Windows\SysWOW64\Dlgmpogj.exe
C:\Windows\system32\Dlgmpogj.exe
1⤵
PID:5452

C:\Windows\SysWOW64\Bemlmgnp.exe
C:\Windows\system32\Bemlmgnp.exe
1⤵
PID:5640

C:\Windows\SysWOW64\Bbnpqk32.exe
C:\Windows\system32\Bbnpqk32.exe
1⤵
PID:5588

C:\Windows\SysWOW64\Bjghpn32.exe
C:\Windows\system32\Bjghpn32.exe
1⤵
PID:5540

C:\Windows\SysWOW64\Bjpaooda.exe
C:\Windows\system32\Bjpaooda.exe
1⤵
PID:5200

C:\Windows\SysWOW64\Bhaebcen.exe
C:\Windows\system32\Bhaebcen.exe
1⤵
PID:5160

C:\Windows\SysWOW64\Aacckjaf.exe
C:\Windows\system32\Aacckjaf.exe
1⤵
PID:368

C:\Windows\SysWOW64\Andgoobc.exe
C:\Windows\system32\Andgoobc.exe
1⤵
PID:1296

C:\Windows\SysWOW64\Anpncp32.exe
C:\Windows\system32\Anpncp32.exe
1⤵
PID:3324

C:\Windows\SysWOW64\Qjbena32.exe
C:\Windows\system32\Qjbena32.exe
1⤵
PID:2912

C:\Windows\SysWOW64\Qgciaf32.exe
C:\Windows\system32\Qgciaf32.exe
1⤵
PID:3604

C:\Windows\SysWOW64\Pagdol32.exe
C:\Windows\system32\Pagdol32.exe
1⤵
PID:5044

C:\Windows\SysWOW64\Pnihcq32.exe
C:\Windows\system32\Pnihcq32.exe
1⤵
PID:3152

C:\Windows\SysWOW64\Pgopffec.exe
C:\Windows\system32\Pgopffec.exe
1⤵
PID:4168

C:\Windows\SysWOW64\Peqcjkfp.exe
C:\Windows\system32\Peqcjkfp.exe
1⤵
PID:1248

C:\Windows\SysWOW64\Pnfkma32.exe
C:\Windows\system32\Pnfkma32.exe
1⤵
PID:4120

C:\Windows\SysWOW64\Pkhoae32.exe
C:\Windows\system32\Pkhoae32.exe
1⤵
PID:4456

C:\Windows\SysWOW64\Pcagphom.exe
C:\Windows\system32\Pcagphom.exe
1⤵
PID:5088

C:\Windows\SysWOW64\Pabkdmpi.exe
C:\Windows\system32\Pabkdmpi.exe
1⤵
PID:3088

C:\Windows\SysWOW64\Pndohaqe.exe
C:\Windows\system32\Pndohaqe.exe
1⤵
PID:1864

C:\Windows\SysWOW64\Pkfblfab.exe
C:\Windows\system32\Pkfblfab.exe
1⤵
PID:2320

C:\Windows\SysWOW64\Pcojkhap.exe
C:\Windows\system32\Pcojkhap.exe
1⤵
PID:4220

C:\Windows\SysWOW64\Pqnaim32.exe
C:\Windows\system32\Pqnaim32.exe
1⤵
PID:4804

C:\Windows\SysWOW64\Pnpemb32.exe
C:\Windows\system32\Pnpemb32.exe
1⤵
PID:2932

C:\Windows\SysWOW64\Pkaiqf32.exe
C:\Windows\system32\Pkaiqf32.exe
1⤵
PID:4144

C:\Windows\SysWOW64\Ocgdji32.exe
C:\Windows\system32\Ocgdji32.exe
1⤵
PID:3840

C:\Windows\SysWOW64\Obfhba32.exe
C:\Windows\system32\Obfhba32.exe
1⤵
PID:2692

C:\Windows\SysWOW64\Okloegjl.exe
C:\Windows\system32\Okloegjl.exe
1⤵
- Executes dropped EXE
PID:2212

C:\Windows\SysWOW64\Oqgkhnjf.exe
C:\Windows\system32\Oqgkhnjf.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4660

C:\Windows\SysWOW64\Ojmcld32.exe
C:\Windows\system32\Ojmcld32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3444

C:\Windows\SysWOW64\Okjbpglo.exe
C:\Windows\system32\Okjbpglo.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4032

C:\Windows\SysWOW64\Occkojkm.exe
C:\Windows\system32\Occkojkm.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ambgef32.exe

Filesize
103KB

MD5
8687ab8e5e01539380356cc442be4ab5

SHA1
c58bf98cc71d1657aa44e2e0c32fdeee6a7a2b40

SHA256
7ac923340e801fb450107af13978d675db586e1c22267931ff4af46d0806cbdb

SHA512
9e3f48e6c36b959b9c2910c7f206485eda93974026572ca79a0989fd0e124f5abaa927f747b46af9e87ac786c6fd978b5473aca3a0d3455c7610bc2e1a048dfa

Download Submit
C:\Windows\SysWOW64\Beeflhdh.exe

Filesize
320KB

MD5
96925a68bb8be9e94952d46dac338848

SHA1
de110c8d88dcfc21b0f804b2d3e90e3ba8174a63

SHA256
8825ccf22be36d3a9c02cb5bbf7464ffefe7ef41e237d5818fdf0e242d15ed9a

SHA512
4513c19a3782e33a1a227fb52771979e2da88414b7f8c183b27753f96886cb1a04461572ba8f36eb26b160429b6026eb650e9423d133c50331d9ab76bed06282

Download Submit
C:\Windows\SysWOW64\Bhkhibmc.exe

Filesize
320KB

MD5
d7a0a3e7c576132820182df38a671d86

SHA1
fa66b379e0e7a51366a2ad23e93886b5ae9089ff

SHA256
e0cb033232955e9ad024186d5b9aa51de594e8eceb2937e46d27445e4c707c3d

SHA512
31c4e440c1276321ca202b8d42188b8ecb0cc8bf14a55a40ce6157acdcc20c451e141dfe87ce34dec2a9ec9b0efa50e909370fdbabbce9421d030764a62fbb2a

Download Submit
C:\Windows\SysWOW64\Bkidenlg.exe

Filesize
320KB

MD5
41ae766c207b1cc8cb3c5129519dca14

SHA1
083517dd4be55194e2a3c08edcd64d7ea0209cbf

SHA256
9f79871adbd428c38f094034d943d0a96955cc054979ae1d30251d665b8aa892

SHA512
5cca6e46269d8c4c9459b01f84ca0e53cfc9c0065269d0b8c73c2af260d8475394511d26fe1cfedf975bc78977b56691fcb3c80213d86c37f6f434b93529c327

Download Submit
C:\Windows\SysWOW64\Cafigg32.exe

Filesize
177KB

MD5
1b25070f010a52c327c70c19bd5f4e82

SHA1
17998f5cf0ae8d0a4b1bcccadd9090f4d7b6e3fb

SHA256
745c2a1b9216d20ec3ec0eb3cff803e132321a0757d85b4516586ae5b49a1aba

SHA512
0ebbe457f37ed0d47c5655454eb2edaa461c58de2bd9875b7b7fe1eb3fbd3ff3c9c36ac4be9655d9bfd6eb7e00e923ce405267745a0ccfabd185e453f5bdf584

Download Submit
C:\Windows\SysWOW64\Ceoibflm.exe

Filesize
320KB

MD5
f39a2f74a951fea9bed4f550b9be2d0c

SHA1
c2b4e8dd56b3ceec6ea9ffd3d83f1d7db39a589b

SHA256
1a11bedb98a93677b32cd776af5cbeda46074831038e32d6c0d500f0e45feb56

SHA512
bbf95ccbdf32cb860495dab2da09016cb0d4fa70e2e1e63f28d5a0211d402af2de234edf13e43290c33a949f33cd45cca72e4017c093f39eb7c114d56b50c452

Download Submit
C:\Windows\SysWOW64\Chdkoa32.exe

Filesize
320KB

MD5
416af3888978749a9a1c21865ebc453d

SHA1
156bae04602344ef107eaffa428e4ae4dea775ea

SHA256
79d345aa64fb5e28b308476da6d40e10c8b80f271e7582d029ade0e915e211ae

SHA512
fc270c2db69ef2ff2b87f52e542023e70b4639c62f069bbe7cdb9a2810eeccdcc8d3c57b6768828b02f7441b050d954d8d9c4b61739cb374aaca6471295a0e97

Download Submit
C:\Windows\SysWOW64\Ckedalaj.exe

Filesize
320KB

MD5
ddf5fa7c7e2df2ce0693739f581bd04a

SHA1
02f2fa12bac25b2b697e8b4ee86928af101821a7

SHA256
501af46e30b8f111e72a79ce7420188f4e172f96dc4b465603c15662aa103166

SHA512
2e67e2e93113fad920a0863b2fa7c9b8a4b2f4dfde332810fe420f8b3d813d470ef1e29a0daf18ba72290e8a71b1ae1b9df1a42fde9f293e50f529f8609c308e

Download Submit
C:\Windows\SysWOW64\Clbceo32.exe

Filesize
320KB

MD5
9477cdad5c246a0cc39bf0c630cce4d5

SHA1
2fed7528d21c6b23ec7109da0cb2a8fbf9a5a2d3

SHA256
6bfe292ef838e4cc95e48822c6abaa540a95387e70b68b649c4f0f3b8634a9e9

SHA512
33a5fd1717c0f7c8a1496fb050355a0c2819eff6b62b2a1df0f4dd2192bd1ac733b91a226826f59cc492a6424341a171385481d9ed7b8a09f1dc3c3b66eb62ed

Download Submit
C:\Windows\SysWOW64\Conclk32.exe

Filesize
320KB

MD5
27d9b99ae2e28d453d1d4eb9dcbebed6

SHA1
d142308844bf1e98176a359c33d16a995e24034f

SHA256
1e1a1f6f4c5f7a322973faf6246bdefcd55c9e3d4f01dca0361655d30f4f695b

SHA512
1b161300064abed2e7550e94b4e3f162ca807ceced9f24820252f399b420e828da30332eb90eff386f5519c251416477e2c86351e181e38a944f96460bb43252

Download Submit
C:\Windows\SysWOW64\Dkgqfl32.exe

Filesize
320KB

MD5
19b51129e0fde68c240e871bbdaee0c4

SHA1
579e4e86b90df901712c1bc767bec0ea4d6b6a52

SHA256
494fb68160b00dda76a600cdd501d19ea417d5bdf190888485a7fe5ad63e3a04

SHA512
a67bf54dfa50e48752755e8fddcfc6b69b9136e906c69f7b70638731a00d87f4ac16a9b95cc25f8c57e9985834df12f76b7c016a06a911920df12dcaefad79ff

Download Submit
C:\Windows\SysWOW64\Fhqcam32.exe

Filesize
142KB

MD5
735d988a8bbb272266caac9f798cf391

SHA1
851e11dd02477941b13ceca5d3d1f6abea5e1ef9

SHA256
cc728c57dfc52253d6aedb8d392223ffa6e9afeff0319d09972ed1567351a995

SHA512
462e23e2da37807909694179931f283114c71f97e9184313a12f157b69de2cf0981eedc4bb0c4021fece8fe5d32071bb1d45571f1179edec7eaa72f7197cc046

Download Submit
C:\Windows\SysWOW64\Gbbkaako.exe

Filesize
69KB

MD5
53db0105102656e8a09ec0fee587eca9

SHA1
6ed411cd7a32bb47acb0dee7ae6d4cb68cfa3d8d

SHA256
be3cce89062a013b2f810a3a19967a1a383c8756f900a665cf3ca84eabafa66d

SHA512
f5907ffc12a4bd8350a37615e93798947c608a6b3bb93ec9bb73891ed742fed15cf844f84b838ae01876161f59658428e1538234bff9246a51a1cc480c777c9a

Download Submit
C:\Windows\SysWOW64\Jlednamo.exe

Filesize
98KB

MD5
02b6b101278b1fcb26f3262dfcc18f7c

SHA1
208f84ae3bc4901fcb9c441fda6f819f9c09b60d

SHA256
d11918a0f7ae870b28fd384494a8774ffd4081bd151c69468cc60d959f2d4f71

SHA512
eeb5de391202873c73807c62d9a49313d2e2793f4084db545c5aef06875f2b25316dee28992018893343c93dc5b39a76a6bca202d86cb68b6b2531db9f259927

Download Submit
C:\Windows\SysWOW64\Kbceejpf.exe

Filesize
156KB

MD5
315b6c7f2c30ec6681a9d4322c18270a

SHA1
eb355a9008a8eebc5d0e515e948a362cfc0385c9

SHA256
b8209497d09de7a0b199b049da6d99438794b071fc247dcf0394ef2e8035be06

SHA512
511c7cfe2d061e2590714d89bb6529a2345dda2c619c29a41108c685e6f898012b93f395fd15a17c9d57da8ffc95fb44ef9f4d4603ef33c7359c7b35fd5b1038

Download Submit
C:\Windows\SysWOW64\Llemdo32.exe

Filesize
83KB

MD5
c091c9ff0cbd5d1cc9927fb8e0907d60

SHA1
3543200842d990edd9341d46c34e0266d44a0e6f

SHA256
907cf6d2d542a8ab1fe63f50d2355a03dc7c359416794896dcd5edd6d2ab8ac7

SHA512
86e32513da013b39ae102341b623057b1c7e918c65c181a6feaaec460e84702a7727a41dcedb9398577f9b2427d2781d40eaf56bd6a543674ab01b7e1e6d73ba

Download Submit
C:\Windows\SysWOW64\Mcmabg32.exe

Filesize
162KB

MD5
5015eb938b73c5db43e926f8d9a74b7a

SHA1
737e839668feb34e72385273611e5d21e396de2a

SHA256
9a361dab0714487dccdd7d8ffe60ac91b1cf237f6aa3e8d023eccb29663b61ad

SHA512
a443ed9f05c91de40ff8388c3babb27af8d281a2f30f78e4c3b2578948c2ec9d107b0b79eae6d0c5d9a3ae5db5c60c55916deae8432445fdb89326c640593858

Download Submit
C:\Windows\SysWOW64\Mgddhf32.exe

Filesize
116KB

MD5
6f205688f3fc042def928a3afcd07a37

SHA1
523de90a6b658599def42b8349ae8af36934c7a9

SHA256
52e91d08db8b44d2abb5beaded2125d5219b3d6f5512f25888eb98c64d50b3c4

SHA512
1d9c8093cffa94994ea18b96e40790192c680b6f4f29c0140bdfad0e539d4ea878e602a3f446e3121d228b36f70c03c6356942bc4dee1f300675136122d3d7c4

Download Submit
C:\Windows\SysWOW64\Nilcjp32.exe

Filesize
101KB

MD5
44fdcbf729f6f91690e27d01633b9a3d

SHA1
130150cc7a0864a54a8b1673125947c260fe7fb0

SHA256
920873988b722216da9f66050791be2783a9f32c73e37192d9b41c27fd74cb92

SHA512
edae6ee31225b8f2263586102b4301586cd17ae414418666e64c55ec04921ffdc236cfa19fc4bc3e7c05c8f369ad5412be1afdce5891f0e12b538cf5f522504e

Download Submit
C:\Windows\SysWOW64\Obfhba32.exe

Filesize
283KB

MD5
ec4f417234b2f008072ac7da057188ea

SHA1
bbf4db11fe22fb440e62b4de9fa1d62de738e325

SHA256
4abd796c5647f8ff900f4ff63d73e1f00dda4f7b80874ead9a8bc87f6ca0437b

SHA512
66cc14ee3c59911240dbf3d6ad80a2a5b5b30e051ae04899598dab2d580e6a1929c89236aeb629bde807d90667f1eaf40b83e03cff16a908b49958af43a0af5a

Download Submit
C:\Windows\SysWOW64\Okloegjl.exe

Filesize
167KB

MD5
9bcec209cc05899ad45d6e94f9bebec2

SHA1
88c11c8f7b41ef227a913a746e97ed727f3a5320

SHA256
04e14b1396b0f6095c013c21ba94ddbcb4db88f065672e2bba2e9f7c09841890

SHA512
c69a7e9a385dd332ece672cdf881b21185b35aee578b38a8d8123a3414bd15a1932f34bb4b4ebca638eb09879991d9bb255668f0d3cdcf95478a1f6846a1a4f5

Download Submit
C:\Windows\SysWOW64\Onfbfc32.exe

Filesize
130KB

MD5
7617474122aacfa7f54e0ce4de588d9d

SHA1
3a5bde91d51438ce9c448651e386535cb0512f5c

SHA256
d547778c80b37f623df5f2f0b19f766196e498c2ee9f7b6e1e4ce9f232644daa

SHA512
bb5f2aac838f2e3b46158957c7affbb89f08b9bbc4dcf98cced7a98a0dfbe56fad39d40e5f4f2a0b3ec8c07842136ccfc270d9203b6b7805ce3c897fe251617a

Download Submit
C:\Windows\SysWOW64\Onfbfc32.exe

Filesize
287KB

MD5
06784f8642af9ba538e2a59e5c50144d

SHA1
a027193efa8124e0fb6e4dea027505512217a246

SHA256
f1897fc7ad5033a6213013dfea0f615720ef64af2adfb6267ad4ad8d4057821e

SHA512
150fde148d23aa66f081f029b04b52f7130782db5a3b201d80c69651da1a8135b621d7fa8bc6e439f3cd2087cfe37ecdf8202064ae28f6f48545cae80bd690b8

Download Submit
C:\Windows\SysWOW64\Onmhgb32.exe

Filesize
196KB

MD5
a5eb65de24df530b9e28f62903c63dd6

SHA1
7f5e5bec3ac6a13edf3f4925ed5a51efe2d6ba0a

SHA256
846be45b879feb3e42590c3d0c24a9aebc24c22348d83594427923c5354ac4f0

SHA512
85b57da7ef94305c09a0158ebc2c767f4b9538fabe028eccb87153782c7b7ddd04567dede199874ea2c69bc87327bc3ee36c9dbc58999c4387a6929c1cb85a35

Download Submit
C:\Windows\SysWOW64\Oqdoboli.exe

Filesize
92KB

MD5
76d4ff80f36f0ed2fb83d55d531c835a

SHA1
1a1ed22ecbcaa6b673205c80cb7f254626d8a7d9

SHA256
f0db6d426bdeb6c03c35c5da1911c94934eff5dbc3df19473cdf7c366bc25b39

SHA512
6802be72ce349df396bbdd77562e707bf098469ec94355b7241aedeeaa553572581f702b2c91d07ce9caaa0dbf8ada3b0cb75c3275608ae01e1f1c8e7a00881e

Download Submit
C:\Windows\SysWOW64\Pcijeb32.exe

Filesize
106KB

MD5
cd1da9ff62464c80ba9ad76c3c036c45

SHA1
ae748411baf44876801445f0ba881164a621a2a6

SHA256
ace26498e159a954734aebc177a3b0bdefb088ab6b20d16c2e957efadd27bc04

SHA512
aa3c30ebef790eadcfdb1a85cfdb274a5b42c86734bd44f6cbe2fd9d052421a149d6489c337886baf619058a9779a35a5abb8e6d478a66a021bae110c8f7393b

Download Submit
C:\Windows\SysWOW64\Pgnilpah.exe

Filesize
105KB

MD5
df5aa61466db55bfe87a7567d2b1d42d

SHA1
85f9c9ae94863aaff776f3234cd856649e08e0a1

SHA256
4aca2d3ffcebd75a76b47673332a187d7b73bbf8d3e74eeca3e194396d855f87

SHA512
55cca617d9e3e955b1b3136115758c6cb0260e5bdff04ffdc0513045ee460205abddae9c419cf9554cbd2b63b001852cb6f8f2e5a43c4f2fd92f05dc87e28282

Download Submit
C:\Windows\SysWOW64\Pnlaml32.exe

Filesize
139KB

MD5
cd8e103e68d690ea747cdd1fd6f2b81e

SHA1
a5e182be7f9bcea00eccfee4ca97189c3562594d

SHA256
c7924a06037887a3e0179b3328369bf07ffec2c07de4c908345d72742fa920d6

SHA512
50fae8ff8127dbbbbb2ee4456af820ff7159c4c5147608556afa688ab51fc81651debb67190095be0cdcf0978c24d2058841d4b7c4d72f27b17d490931e420d6

Download Submit
C:\Windows\SysWOW64\Pnpemb32.exe

Filesize
106KB

MD5
f5f7674d0dbdf38fbbc130b520d781a1

SHA1
2937ec611b355b33bc597662d553a047d4e66fe1

SHA256
023e7df7d7702fa910ab7c6066d3c23bfb6ec3517af7bb5c623704e35825650c

SHA512
f2be6fa6010984e27c3266d0470aab5cdc609d856ba83edc5d4e77403b05293d2144967e4e239dd578ac1687947159e4f87b38f438bae66508d2942c29e5c7be

Download Submit
C:\Windows\SysWOW64\Qffbbldm.exe

Filesize
133KB

MD5
be80da70ac89545df8adcf3281ac0bff

SHA1
ae452875992f4e5d7b1c4e9ae43ff26421f2af84

SHA256
f71d09d4fc81ac11894c8c0e2a819775f17e83769f86c6ef9f875ee1b5ed9c21

SHA512
1d2908e4e4a9d6e255eb891e4a869a6f5d8479994ac50093ab254b2275d8ee5eed2db2f1942de403a465c990b60ec89a58d6ce999deaa8f09bd22f68fb7701e8

Download Submit
memory/216-25-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/368-336-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/760-294-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1060-234-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1200-270-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1248-202-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1296-330-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1596-312-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1644-300-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1864-166-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1884-90-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1964-348-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2212-57-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2248-9-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2252-250-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2320-154-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2516-355-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2692-64-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2792-122-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2912-268-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2932-106-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3028-82-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3088-174-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3128-322-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3152-218-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3324-293-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3444-41-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3476-243-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3504-353-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3604-262-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3652-341-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3660-17-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3840-72-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3936-282-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3956-130-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4032-37-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4120-194-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4144-97-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4168-210-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4220-150-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4224-138-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4456-190-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4520-361-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4576-276-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4588-80-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4588-1-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4588-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4660-49-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4804-113-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4956-324-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5000-306-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5044-230-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5088-178-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5160-367-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5200-373-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5240-379-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5280-389-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5320-395-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5368-402-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5416-403-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5464-409-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5504-420-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5540-421-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5588-427-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads