Analysis

  • max time kernel
    95s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/11/2024, 08:54

General

  • Target

    1a853b3f1bd21fe2137098251ad239b8948a495ad261c2c9db2bde9a103cea73N.exe

  • Size

    64KB

  • MD5

    462e98e25bd9de476b61c466b1104dc0

  • SHA1

    25dc093111654187123dcd26a7a1c17b4514bb19

  • SHA256

    1a853b3f1bd21fe2137098251ad239b8948a495ad261c2c9db2bde9a103cea73

  • SHA512

    c9215a1e5b9d95b38ae6666ff6aa74a250c8f92b87f85df65f3c5f1c051d07663eaee366a9ce460dd335d58788782ca36c053b858c156066ef47d955cef8c00f

  • SSDEEP

    1536:YIpBazinmSlAVmEuyXDPs6+Ig8t7TJW/ZBQ8oTpL2LVXdZgQe:FBax7mKDE6+P8aBadTpoVXds

Malware Config

Extracted

Family

berbew

C2

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
  • Berbew

    Berbew is a backdoor written in C++.

  • Berbew family
  • Executes dropped EXE 64 IoCs
  • Drops file in System32 directory 64 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1a853b3f1bd21fe2137098251ad239b8948a495ad261c2c9db2bde9a103cea73N.exe
    "C:\Users\Admin\AppData\Local\Temp\1a853b3f1bd21fe2137098251ad239b8948a495ad261c2c9db2bde9a103cea73N.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:1920
    • C:\Windows\SysWOW64\Jmmjgejj.exe
      C:\Windows\system32\Jmmjgejj.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:2948
      • C:\Windows\SysWOW64\Jplfcpin.exe
        C:\Windows\system32\Jplfcpin.exe
        3⤵
        • Executes dropped EXE
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:2384
        • C:\Windows\SysWOW64\Jbjcolha.exe
          C:\Windows\system32\Jbjcolha.exe
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:1444
          • C:\Windows\SysWOW64\Jidklf32.exe
            C:\Windows\system32\Jidklf32.exe
            5⤵
            • Adds autorun key to be loaded by Explorer.exe on startup
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Modifies registry class
            • Suspicious use of WriteProcessMemory
            PID:3076
            • C:\Windows\SysWOW64\Jlbgha32.exe
              C:\Windows\system32\Jlbgha32.exe
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:3784
              • C:\Windows\SysWOW64\Jcioiood.exe
                C:\Windows\system32\Jcioiood.exe
                7⤵
                • Executes dropped EXE
                • Drops file in System32 directory
                • Suspicious use of WriteProcessMemory
                PID:2128
                • C:\Windows\SysWOW64\Jfhlejnh.exe
                  C:\Windows\system32\Jfhlejnh.exe
                  8⤵
                  • Executes dropped EXE
                  • Drops file in System32 directory
                  • Suspicious use of WriteProcessMemory
                  PID:4860
                  • C:\Windows\SysWOW64\Jifhaenk.exe
                    C:\Windows\system32\Jifhaenk.exe
                    9⤵
                    • Adds autorun key to be loaded by Explorer.exe on startup
                    • Executes dropped EXE
                    • Suspicious use of WriteProcessMemory
                    PID:3292
                    • C:\Windows\SysWOW64\Jpppnp32.exe
                      C:\Windows\system32\Jpppnp32.exe
                      10⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of WriteProcessMemory
                      PID:412
                      • C:\Windows\SysWOW64\Kboljk32.exe
                        C:\Windows\system32\Kboljk32.exe
                        11⤵
                        • Executes dropped EXE
                        • Drops file in System32 directory
                        • Suspicious use of WriteProcessMemory
                        PID:4876
                        • C:\Windows\SysWOW64\Kiidgeki.exe
                          C:\Windows\system32\Kiidgeki.exe
                          12⤵
                          • Executes dropped EXE
                          • Suspicious use of WriteProcessMemory
                          PID:2968
                          • C:\Windows\SysWOW64\Klgqcqkl.exe
                            C:\Windows\system32\Klgqcqkl.exe
                            13⤵
                            • Executes dropped EXE
                            • Suspicious use of WriteProcessMemory
                            PID:3556
                            • C:\Windows\SysWOW64\Kdnidn32.exe
                              C:\Windows\system32\Kdnidn32.exe
                              14⤵
                              • Adds autorun key to be loaded by Explorer.exe on startup
                              • Executes dropped EXE
                              • Suspicious use of WriteProcessMemory
                              PID:2784
                              • C:\Windows\SysWOW64\Kfmepi32.exe
                                C:\Windows\system32\Kfmepi32.exe
                                15⤵
                                • Executes dropped EXE
                                • Modifies registry class
                                • Suspicious use of WriteProcessMemory
                                PID:3096
                                • C:\Windows\SysWOW64\Kikame32.exe
                                  C:\Windows\system32\Kikame32.exe
                                  16⤵
                                  • Executes dropped EXE
                                  • Drops file in System32 directory
                                  • System Location Discovery: System Language Discovery
                                  • Suspicious use of WriteProcessMemory
                                  PID:2436
                                  • C:\Windows\SysWOW64\Klimip32.exe
                                    C:\Windows\system32\Klimip32.exe
                                    17⤵
                                    • Executes dropped EXE
                                    • Drops file in System32 directory
                                    • System Location Discovery: System Language Discovery
                                    • Modifies registry class
                                    • Suspicious use of WriteProcessMemory
                                    PID:1904
                                    • C:\Windows\SysWOW64\Kdqejn32.exe
                                      C:\Windows\system32\Kdqejn32.exe
                                      18⤵
                                      • Executes dropped EXE
                                      • Suspicious use of WriteProcessMemory
                                      PID:4648
                                      • C:\Windows\SysWOW64\Kebbafoj.exe
                                        C:\Windows\system32\Kebbafoj.exe
                                        19⤵
                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                        • Executes dropped EXE
                                        • System Location Discovery: System Language Discovery
                                        • Modifies registry class
                                        • Suspicious use of WriteProcessMemory
                                        PID:3712
                                        • C:\Windows\SysWOW64\Klljnp32.exe
                                          C:\Windows\system32\Klljnp32.exe
                                          20⤵
                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                          • Executes dropped EXE
                                          • Drops file in System32 directory
                                          • System Location Discovery: System Language Discovery
                                          • Suspicious use of WriteProcessMemory
                                          PID:3748
                                          • C:\Windows\SysWOW64\Kdcbom32.exe
                                            C:\Windows\system32\Kdcbom32.exe
                                            21⤵
                                            • Executes dropped EXE
                                            • System Location Discovery: System Language Discovery
                                            • Suspicious use of WriteProcessMemory
                                            PID:1208
                                            • C:\Windows\SysWOW64\Kfankifm.exe
                                              C:\Windows\system32\Kfankifm.exe
                                              22⤵
                                              • Executes dropped EXE
                                              • Drops file in System32 directory
                                              • Suspicious use of WriteProcessMemory
                                              PID:3956
                                              • C:\Windows\SysWOW64\Kipkhdeq.exe
                                                C:\Windows\system32\Kipkhdeq.exe
                                                23⤵
                                                • Executes dropped EXE
                                                • Drops file in System32 directory
                                                • System Location Discovery: System Language Discovery
                                                • Modifies registry class
                                                PID:3524
                                                • C:\Windows\SysWOW64\Kpjcdn32.exe
                                                  C:\Windows\system32\Kpjcdn32.exe
                                                  24⤵
                                                  • Executes dropped EXE
                                                  • Drops file in System32 directory
                                                  • System Location Discovery: System Language Discovery
                                                  PID:1640
                                                  • C:\Windows\SysWOW64\Kfckahdj.exe
                                                    C:\Windows\system32\Kfckahdj.exe
                                                    25⤵
                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                    • Executes dropped EXE
                                                    • System Location Discovery: System Language Discovery
                                                    PID:4712
                                                    • C:\Windows\SysWOW64\Kibgmdcn.exe
                                                      C:\Windows\system32\Kibgmdcn.exe
                                                      26⤵
                                                      • Executes dropped EXE
                                                      • Drops file in System32 directory
                                                      PID:4100
                                                      • C:\Windows\SysWOW64\Klqcioba.exe
                                                        C:\Windows\system32\Klqcioba.exe
                                                        27⤵
                                                        • Executes dropped EXE
                                                        • Modifies registry class
                                                        PID:3316
                                                        • C:\Windows\SysWOW64\Kdgljmcd.exe
                                                          C:\Windows\system32\Kdgljmcd.exe
                                                          28⤵
                                                          • Executes dropped EXE
                                                          • Modifies registry class
                                                          PID:4584
                                                          • C:\Windows\SysWOW64\Lffhfh32.exe
                                                            C:\Windows\system32\Lffhfh32.exe
                                                            29⤵
                                                            • Executes dropped EXE
                                                            • Drops file in System32 directory
                                                            PID:2480
                                                            • C:\Windows\SysWOW64\Liddbc32.exe
                                                              C:\Windows\system32\Liddbc32.exe
                                                              30⤵
                                                              • Executes dropped EXE
                                                              • System Location Discovery: System Language Discovery
                                                              PID:1760
                                                              • C:\Windows\SysWOW64\Llcpoo32.exe
                                                                C:\Windows\system32\Llcpoo32.exe
                                                                31⤵
                                                                • Executes dropped EXE
                                                                PID:4456
                                                                • C:\Windows\SysWOW64\Lbmhlihl.exe
                                                                  C:\Windows\system32\Lbmhlihl.exe
                                                                  32⤵
                                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                                  • Executes dropped EXE
                                                                  • Modifies registry class
                                                                  PID:3960
                                                                  • C:\Windows\SysWOW64\Ligqhc32.exe
                                                                    C:\Windows\system32\Ligqhc32.exe
                                                                    33⤵
                                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                                    • Executes dropped EXE
                                                                    • Drops file in System32 directory
                                                                    • System Location Discovery: System Language Discovery
                                                                    PID:3264
                                                                    • C:\Windows\SysWOW64\Lmbmibhb.exe
                                                                      C:\Windows\system32\Lmbmibhb.exe
                                                                      34⤵
                                                                      • Executes dropped EXE
                                                                      • System Location Discovery: System Language Discovery
                                                                      PID:4300
                                                                      • C:\Windows\SysWOW64\Lfkaag32.exe
                                                                        C:\Windows\system32\Lfkaag32.exe
                                                                        35⤵
                                                                        • Executes dropped EXE
                                                                        • Drops file in System32 directory
                                                                        PID:3476
                                                                        • C:\Windows\SysWOW64\Liimncmf.exe
                                                                          C:\Windows\system32\Liimncmf.exe
                                                                          36⤵
                                                                          • Executes dropped EXE
                                                                          • System Location Discovery: System Language Discovery
                                                                          PID:3596
                                                                          • C:\Windows\SysWOW64\Ldoaklml.exe
                                                                            C:\Windows\system32\Ldoaklml.exe
                                                                            37⤵
                                                                            • Executes dropped EXE
                                                                            • Modifies registry class
                                                                            PID:5004
                                                                            • C:\Windows\SysWOW64\Lgmngglp.exe
                                                                              C:\Windows\system32\Lgmngglp.exe
                                                                              38⤵
                                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                                              • Executes dropped EXE
                                                                              PID:2556
                                                                              • C:\Windows\SysWOW64\Lepncd32.exe
                                                                                C:\Windows\system32\Lepncd32.exe
                                                                                39⤵
                                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                • Executes dropped EXE
                                                                                PID:5112
                                                                                • C:\Windows\SysWOW64\Lmgfda32.exe
                                                                                  C:\Windows\system32\Lmgfda32.exe
                                                                                  40⤵
                                                                                  • Executes dropped EXE
                                                                                  PID:4664
                                                                                  • C:\Windows\SysWOW64\Lpebpm32.exe
                                                                                    C:\Windows\system32\Lpebpm32.exe
                                                                                    41⤵
                                                                                    • Executes dropped EXE
                                                                                    • Drops file in System32 directory
                                                                                    • Modifies registry class
                                                                                    PID:3092
                                                                                    • C:\Windows\SysWOW64\Lbdolh32.exe
                                                                                      C:\Windows\system32\Lbdolh32.exe
                                                                                      42⤵
                                                                                      • Executes dropped EXE
                                                                                      PID:2460
                                                                                      • C:\Windows\SysWOW64\Lebkhc32.exe
                                                                                        C:\Windows\system32\Lebkhc32.exe
                                                                                        43⤵
                                                                                        • Executes dropped EXE
                                                                                        • Drops file in System32 directory
                                                                                        • Modifies registry class
                                                                                        PID:1088
                                                                                        • C:\Windows\SysWOW64\Lmiciaaj.exe
                                                                                          C:\Windows\system32\Lmiciaaj.exe
                                                                                          44⤵
                                                                                          • Executes dropped EXE
                                                                                          • Drops file in System32 directory
                                                                                          • System Location Discovery: System Language Discovery
                                                                                          PID:1528
                                                                                          • C:\Windows\SysWOW64\Lphoelqn.exe
                                                                                            C:\Windows\system32\Lphoelqn.exe
                                                                                            45⤵
                                                                                            • Executes dropped EXE
                                                                                            PID:1384
                                                                                            • C:\Windows\SysWOW64\Mbfkbhpa.exe
                                                                                              C:\Windows\system32\Mbfkbhpa.exe
                                                                                              46⤵
                                                                                              • Executes dropped EXE
                                                                                              PID:1520
                                                                                              • C:\Windows\SysWOW64\Medgncoe.exe
                                                                                                C:\Windows\system32\Medgncoe.exe
                                                                                                47⤵
                                                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                • Executes dropped EXE
                                                                                                • Drops file in System32 directory
                                                                                                • Modifies registry class
                                                                                                PID:1500
                                                                                                • C:\Windows\SysWOW64\Mmlpoqpg.exe
                                                                                                  C:\Windows\system32\Mmlpoqpg.exe
                                                                                                  48⤵
                                                                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                  • Executes dropped EXE
                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                  • Modifies registry class
                                                                                                  PID:920
                                                                                                  • C:\Windows\SysWOW64\Mpjlklok.exe
                                                                                                    C:\Windows\system32\Mpjlklok.exe
                                                                                                    49⤵
                                                                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                    • Executes dropped EXE
                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                    PID:528
                                                                                                    • C:\Windows\SysWOW64\Mchhggno.exe
                                                                                                      C:\Windows\system32\Mchhggno.exe
                                                                                                      50⤵
                                                                                                      • Executes dropped EXE
                                                                                                      • Drops file in System32 directory
                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                      PID:4732
                                                                                                      • C:\Windows\SysWOW64\Megdccmb.exe
                                                                                                        C:\Windows\system32\Megdccmb.exe
                                                                                                        51⤵
                                                                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                        • Executes dropped EXE
                                                                                                        • Modifies registry class
                                                                                                        PID:2212
                                                                                                        • C:\Windows\SysWOW64\Mibpda32.exe
                                                                                                          C:\Windows\system32\Mibpda32.exe
                                                                                                          52⤵
                                                                                                          • Executes dropped EXE
                                                                                                          PID:4592
                                                                                                          • C:\Windows\SysWOW64\Mlampmdo.exe
                                                                                                            C:\Windows\system32\Mlampmdo.exe
                                                                                                            53⤵
                                                                                                            • Executes dropped EXE
                                                                                                            • Drops file in System32 directory
                                                                                                            PID:1068
                                                                                                            • C:\Windows\SysWOW64\Mckemg32.exe
                                                                                                              C:\Windows\system32\Mckemg32.exe
                                                                                                              54⤵
                                                                                                              • Executes dropped EXE
                                                                                                              • Drops file in System32 directory
                                                                                                              PID:4840
                                                                                                              • C:\Windows\SysWOW64\Meiaib32.exe
                                                                                                                C:\Windows\system32\Meiaib32.exe
                                                                                                                55⤵
                                                                                                                • Executes dropped EXE
                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                • Modifies registry class
                                                                                                                PID:1396
                                                                                                                • C:\Windows\SysWOW64\Mmpijp32.exe
                                                                                                                  C:\Windows\system32\Mmpijp32.exe
                                                                                                                  56⤵
                                                                                                                  • Executes dropped EXE
                                                                                                                  PID:1556
                                                                                                                  • C:\Windows\SysWOW64\Mpoefk32.exe
                                                                                                                    C:\Windows\system32\Mpoefk32.exe
                                                                                                                    57⤵
                                                                                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                    • Executes dropped EXE
                                                                                                                    • Drops file in System32 directory
                                                                                                                    PID:4652
                                                                                                                    • C:\Windows\SysWOW64\Mcmabg32.exe
                                                                                                                      C:\Windows\system32\Mcmabg32.exe
                                                                                                                      58⤵
                                                                                                                      • Executes dropped EXE
                                                                                                                      • Drops file in System32 directory
                                                                                                                      PID:4432
                                                                                                                      • C:\Windows\SysWOW64\Melnob32.exe
                                                                                                                        C:\Windows\system32\Melnob32.exe
                                                                                                                        59⤵
                                                                                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                        • Executes dropped EXE
                                                                                                                        PID:3584
                                                                                                                        • C:\Windows\SysWOW64\Mmbfpp32.exe
                                                                                                                          C:\Windows\system32\Mmbfpp32.exe
                                                                                                                          60⤵
                                                                                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                          • Executes dropped EXE
                                                                                                                          PID:3796
                                                                                                                          • C:\Windows\SysWOW64\Mlefklpj.exe
                                                                                                                            C:\Windows\system32\Mlefklpj.exe
                                                                                                                            61⤵
                                                                                                                            • Executes dropped EXE
                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                            • Modifies registry class
                                                                                                                            PID:3880
                                                                                                                            • C:\Windows\SysWOW64\Mcpnhfhf.exe
                                                                                                                              C:\Windows\system32\Mcpnhfhf.exe
                                                                                                                              62⤵
                                                                                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                              • Executes dropped EXE
                                                                                                                              • Modifies registry class
                                                                                                                              PID:4288
                                                                                                                              • C:\Windows\SysWOW64\Menjdbgj.exe
                                                                                                                                C:\Windows\system32\Menjdbgj.exe
                                                                                                                                63⤵
                                                                                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                • Executes dropped EXE
                                                                                                                                • Drops file in System32 directory
                                                                                                                                PID:2400
                                                                                                                                • C:\Windows\SysWOW64\Miifeq32.exe
                                                                                                                                  C:\Windows\system32\Miifeq32.exe
                                                                                                                                  64⤵
                                                                                                                                  • Executes dropped EXE
                                                                                                                                  • Drops file in System32 directory
                                                                                                                                  PID:1976
                                                                                                                                  • C:\Windows\SysWOW64\Npcoakfp.exe
                                                                                                                                    C:\Windows\system32\Npcoakfp.exe
                                                                                                                                    65⤵
                                                                                                                                    • Executes dropped EXE
                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                    • Modifies registry class
                                                                                                                                    PID:3012
                                                                                                                                    • C:\Windows\SysWOW64\Ndokbi32.exe
                                                                                                                                      C:\Windows\system32\Ndokbi32.exe
                                                                                                                                      66⤵
                                                                                                                                        PID:4920
                                                                                                                                        • C:\Windows\SysWOW64\Nepgjaeg.exe
                                                                                                                                          C:\Windows\system32\Nepgjaeg.exe
                                                                                                                                          67⤵
                                                                                                                                          • Drops file in System32 directory
                                                                                                                                          • Modifies registry class
                                                                                                                                          PID:5108
                                                                                                                                          • C:\Windows\SysWOW64\Nngokoej.exe
                                                                                                                                            C:\Windows\system32\Nngokoej.exe
                                                                                                                                            68⤵
                                                                                                                                              PID:4668
                                                                                                                                              • C:\Windows\SysWOW64\Npfkgjdn.exe
                                                                                                                                                C:\Windows\system32\Npfkgjdn.exe
                                                                                                                                                69⤵
                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                PID:3640
                                                                                                                                                • C:\Windows\SysWOW64\Ngpccdlj.exe
                                                                                                                                                  C:\Windows\system32\Ngpccdlj.exe
                                                                                                                                                  70⤵
                                                                                                                                                  • Modifies registry class
                                                                                                                                                  PID:4368
                                                                                                                                                  • C:\Windows\SysWOW64\Nlmllkja.exe
                                                                                                                                                    C:\Windows\system32\Nlmllkja.exe
                                                                                                                                                    71⤵
                                                                                                                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                    • Drops file in System32 directory
                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                    • Modifies registry class
                                                                                                                                                    PID:4472
                                                                                                                                                    • C:\Windows\SysWOW64\Nphhmj32.exe
                                                                                                                                                      C:\Windows\system32\Nphhmj32.exe
                                                                                                                                                      72⤵
                                                                                                                                                      • Drops file in System32 directory
                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                      • Modifies registry class
                                                                                                                                                      PID:5032
                                                                                                                                                      • C:\Windows\SysWOW64\Ngbpidjh.exe
                                                                                                                                                        C:\Windows\system32\Ngbpidjh.exe
                                                                                                                                                        73⤵
                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                        PID:3220
                                                                                                                                                        • C:\Windows\SysWOW64\Njqmepik.exe
                                                                                                                                                          C:\Windows\system32\Njqmepik.exe
                                                                                                                                                          74⤵
                                                                                                                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                          PID:4852
                                                                                                                                                          • C:\Windows\SysWOW64\Npjebj32.exe
                                                                                                                                                            C:\Windows\system32\Npjebj32.exe
                                                                                                                                                            75⤵
                                                                                                                                                            • Drops file in System32 directory
                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                            PID:4104
                                                                                                                                                            • C:\Windows\SysWOW64\Ndfqbhia.exe
                                                                                                                                                              C:\Windows\system32\Ndfqbhia.exe
                                                                                                                                                              76⤵
                                                                                                                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                              PID:4776
                                                                                                                                                              • C:\Windows\SysWOW64\Ngdmod32.exe
                                                                                                                                                                C:\Windows\system32\Ngdmod32.exe
                                                                                                                                                                77⤵
                                                                                                                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                PID:496
                                                                                                                                                                • C:\Windows\SysWOW64\Njciko32.exe
                                                                                                                                                                  C:\Windows\system32\Njciko32.exe
                                                                                                                                                                  78⤵
                                                                                                                                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                  • Modifies registry class
                                                                                                                                                                  PID:3952
                                                                                                                                                                  • C:\Windows\SysWOW64\Nnneknob.exe
                                                                                                                                                                    C:\Windows\system32\Nnneknob.exe
                                                                                                                                                                    79⤵
                                                                                                                                                                      PID:2772
                                                                                                                                                                      • C:\Windows\SysWOW64\Npmagine.exe
                                                                                                                                                                        C:\Windows\system32\Npmagine.exe
                                                                                                                                                                        80⤵
                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                        PID:4000
                                                                                                                                                                        • C:\Windows\SysWOW64\Ndhmhh32.exe
                                                                                                                                                                          C:\Windows\system32\Ndhmhh32.exe
                                                                                                                                                                          81⤵
                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                          PID:4556
                                                                                                                                                                          • C:\Windows\SysWOW64\Nggjdc32.exe
                                                                                                                                                                            C:\Windows\system32\Nggjdc32.exe
                                                                                                                                                                            82⤵
                                                                                                                                                                            • Drops file in System32 directory
                                                                                                                                                                            PID:2868
                                                                                                                                                                            • C:\Windows\SysWOW64\Nnqbanmo.exe
                                                                                                                                                                              C:\Windows\system32\Nnqbanmo.exe
                                                                                                                                                                              83⤵
                                                                                                                                                                              • Modifies registry class
                                                                                                                                                                              PID:2364
                                                                                                                                                                              • C:\Windows\SysWOW64\Oponmilc.exe
                                                                                                                                                                                C:\Windows\system32\Oponmilc.exe
                                                                                                                                                                                84⤵
                                                                                                                                                                                • Drops file in System32 directory
                                                                                                                                                                                PID:4176
                                                                                                                                                                                • C:\Windows\SysWOW64\Ocnjidkf.exe
                                                                                                                                                                                  C:\Windows\system32\Ocnjidkf.exe
                                                                                                                                                                                  85⤵
                                                                                                                                                                                    PID:1992
                                                                                                                                                                                    • C:\Windows\SysWOW64\Ojgbfocc.exe
                                                                                                                                                                                      C:\Windows\system32\Ojgbfocc.exe
                                                                                                                                                                                      86⤵
                                                                                                                                                                                      • Drops file in System32 directory
                                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                                      • Modifies registry class
                                                                                                                                                                                      PID:2164
                                                                                                                                                                                      • C:\Windows\SysWOW64\Odmgcgbi.exe
                                                                                                                                                                                        C:\Windows\system32\Odmgcgbi.exe
                                                                                                                                                                                        87⤵
                                                                                                                                                                                        • Drops file in System32 directory
                                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                                        PID:1228
                                                                                                                                                                                        • C:\Windows\SysWOW64\Ogkcpbam.exe
                                                                                                                                                                                          C:\Windows\system32\Ogkcpbam.exe
                                                                                                                                                                                          88⤵
                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                          PID:4544
                                                                                                                                                                                          • C:\Windows\SysWOW64\Ojjolnaq.exe
                                                                                                                                                                                            C:\Windows\system32\Ojjolnaq.exe
                                                                                                                                                                                            89⤵
                                                                                                                                                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                            PID:436
                                                                                                                                                                                            • C:\Windows\SysWOW64\Olhlhjpd.exe
                                                                                                                                                                                              C:\Windows\system32\Olhlhjpd.exe
                                                                                                                                                                                              90⤵
                                                                                                                                                                                                PID:2028
                                                                                                                                                                                                • C:\Windows\SysWOW64\Odocigqg.exe
                                                                                                                                                                                                  C:\Windows\system32\Odocigqg.exe
                                                                                                                                                                                                  91⤵
                                                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                                                  PID:956
                                                                                                                                                                                                  • C:\Windows\SysWOW64\Ofqpqo32.exe
                                                                                                                                                                                                    C:\Windows\system32\Ofqpqo32.exe
                                                                                                                                                                                                    92⤵
                                                                                                                                                                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                                                    PID:3632
                                                                                                                                                                                                    • C:\Windows\SysWOW64\Onhhamgg.exe
                                                                                                                                                                                                      C:\Windows\system32\Onhhamgg.exe
                                                                                                                                                                                                      93⤵
                                                                                                                                                                                                        PID:3820
                                                                                                                                                                                                        • C:\Windows\SysWOW64\Olkhmi32.exe
                                                                                                                                                                                                          C:\Windows\system32\Olkhmi32.exe
                                                                                                                                                                                                          94⤵
                                                                                                                                                                                                            PID:5144
                                                                                                                                                                                                            • C:\Windows\SysWOW64\Odapnf32.exe
                                                                                                                                                                                                              C:\Windows\system32\Odapnf32.exe
                                                                                                                                                                                                              95⤵
                                                                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                                                                              PID:5192
                                                                                                                                                                                                              • C:\Windows\SysWOW64\Ogpmjb32.exe
                                                                                                                                                                                                                C:\Windows\system32\Ogpmjb32.exe
                                                                                                                                                                                                                96⤵
                                                                                                                                                                                                                  PID:5240
                                                                                                                                                                                                                  • C:\Windows\SysWOW64\Ofcmfodb.exe
                                                                                                                                                                                                                    C:\Windows\system32\Ofcmfodb.exe
                                                                                                                                                                                                                    97⤵
                                                                                                                                                                                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                    PID:5276
                                                                                                                                                                                                                    • C:\Windows\SysWOW64\Olmeci32.exe
                                                                                                                                                                                                                      C:\Windows\system32\Olmeci32.exe
                                                                                                                                                                                                                      98⤵
                                                                                                                                                                                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                      • Modifies registry class
                                                                                                                                                                                                                      PID:5328
                                                                                                                                                                                                                      • C:\Windows\SysWOW64\Ocgmpccl.exe
                                                                                                                                                                                                                        C:\Windows\system32\Ocgmpccl.exe
                                                                                                                                                                                                                        99⤵
                                                                                                                                                                                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                        PID:5392
                                                                                                                                                                                                                        • C:\Windows\SysWOW64\Ofeilobp.exe
                                                                                                                                                                                                                          C:\Windows\system32\Ofeilobp.exe
                                                                                                                                                                                                                          100⤵
                                                                                                                                                                                                                          • Modifies registry class
                                                                                                                                                                                                                          PID:5448
                                                                                                                                                                                                                          • C:\Windows\SysWOW64\Ojaelm32.exe
                                                                                                                                                                                                                            C:\Windows\system32\Ojaelm32.exe
                                                                                                                                                                                                                            101⤵
                                                                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                            PID:5508
                                                                                                                                                                                                                            • C:\Windows\SysWOW64\Pqknig32.exe
                                                                                                                                                                                                                              C:\Windows\system32\Pqknig32.exe
                                                                                                                                                                                                                              102⤵
                                                                                                                                                                                                                              • Modifies registry class
                                                                                                                                                                                                                              PID:5552
                                                                                                                                                                                                                              • C:\Windows\SysWOW64\Pdifoehl.exe
                                                                                                                                                                                                                                C:\Windows\system32\Pdifoehl.exe
                                                                                                                                                                                                                                103⤵
                                                                                                                                                                                                                                  PID:5596
                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\Pfjcgn32.exe
                                                                                                                                                                                                                                    C:\Windows\system32\Pfjcgn32.exe
                                                                                                                                                                                                                                    104⤵
                                                                                                                                                                                                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                    • Drops file in System32 directory
                                                                                                                                                                                                                                    • Modifies registry class
                                                                                                                                                                                                                                    PID:5640
                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\Pqpgdfnp.exe
                                                                                                                                                                                                                                      C:\Windows\system32\Pqpgdfnp.exe
                                                                                                                                                                                                                                      105⤵
                                                                                                                                                                                                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                      PID:5684
                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\Pdkcde32.exe
                                                                                                                                                                                                                                        C:\Windows\system32\Pdkcde32.exe
                                                                                                                                                                                                                                        106⤵
                                                                                                                                                                                                                                          PID:5728
                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\Pqbdjfln.exe
                                                                                                                                                                                                                                            C:\Windows\system32\Pqbdjfln.exe
                                                                                                                                                                                                                                            107⤵
                                                                                                                                                                                                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                            • Drops file in System32 directory
                                                                                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                            PID:5772
                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\Pfolbmje.exe
                                                                                                                                                                                                                                              C:\Windows\system32\Pfolbmje.exe
                                                                                                                                                                                                                                              108⤵
                                                                                                                                                                                                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                              • Modifies registry class
                                                                                                                                                                                                                                              PID:5816
                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\Pqdqof32.exe
                                                                                                                                                                                                                                                C:\Windows\system32\Pqdqof32.exe
                                                                                                                                                                                                                                                109⤵
                                                                                                                                                                                                                                                  PID:5860
                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\Pgnilpah.exe
                                                                                                                                                                                                                                                    C:\Windows\system32\Pgnilpah.exe
                                                                                                                                                                                                                                                    110⤵
                                                                                                                                                                                                                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                                    • Modifies registry class
                                                                                                                                                                                                                                                    PID:5904
                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\Qmkadgpo.exe
                                                                                                                                                                                                                                                      C:\Windows\system32\Qmkadgpo.exe
                                                                                                                                                                                                                                                      111⤵
                                                                                                                                                                                                                                                        PID:5948
                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\Qdbiedpa.exe
                                                                                                                                                                                                                                                          C:\Windows\system32\Qdbiedpa.exe
                                                                                                                                                                                                                                                          112⤵
                                                                                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                          PID:5992
                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\Qjoankoi.exe
                                                                                                                                                                                                                                                            C:\Windows\system32\Qjoankoi.exe
                                                                                                                                                                                                                                                            113⤵
                                                                                                                                                                                                                                                            • Drops file in System32 directory
                                                                                                                                                                                                                                                            PID:6036
                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\Qqijje32.exe
                                                                                                                                                                                                                                                              C:\Windows\system32\Qqijje32.exe
                                                                                                                                                                                                                                                              114⤵
                                                                                                                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                              PID:6080
                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\Qddfkd32.exe
                                                                                                                                                                                                                                                                C:\Windows\system32\Qddfkd32.exe
                                                                                                                                                                                                                                                                115⤵
                                                                                                                                                                                                                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                                                PID:6120
                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\Qgcbgo32.exe
                                                                                                                                                                                                                                                                  C:\Windows\system32\Qgcbgo32.exe
                                                                                                                                                                                                                                                                  116⤵
                                                                                                                                                                                                                                                                    PID:5152
                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\Anmjcieo.exe
                                                                                                                                                                                                                                                                      C:\Windows\system32\Anmjcieo.exe
                                                                                                                                                                                                                                                                      117⤵
                                                                                                                                                                                                                                                                      • Modifies registry class
                                                                                                                                                                                                                                                                      PID:5208
                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\Acjclpcf.exe
                                                                                                                                                                                                                                                                        C:\Windows\system32\Acjclpcf.exe
                                                                                                                                                                                                                                                                        118⤵
                                                                                                                                                                                                                                                                        • Modifies registry class
                                                                                                                                                                                                                                                                        PID:5284
                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\Ageolo32.exe
                                                                                                                                                                                                                                                                          C:\Windows\system32\Ageolo32.exe
                                                                                                                                                                                                                                                                          119⤵
                                                                                                                                                                                                                                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                                                          PID:5388
                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\Afhohlbj.exe
                                                                                                                                                                                                                                                                            C:\Windows\system32\Afhohlbj.exe
                                                                                                                                                                                                                                                                            120⤵
                                                                                                                                                                                                                                                                            • Drops file in System32 directory
                                                                                                                                                                                                                                                                            • Modifies registry class
                                                                                                                                                                                                                                                                            PID:5488
                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\Ajckij32.exe
                                                                                                                                                                                                                                                                              C:\Windows\system32\Ajckij32.exe
                                                                                                                                                                                                                                                                              121⤵
                                                                                                                                                                                                                                                                                PID:5560
                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\Ambgef32.exe
                                                                                                                                                                                                                                                                                  C:\Windows\system32\Ambgef32.exe
                                                                                                                                                                                                                                                                                  122⤵
                                                                                                                                                                                                                                                                                    PID:5648
                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\Aeiofcji.exe
                                                                                                                                                                                                                                                                                      C:\Windows\system32\Aeiofcji.exe
                                                                                                                                                                                                                                                                                      123⤵
                                                                                                                                                                                                                                                                                      • Drops file in System32 directory
                                                                                                                                                                                                                                                                                      PID:5720
                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\Agglboim.exe
                                                                                                                                                                                                                                                                                        C:\Windows\system32\Agglboim.exe
                                                                                                                                                                                                                                                                                        124⤵
                                                                                                                                                                                                                                                                                          PID:5800
                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\Ajfhnjhq.exe
                                                                                                                                                                                                                                                                                            C:\Windows\system32\Ajfhnjhq.exe
                                                                                                                                                                                                                                                                                            125⤵
                                                                                                                                                                                                                                                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                                                                            PID:5912
                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\Amddjegd.exe
                                                                                                                                                                                                                                                                                              C:\Windows\system32\Amddjegd.exe
                                                                                                                                                                                                                                                                                              126⤵
                                                                                                                                                                                                                                                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                                                                              PID:5980
                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\Aqppkd32.exe
                                                                                                                                                                                                                                                                                                C:\Windows\system32\Aqppkd32.exe
                                                                                                                                                                                                                                                                                                127⤵
                                                                                                                                                                                                                                                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                • Modifies registry class
                                                                                                                                                                                                                                                                                                PID:6116
                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\Acnlgp32.exe
                                                                                                                                                                                                                                                                                                  C:\Windows\system32\Acnlgp32.exe
                                                                                                                                                                                                                                                                                                  128⤵
                                                                                                                                                                                                                                                                                                  • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                  PID:5268
                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\Agjhgngj.exe
                                                                                                                                                                                                                                                                                                    C:\Windows\system32\Agjhgngj.exe
                                                                                                                                                                                                                                                                                                    129⤵
                                                                                                                                                                                                                                                                                                    • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                    • Modifies registry class
                                                                                                                                                                                                                                                                                                    PID:5404
                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\Ajhddjfn.exe
                                                                                                                                                                                                                                                                                                      C:\Windows\system32\Ajhddjfn.exe
                                                                                                                                                                                                                                                                                                      130⤵
                                                                                                                                                                                                                                                                                                      • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                      PID:5564
                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\Amgapeea.exe
                                                                                                                                                                                                                                                                                                        C:\Windows\system32\Amgapeea.exe
                                                                                                                                                                                                                                                                                                        131⤵
                                                                                                                                                                                                                                                                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                                                                                        • Modifies registry class
                                                                                                                                                                                                                                                                                                        PID:5696
                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\Aeniabfd.exe
                                                                                                                                                                                                                                                                                                          C:\Windows\system32\Aeniabfd.exe
                                                                                                                                                                                                                                                                                                          132⤵
                                                                                                                                                                                                                                                                                                          • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                          PID:5848
                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\Acqimo32.exe
                                                                                                                                                                                                                                                                                                            C:\Windows\system32\Acqimo32.exe
                                                                                                                                                                                                                                                                                                            133⤵
                                                                                                                                                                                                                                                                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                                                                                            PID:6008
                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\Aglemn32.exe
                                                                                                                                                                                                                                                                                                              C:\Windows\system32\Aglemn32.exe
                                                                                                                                                                                                                                                                                                              134⤵
                                                                                                                                                                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                              PID:5204
                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\Afoeiklb.exe
                                                                                                                                                                                                                                                                                                                C:\Windows\system32\Afoeiklb.exe
                                                                                                                                                                                                                                                                                                                135⤵
                                                                                                                                                                                                                                                                                                                  PID:5540
                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\Aminee32.exe
                                                                                                                                                                                                                                                                                                                    C:\Windows\system32\Aminee32.exe
                                                                                                                                                                                                                                                                                                                    136⤵
                                                                                                                                                                                                                                                                                                                      PID:5760
                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\Aepefb32.exe
                                                                                                                                                                                                                                                                                                                        C:\Windows\system32\Aepefb32.exe
                                                                                                                                                                                                                                                                                                                        137⤵
                                                                                                                                                                                                                                                                                                                        • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                        PID:5960
                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\Accfbokl.exe
                                                                                                                                                                                                                                                                                                                          C:\Windows\system32\Accfbokl.exe
                                                                                                                                                                                                                                                                                                                          138⤵
                                                                                                                                                                                                                                                                                                                          • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                          PID:5496
                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\Bjmnoi32.exe
                                                                                                                                                                                                                                                                                                                            C:\Windows\system32\Bjmnoi32.exe
                                                                                                                                                                                                                                                                                                                            139⤵
                                                                                                                                                                                                                                                                                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                            PID:5828
                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\Bfdodjhm.exe
                                                                                                                                                                                                                                                                                                                              C:\Windows\system32\Bfdodjhm.exe
                                                                                                                                                                                                                                                                                                                              140⤵
                                                                                                                                                                                                                                                                                                                              • Modifies registry class
                                                                                                                                                                                                                                                                                                                              PID:5440
                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\Bmngqdpj.exe
                                                                                                                                                                                                                                                                                                                                C:\Windows\system32\Bmngqdpj.exe
                                                                                                                                                                                                                                                                                                                                141⤵
                                                                                                                                                                                                                                                                                                                                  PID:5932
                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\Beeoaapl.exe
                                                                                                                                                                                                                                                                                                                                    C:\Windows\system32\Beeoaapl.exe
                                                                                                                                                                                                                                                                                                                                    142⤵
                                                                                                                                                                                                                                                                                                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                    • Modifies registry class
                                                                                                                                                                                                                                                                                                                                    PID:2300
                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\Bffkij32.exe
                                                                                                                                                                                                                                                                                                                                      C:\Windows\system32\Bffkij32.exe
                                                                                                                                                                                                                                                                                                                                      143⤵
                                                                                                                                                                                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                      PID:1028
                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\Bcjlcn32.exe
                                                                                                                                                                                                                                                                                                                                        C:\Windows\system32\Bcjlcn32.exe
                                                                                                                                                                                                                                                                                                                                        144⤵
                                                                                                                                                                                                                                                                                                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                                                                                                                        • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                        PID:4696
                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\Bnpppgdj.exe
                                                                                                                                                                                                                                                                                                                                          C:\Windows\system32\Bnpppgdj.exe
                                                                                                                                                                                                                                                                                                                                          145⤵
                                                                                                                                                                                                                                                                                                                                            PID:5976
                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\Beihma32.exe
                                                                                                                                                                                                                                                                                                                                              C:\Windows\system32\Beihma32.exe
                                                                                                                                                                                                                                                                                                                                              146⤵
                                                                                                                                                                                                                                                                                                                                                PID:5372
                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\Bclhhnca.exe
                                                                                                                                                                                                                                                                                                                                                  C:\Windows\system32\Bclhhnca.exe
                                                                                                                                                                                                                                                                                                                                                  147⤵
                                                                                                                                                                                                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                  PID:2676
                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\Bjfaeh32.exe
                                                                                                                                                                                                                                                                                                                                                    C:\Windows\system32\Bjfaeh32.exe
                                                                                                                                                                                                                                                                                                                                                    148⤵
                                                                                                                                                                                                                                                                                                                                                      PID:6172
                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\Bnbmefbg.exe
                                                                                                                                                                                                                                                                                                                                                        C:\Windows\system32\Bnbmefbg.exe
                                                                                                                                                                                                                                                                                                                                                        149⤵
                                                                                                                                                                                                                                                                                                                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                                                                                                                                        PID:6216
                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\Bapiabak.exe
                                                                                                                                                                                                                                                                                                                                                          C:\Windows\system32\Bapiabak.exe
                                                                                                                                                                                                                                                                                                                                                          150⤵
                                                                                                                                                                                                                                                                                                                                                            PID:6260
                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\Bcoenmao.exe
                                                                                                                                                                                                                                                                                                                                                              C:\Windows\system32\Bcoenmao.exe
                                                                                                                                                                                                                                                                                                                                                              151⤵
                                                                                                                                                                                                                                                                                                                                                                PID:6304
                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\Cfmajipb.exe
                                                                                                                                                                                                                                                                                                                                                                  C:\Windows\system32\Cfmajipb.exe
                                                                                                                                                                                                                                                                                                                                                                  152⤵
                                                                                                                                                                                                                                                                                                                                                                    PID:6348
                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\Cndikf32.exe
                                                                                                                                                                                                                                                                                                                                                                      C:\Windows\system32\Cndikf32.exe
                                                                                                                                                                                                                                                                                                                                                                      153⤵
                                                                                                                                                                                                                                                                                                                                                                        PID:6392
                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\Cenahpha.exe
                                                                                                                                                                                                                                                                                                                                                                          C:\Windows\system32\Cenahpha.exe
                                                                                                                                                                                                                                                                                                                                                                          154⤵
                                                                                                                                                                                                                                                                                                                                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                                                                                                                                                          PID:6440
                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\Chmndlge.exe
                                                                                                                                                                                                                                                                                                                                                                            C:\Windows\system32\Chmndlge.exe
                                                                                                                                                                                                                                                                                                                                                                            155⤵
                                                                                                                                                                                                                                                                                                                                                                            • Modifies registry class
                                                                                                                                                                                                                                                                                                                                                                            PID:6488
                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\Cjkjpgfi.exe
                                                                                                                                                                                                                                                                                                                                                                              C:\Windows\system32\Cjkjpgfi.exe
                                                                                                                                                                                                                                                                                                                                                                              156⤵
                                                                                                                                                                                                                                                                                                                                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                                                                                                                                                              PID:6532
                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\Caebma32.exe
                                                                                                                                                                                                                                                                                                                                                                                C:\Windows\system32\Caebma32.exe
                                                                                                                                                                                                                                                                                                                                                                                157⤵
                                                                                                                                                                                                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                PID:6576
                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\Cdcoim32.exe
                                                                                                                                                                                                                                                                                                                                                                                  C:\Windows\system32\Cdcoim32.exe
                                                                                                                                                                                                                                                                                                                                                                                  158⤵
                                                                                                                                                                                                                                                                                                                                                                                  • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                                                                  PID:6616
                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\Chokikeb.exe
                                                                                                                                                                                                                                                                                                                                                                                    C:\Windows\system32\Chokikeb.exe
                                                                                                                                                                                                                                                                                                                                                                                    159⤵
                                                                                                                                                                                                                                                                                                                                                                                    • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                                                                    PID:6660
                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\Cnicfe32.exe
                                                                                                                                                                                                                                                                                                                                                                                      C:\Windows\system32\Cnicfe32.exe
                                                                                                                                                                                                                                                                                                                                                                                      160⤵
                                                                                                                                                                                                                                                                                                                                                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                                                                                                                                                                      • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                                                                      PID:6704
                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\Cagobalc.exe
                                                                                                                                                                                                                                                                                                                                                                                        C:\Windows\system32\Cagobalc.exe
                                                                                                                                                                                                                                                                                                                                                                                        161⤵
                                                                                                                                                                                                                                                                                                                                                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                        PID:6752
                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\Ceckcp32.exe
                                                                                                                                                                                                                                                                                                                                                                                          C:\Windows\system32\Ceckcp32.exe
                                                                                                                                                                                                                                                                                                                                                                                          162⤵
                                                                                                                                                                                                                                                                                                                                                                                          • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                          • Modifies registry class
                                                                                                                                                                                                                                                                                                                                                                                          PID:6796
                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\Chagok32.exe
                                                                                                                                                                                                                                                                                                                                                                                            C:\Windows\system32\Chagok32.exe
                                                                                                                                                                                                                                                                                                                                                                                            163⤵
                                                                                                                                                                                                                                                                                                                                                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                                                                                                                                                                            PID:6840
                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\Cjpckf32.exe
                                                                                                                                                                                                                                                                                                                                                                                              C:\Windows\system32\Cjpckf32.exe
                                                                                                                                                                                                                                                                                                                                                                                              164⤵
                                                                                                                                                                                                                                                                                                                                                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                              PID:6884
                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\Cmnpgb32.exe
                                                                                                                                                                                                                                                                                                                                                                                                C:\Windows\system32\Cmnpgb32.exe
                                                                                                                                                                                                                                                                                                                                                                                                165⤵
                                                                                                                                                                                                                                                                                                                                                                                                • Modifies registry class
                                                                                                                                                                                                                                                                                                                                                                                                PID:6928
                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\Ceehho32.exe
                                                                                                                                                                                                                                                                                                                                                                                                  C:\Windows\system32\Ceehho32.exe
                                                                                                                                                                                                                                                                                                                                                                                                  166⤵
                                                                                                                                                                                                                                                                                                                                                                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                                                                                                                                                                                  PID:6972
                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\Chcddk32.exe
                                                                                                                                                                                                                                                                                                                                                                                                    C:\Windows\system32\Chcddk32.exe
                                                                                                                                                                                                                                                                                                                                                                                                    167⤵
                                                                                                                                                                                                                                                                                                                                                                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                                                                                                                                                                                    • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                    • Modifies registry class
                                                                                                                                                                                                                                                                                                                                                                                                    PID:7016
                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\Cffdpghg.exe
                                                                                                                                                                                                                                                                                                                                                                                                      C:\Windows\system32\Cffdpghg.exe
                                                                                                                                                                                                                                                                                                                                                                                                      168⤵
                                                                                                                                                                                                                                                                                                                                                                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                      PID:7060
                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\Cmqmma32.exe
                                                                                                                                                                                                                                                                                                                                                                                                        C:\Windows\system32\Cmqmma32.exe
                                                                                                                                                                                                                                                                                                                                                                                                        169⤵
                                                                                                                                                                                                                                                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                        PID:7104
                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\Calhnpgn.exe
                                                                                                                                                                                                                                                                                                                                                                                                          C:\Windows\system32\Calhnpgn.exe
                                                                                                                                                                                                                                                                                                                                                                                                          170⤵
                                                                                                                                                                                                                                                                                                                                                                                                          • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                          PID:7148
                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\Ddjejl32.exe
                                                                                                                                                                                                                                                                                                                                                                                                            C:\Windows\system32\Ddjejl32.exe
                                                                                                                                                                                                                                                                                                                                                                                                            171⤵
                                                                                                                                                                                                                                                                                                                                                                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                                                                                                                                                                                            • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                                                                                            • Modifies registry class
                                                                                                                                                                                                                                                                                                                                                                                                            PID:6168
                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\Djdmffnn.exe
                                                                                                                                                                                                                                                                                                                                                                                                              C:\Windows\system32\Djdmffnn.exe
                                                                                                                                                                                                                                                                                                                                                                                                              172⤵
                                                                                                                                                                                                                                                                                                                                                                                                                PID:6244
                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\Dopigd32.exe
                                                                                                                                                                                                                                                                                                                                                                                                                  C:\Windows\system32\Dopigd32.exe
                                                                                                                                                                                                                                                                                                                                                                                                                  173⤵
                                                                                                                                                                                                                                                                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                  PID:6312
                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\Danecp32.exe
                                                                                                                                                                                                                                                                                                                                                                                                                    C:\Windows\system32\Danecp32.exe
                                                                                                                                                                                                                                                                                                                                                                                                                    174⤵
                                                                                                                                                                                                                                                                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                    • Modifies registry class
                                                                                                                                                                                                                                                                                                                                                                                                                    PID:6388
                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\Ddmaok32.exe
                                                                                                                                                                                                                                                                                                                                                                                                                      C:\Windows\system32\Ddmaok32.exe
                                                                                                                                                                                                                                                                                                                                                                                                                      175⤵
                                                                                                                                                                                                                                                                                                                                                                                                                        PID:6452
                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\Dfknkg32.exe
                                                                                                                                                                                                                                                                                                                                                                                                                          C:\Windows\system32\Dfknkg32.exe
                                                                                                                                                                                                                                                                                                                                                                                                                          176⤵
                                                                                                                                                                                                                                                                                                                                                                                                                          • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                          PID:6516
                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\Dobfld32.exe
                                                                                                                                                                                                                                                                                                                                                                                                                            C:\Windows\system32\Dobfld32.exe
                                                                                                                                                                                                                                                                                                                                                                                                                            177⤵
                                                                                                                                                                                                                                                                                                                                                                                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                                                                                                                                                                                                            PID:6584
                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\Dmefhako.exe
                                                                                                                                                                                                                                                                                                                                                                                                                              C:\Windows\system32\Dmefhako.exe
                                                                                                                                                                                                                                                                                                                                                                                                                              178⤵
                                                                                                                                                                                                                                                                                                                                                                                                                              • Modifies registry class
                                                                                                                                                                                                                                                                                                                                                                                                                              PID:6640
                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\Ddonekbl.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                C:\Windows\system32\Ddonekbl.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                179⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                                                                                                                PID:6720
                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\Dfnjafap.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                  C:\Windows\system32\Dfnjafap.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                  180⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                                                                                                                                                                                                                  • Modifies registry class
                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:6788
                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\Dmgbnq32.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                    C:\Windows\system32\Dmgbnq32.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                    181⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:6876
                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\Ddakjkqi.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                      C:\Windows\system32\Ddakjkqi.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                      182⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                      • Modifies registry class
                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:6912
                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\Dkkcge32.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                        C:\Windows\system32\Dkkcge32.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                        183⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                        • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                                                                                                                        • Modifies registry class
                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:7004
                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\Dmjocp32.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                          C:\Windows\system32\Dmjocp32.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                          184⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                                                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:7076
                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\Deagdn32.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                            C:\Windows\system32\Deagdn32.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                            185⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                            • Modifies registry class
                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:7156
                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\Dhocqigp.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                              C:\Windows\system32\Dhocqigp.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                              186⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                              • Modifies registry class
                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:6228
                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\Dgbdlf32.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                C:\Windows\system32\Dgbdlf32.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                187⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                • Modifies registry class
                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:6336
                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\Dmllipeg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                  C:\Windows\system32\Dmllipeg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                  188⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:6356
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                    C:\Windows\SysWOW64\WerFault.exe -u -p 6356 -s 212
                                                                                                                                                                                                                                                                                                                                                                                                                                                    189⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Program crash
                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:6736
                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                            C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 6356 -ip 6356
                                                            1⤵
                                                              PID:6636

                                                            Network

                                                                  MITRE ATT&CK Enterprise v15

                                                                  Replay Monitor

                                                                  Loading Replay Monitor...

                                                                  Downloads

                                                                  • C:\Windows\SysWOW64\Afoeiklb.exe

                                                                    Filesize

                                                                    64KB

                                                                    MD5

                                                                    8c4fee2a9d795d0c8844bff2655e3953

                                                                    SHA1

                                                                    4d237da96820ace0c0da7f02ee0f447f7014ae8b

                                                                    SHA256

                                                                    6b06a67b793ec11feeec8ba9387d8fab5ff29e6083b541e7653ef7e314cd9b37

                                                                    SHA512

                                                                    737b9d0d5dc7ed952aac22fbae3acc55727916fdb50c044940627e3975163632bddb45ce59daf44e40d3447ced800fcbf932c053a72448a52ac78a215c4974c7

                                                                  • C:\Windows\SysWOW64\Bclhhnca.exe

                                                                    Filesize

                                                                    64KB

                                                                    MD5

                                                                    4ec351167c53ba1b19f7c9ba28863d9b

                                                                    SHA1

                                                                    ab90af264f1d2c64f04ad399e58a406bc2a42688

                                                                    SHA256

                                                                    653aabf436d3d4fbb0be7dd30dc4b42610afade3e5feee4d7068a51fc2c2011f

                                                                    SHA512

                                                                    d8ec0e602a9d10fbf197be55587f27c835f0c3fe46c4805e6d4174ba279ab23b0cdf912402cf4bbf2013852ac5cfe3a31617506243d9e9a1b4292a3c33293edd

                                                                  • C:\Windows\SysWOW64\Bffkij32.exe

                                                                    Filesize

                                                                    64KB

                                                                    MD5

                                                                    fc5e7d25bad43bb26a80a9d20054c8f0

                                                                    SHA1

                                                                    671f106a8f5c3094a640141de25f723c26612806

                                                                    SHA256

                                                                    b2a9beffecba836c8c831683033f1fc5a816f1542ecf917f0390705b2cd4bf44

                                                                    SHA512

                                                                    d01b85b56291fad8a80cf7ab78c8a702069f277c1c86dc7959f1921fc67c82735769f89e96ff1f78aa68180d826bed4150457d61081cce9ff6a05133690b4a60

                                                                  • C:\Windows\SysWOW64\Bjmnoi32.exe

                                                                    Filesize

                                                                    64KB

                                                                    MD5

                                                                    60db3def1e8e7386d684dedbeef4c19e

                                                                    SHA1

                                                                    a6940fd2773fe52084083fcddc3fbe2b58921843

                                                                    SHA256

                                                                    29941c21fca92e1442384c241fe0afcba2da217fad7c649719f9207449efb077

                                                                    SHA512

                                                                    6703be2b020de4c5eb76fc40b99087615e646ceb6e3b2d62b6d0f0a507658a9ba159e70c4941413e56e73f3546973b68f0422282c4cb12375f893bfca78487b9

                                                                  • C:\Windows\SysWOW64\Bnbmefbg.exe

                                                                    Filesize

                                                                    64KB

                                                                    MD5

                                                                    688f799d56b6d5dcf7522d6d116e3140

                                                                    SHA1

                                                                    609ec9bc81d097acbf571261640d57cf566fad53

                                                                    SHA256

                                                                    254ecacdc2ea5cdab9df362d821ffd5ae2640d729ee4421390ac287c9673b552

                                                                    SHA512

                                                                    249ff2226c6e76e6498e1837c10855d6042109bdcf350f30f1795e12a0da49e921ec4e1d83a571ea05f7bbf291d34f92aa63028bf0d0145cba890d15329d4c9f

                                                                  • C:\Windows\SysWOW64\Cagobalc.exe

                                                                    Filesize

                                                                    64KB

                                                                    MD5

                                                                    35e04febab263a85968795256aebe6b5

                                                                    SHA1

                                                                    42bb5de2592ac85278878b344e729b75a57bc2de

                                                                    SHA256

                                                                    daad944fe9aa7e9a08c16be851a23bf68dfb791d7954bd3ae7e88ab6c2a92365

                                                                    SHA512

                                                                    2f738b857aa923cfc1a754675e433a7c60d9c7a80422578c6da11c7c09e1380b5b5709730da3d9d5f316de113cafb881f52933d776dcd887c6d01d351f592977

                                                                  • C:\Windows\SysWOW64\Cdcoim32.exe

                                                                    Filesize

                                                                    64KB

                                                                    MD5

                                                                    cca5aa2c23cc98261c94db755dbd5e85

                                                                    SHA1

                                                                    9813b8a919ec2e530e02fa018554af9da4a835eb

                                                                    SHA256

                                                                    62f91e2aa4caa2bcd8cb4e8408b369d14dba954950aec63caebeb25ebfb7be6a

                                                                    SHA512

                                                                    90b4da68c462001fe777300e8f9a1a9d3384400671d7adac1492794ef6c7eabfb12f553ea179c91319437fcd08ba65bf4b9781847750f658c2039c01fa62a895

                                                                  • C:\Windows\SysWOW64\Cmnpgb32.exe

                                                                    Filesize

                                                                    64KB

                                                                    MD5

                                                                    3f1dc9f9ddf5a3545bb3c30e56668ff4

                                                                    SHA1

                                                                    d9e3104c07076934ba8554bf79f7219d60371058

                                                                    SHA256

                                                                    576fb9d6ba5736d621b671bd54d891ea6b909513597d46017b5d8a97065c3bb2

                                                                    SHA512

                                                                    98f38d84bd6bb76d8c9cad378971f114583130db27f07a79f5edd6e7452f5397359ef766d9e6415422350672e6a0e2f29746ebffbcedb49382f64ddea2d5e3d9

                                                                  • C:\Windows\SysWOW64\Danecp32.exe

                                                                    Filesize

                                                                    64KB

                                                                    MD5

                                                                    7fbc0aec169dfa3ba952f84458ecef09

                                                                    SHA1

                                                                    71d3da64b380e16ae277c215981b4c067b73c5b9

                                                                    SHA256

                                                                    7d1c0184cfcd158288c8830d485cc2916c5f63b650dbdb0d45a5050e301a59ee

                                                                    SHA512

                                                                    bb9157be0dfcd4527c8ea1605d325d86939571ca51927887ffa414965f764b70748b8e61e9ab191e47254bed15f2c9bb78231d47c4305f2656cb067bc6f6e63e

                                                                  • C:\Windows\SysWOW64\Ddjejl32.exe

                                                                    Filesize

                                                                    64KB

                                                                    MD5

                                                                    e5d2c921f060808e115c33e097dca223

                                                                    SHA1

                                                                    164f192bf9ae2c98f194420ea959eaaef74ab7ed

                                                                    SHA256

                                                                    58a3211b9a4e3636d7399735433b6305c425c4f2e1baefb699e108c7d689bf8d

                                                                    SHA512

                                                                    58094b9d9a561370c56759f56b652c946362f605457149a2cbfe6460a802bf908a74b4951253c1713dc42156cfb6f2ae002f6fe013606d62a245c338443a60ca

                                                                  • C:\Windows\SysWOW64\Ddonekbl.exe

                                                                    Filesize

                                                                    64KB

                                                                    MD5

                                                                    fa587aeea5439dd3f9feb7571b3c5589

                                                                    SHA1

                                                                    6ad54409bccdbc309784b248b6e95bbe646d1030

                                                                    SHA256

                                                                    258d7ffe6d33631cbae2799d388481586d40924292e9f5ba7d332362518cddec

                                                                    SHA512

                                                                    99c785677e9d9b635badf28043a049b38bed4c0cb53e331f2010bc7ab0914dcda1021080645c27bc86c529dc21d51baaa20785510ea5a7f854c9b0bc7e36fa2f

                                                                  • C:\Windows\SysWOW64\Deagdn32.exe

                                                                    Filesize

                                                                    64KB

                                                                    MD5

                                                                    289b6ae495bf82eac010edc59bc32c7f

                                                                    SHA1

                                                                    2bdf431ab4c2e937780b11c21912565f845c5104

                                                                    SHA256

                                                                    68e961be3a90864f63eb4baf265544ae7f045d0a577769ffa83a3979133b8ae5

                                                                    SHA512

                                                                    416fe5f5652fe01c91b9273831815b4398d4fa6c5d9c288fcd416718edb759bf57e5f675aac3affa53e1109ab430eb51f230b35b057849389127d737a575ba80

                                                                  • C:\Windows\SysWOW64\Dkkcge32.exe

                                                                    Filesize

                                                                    64KB

                                                                    MD5

                                                                    73d35aa97401bafc46f33a96e669022d

                                                                    SHA1

                                                                    2a4c323b286991afb505ff73ed009fd18fe72195

                                                                    SHA256

                                                                    8e2fbb0f2ea6529ca7ac468f889b78c1f6dd21c648795d670bffd267a71df3a0

                                                                    SHA512

                                                                    0b3804b91b4234018d845230e27fd0184972a893f8fd45f1132668c19404c6dd1535a61a656e61036fdb2625a3f16918906d684c2d0330236679320a8c66b366

                                                                  • C:\Windows\SysWOW64\Dmllipeg.exe

                                                                    Filesize

                                                                    64KB

                                                                    MD5

                                                                    c37d53d41335c1d0fada3e18a0b1ae66

                                                                    SHA1

                                                                    3c9da77031a8613396c7eff08251f377a4b2a64b

                                                                    SHA256

                                                                    e09cdd778f29dde85110c2f9322cfa726429f446756053c2869126e9b000d0a9

                                                                    SHA512

                                                                    1b945686ffb25929a2ca689da9cc415663a53aa6994d6b04b40aff0bdb657471d4990ef2c1d8d2b006ae36ffeca20788119f6afc2d4e886d033d6bdbba9bb4dc

                                                                  • C:\Windows\SysWOW64\Jbjcolha.exe

                                                                    Filesize

                                                                    64KB

                                                                    MD5

                                                                    f5f6c247056ca304ee36d927464921d6

                                                                    SHA1

                                                                    53e80824b2e400544186e82302af1529f0e9ff39

                                                                    SHA256

                                                                    0b2951b81e5ab4e9149dcaf1c84ce077355d37432a6ab44dda71a61924f20e4c

                                                                    SHA512

                                                                    8d7efe4d98ce1b37911552983bf741a2656628c6a2d873e805990d90067283b29ccb396160577691701ec1ed6138afa2da4da631cd58936eab0298107f8449ad

                                                                  • C:\Windows\SysWOW64\Jcioiood.exe

                                                                    Filesize

                                                                    64KB

                                                                    MD5

                                                                    cd0cb0cdaf3c1f6537b6be2efe0d0e1d

                                                                    SHA1

                                                                    290530a3f40fa25283c45bbc0954cca04fb76338

                                                                    SHA256

                                                                    2fac291a74e56826be860662078ad19c1a3c8c265e5c1b3c4af16c548b541406

                                                                    SHA512

                                                                    d5d0161c9c09c3cb0962374863692056e6c34830124ff9f5ee96f539eb70da1dd84cf853d55e8ede5f858c9dc704a0a4882fe0519616e4fc9a8e8afbffb8113f

                                                                  • C:\Windows\SysWOW64\Jfhlejnh.exe

                                                                    Filesize

                                                                    64KB

                                                                    MD5

                                                                    ab7382c204db9be213ae840a250feeed

                                                                    SHA1

                                                                    2b0c449c3c59f2433f25b0fd39a921e9f3f0a802

                                                                    SHA256

                                                                    2a22555730badb825e61b1f8a4dae51b3e13b4bddf90d9ab3dfdeff86a6e72b8

                                                                    SHA512

                                                                    1bf2abd853c6c41e612a5c6879cfee2b899937a661808de07f1ef20398976471827df6261f3fc96fc63a758d526a8c3395f9246b895ad5cb87bc9ad02d45291a

                                                                  • C:\Windows\SysWOW64\Jidklf32.exe

                                                                    Filesize

                                                                    64KB

                                                                    MD5

                                                                    9d665a219955a1a3fa40862b2e8382d4

                                                                    SHA1

                                                                    907201330f61487bc1ac2d9b8401914116804df3

                                                                    SHA256

                                                                    b4db9f77a09123b0d740cf88211aa6caafca1c2e01805c8a4bf86f3cee331aeb

                                                                    SHA512

                                                                    7303caa607881a466c228429ac26aa0f0248f3567d88324831a6ba90a6f9a749786d96cb263748166c300a00b1748ea908a0faa8e249148a83583e39f312c730

                                                                  • C:\Windows\SysWOW64\Jifhaenk.exe

                                                                    Filesize

                                                                    64KB

                                                                    MD5

                                                                    63843a6318f33d22f892c1dd6c59107f

                                                                    SHA1

                                                                    e166895b9ba2c2ab7e1e53a750f1edde3ee2e2ef

                                                                    SHA256

                                                                    f01ed5dab13fc1d0a6575a903783046bf72e7775e4f21d087f95d11a7637aafb

                                                                    SHA512

                                                                    0649a3511639da8f028a22ebcce2d9541fdda9022b284eebf7fb357a3bb8d4057b6bc0d2309422d097ce1c269fb9e2860b4ea0ce4ad7532682748e607fa7eb43

                                                                  • C:\Windows\SysWOW64\Jlbgha32.exe

                                                                    Filesize

                                                                    64KB

                                                                    MD5

                                                                    dddb79170e9cddfca1aabf3e33ae961d

                                                                    SHA1

                                                                    53ac030bcf3924a07b8ab2ad150e9c3ddddc8bdb

                                                                    SHA256

                                                                    0d578b4d8ec5d44c0208721daa5e16b163c05c52391759a6a5bd08a6b30fe571

                                                                    SHA512

                                                                    a13f479f13bcea10885267b2fe330f94277025a46c93bfe6cef1119cd75d55d5186a2fc5c928007b68ba93d276f81b0b955e36b93ba5bb41ba019ff6d546e8a2

                                                                  • C:\Windows\SysWOW64\Jmmjgejj.exe

                                                                    Filesize

                                                                    64KB

                                                                    MD5

                                                                    1a897987dbfdd24eda58440d0cbd4fe8

                                                                    SHA1

                                                                    8320b3890ea36b79cca40503f2f072a5e477d518

                                                                    SHA256

                                                                    5fa3671077a5e34f02fb4d0108f8805b066816d95d6000aefab942fd47d84931

                                                                    SHA512

                                                                    0620bc1a3504cdeee80a98829ab8c1b4f7919168d08764ca7272d381a9cd04df6aa190a8d8e21166becaa182f80910c00226f7ed64f291865af856f48434c582

                                                                  • C:\Windows\SysWOW64\Jplfcpin.exe

                                                                    Filesize

                                                                    64KB

                                                                    MD5

                                                                    e9245ebb26a363c400aed64bff0f6071

                                                                    SHA1

                                                                    949ef820b7602a989fe1bc12a7bb675a85913d2f

                                                                    SHA256

                                                                    a3517a9734f60efff524e3af5d78f91d9dbbecac7cc2d16cd458f5a0d28c5543

                                                                    SHA512

                                                                    d2cabb31be6313ce4ed169ae6b3a4ead9bf46c886dbb6f4a2189f9954ddea186115c9ee56bb3a8bac83baf576912048c7dbcabdf6dd76eff42429315292b4cc7

                                                                  • C:\Windows\SysWOW64\Jpppnp32.exe

                                                                    Filesize

                                                                    64KB

                                                                    MD5

                                                                    6109e8d197477702df2c180d1ecc39f1

                                                                    SHA1

                                                                    c9d55b244f0c2b5ed4c2bff630f5fa62638e6f43

                                                                    SHA256

                                                                    8114c7b0fd4503bbe616156bba9cdc3fbf9b489b217bd0b2c4275c97b1f17d31

                                                                    SHA512

                                                                    47899a61a1cb6f7ff7d5823602a931d31c815a544c1762bdfc3375a091e3a433715e70f1003af06598a071c04c23d809bd1bc4e430bdb7a180d5f8885d4d72d9

                                                                  • C:\Windows\SysWOW64\Kboljk32.exe

                                                                    Filesize

                                                                    64KB

                                                                    MD5

                                                                    d61280f5f1b5870e4ad08d86d6c42ec0

                                                                    SHA1

                                                                    dae200b604bffb8e63af8791dd6e0052fc483f84

                                                                    SHA256

                                                                    330da6e5d0a97a012ba475e0519b52c2b8d8b52e7c261121cead88ae2026f602

                                                                    SHA512

                                                                    1e542436188c8b6bb768f6d9e64d91b966d6be1481c1ddb468eefd9cb50768faa1f7ba306780812e930ed3d2960e8ef6a2f36e455ac215accd7d1a8f21b3cbdf

                                                                  • C:\Windows\SysWOW64\Kdcbom32.exe

                                                                    Filesize

                                                                    64KB

                                                                    MD5

                                                                    2a75f7111bdfca29f556e4f5a0811b3c

                                                                    SHA1

                                                                    cc99cccc54949c32ced40eefe561714eda51ba82

                                                                    SHA256

                                                                    cf3c11d89c99c08cadb8b78bdb280f04ae4a32e9a51fb81567b9ca17ad83c153

                                                                    SHA512

                                                                    4dd37c0bd09e4d1f19ab60426907f1d513b8d46a2489d99f8ac2c4f95a4d05d125d3f58800eed8aa0e03af7f77655101aca7e5a45eb0176ace73a92baec2f27c

                                                                  • C:\Windows\SysWOW64\Kdgljmcd.exe

                                                                    Filesize

                                                                    64KB

                                                                    MD5

                                                                    0940685461d3800839b194a04adbee01

                                                                    SHA1

                                                                    2a8658b1358493065d2c762bfdf9e915af89ab11

                                                                    SHA256

                                                                    b5d57218c9dca3fd99806670eb5c467d0ce68c39b03b1e0491ccd024a1bf817e

                                                                    SHA512

                                                                    8fa91a590fc3b191414556aaf48d3893f048485e7898dc3277886dbc4b0e6770f3b54a2e172fceede9cc19dac3765505193e500b2f795e194429c5001bc6db86

                                                                  • C:\Windows\SysWOW64\Kdnidn32.exe

                                                                    Filesize

                                                                    64KB

                                                                    MD5

                                                                    fc4ae82df4fbfc30fb28f19bae258861

                                                                    SHA1

                                                                    3bce54ebcb17a80497ad970b9cb651ed2f7d83f9

                                                                    SHA256

                                                                    a3ffd281d95d6e177342b89a9c0c57f7d6315b239c2f000baf209a1e79e07fac

                                                                    SHA512

                                                                    a3a19bfea6de61aeccb8c52d1386c7c314b9cb1fa1b6df7ad480cbb5b6064e05f5c521fba55d8ae90877c555a182c3b4dab04f15a0a53cbf7d47cb030aac6f60

                                                                  • C:\Windows\SysWOW64\Kdqejn32.exe

                                                                    Filesize

                                                                    64KB

                                                                    MD5

                                                                    be54c4b5d5a4030d3513334d8655ca77

                                                                    SHA1

                                                                    9836865cb3cc86c7876d3f8030bd7794eba652a9

                                                                    SHA256

                                                                    742c5accd6fea297f0ca2b66a3b260223b1c9f54961032a5d448e1e2d7dbbc88

                                                                    SHA512

                                                                    a78301efd60abc78c705d3b6c452e617631fed044710bdb044d78f5be97c9d616d3a7895b29620ca7c10835e639990fa5f30780b39c7bb536f6a9f7830286b7c

                                                                  • C:\Windows\SysWOW64\Kebbafoj.exe

                                                                    Filesize

                                                                    64KB

                                                                    MD5

                                                                    5f63b604aa7887d029afd7493096ad22

                                                                    SHA1

                                                                    716c105f24ce4149bc73d83b20bd092ab21fd112

                                                                    SHA256

                                                                    97803d2050a0f3dca9c3121d4f999c605e1d4e432ca3d21ce93c137637858e00

                                                                    SHA512

                                                                    e79dda5cfcd5900efc1e2f25af8282c70fe187bbc97f16ea549ca80575226cf954319e649085a9d772edf0c8734bd80d918d3810e6b5797702e27571c36eea9c

                                                                  • C:\Windows\SysWOW64\Kfankifm.exe

                                                                    Filesize

                                                                    64KB

                                                                    MD5

                                                                    ba822ba8b2f5a24e70a8a336556074b4

                                                                    SHA1

                                                                    f9212e277d26e01813f0f6aabe0cd3d18970b782

                                                                    SHA256

                                                                    4f9416414c3403d7d57d6456104e9f13beed6615f7381caffdc354efd2c4385d

                                                                    SHA512

                                                                    2a88df6ebc475e042b3fe2b86642106ae342fe4629b319269ec3597e28cb986071cfa5f17ea4a9b0f239b785c29861b49fc29200fc30119f67dfaec50bb8822a

                                                                  • C:\Windows\SysWOW64\Kfckahdj.exe

                                                                    Filesize

                                                                    64KB

                                                                    MD5

                                                                    cf379760a40f72ca3c43e128414bcd86

                                                                    SHA1

                                                                    324d917cb84d3752a52c732534ce3b067a9537dd

                                                                    SHA256

                                                                    cf337c1eee445d0d05298a3c224247e1c9f21ade7ddc7d6de93745577c0bf87b

                                                                    SHA512

                                                                    41300fb5f36ab74db76f4a0ae4fb3b7d592911b3c14dffc1d1dda6493ab143191bc38bcc5824205410c3a2de806f015d380be05f880deafb0c3d68bc6aecf035

                                                                  • C:\Windows\SysWOW64\Kfmepi32.exe

                                                                    Filesize

                                                                    64KB

                                                                    MD5

                                                                    3fd7d1041752ed8740153e3c11520fba

                                                                    SHA1

                                                                    c8c887f210725152988f38351f1381f23abe0f58

                                                                    SHA256

                                                                    7f6f79c91b5985369295b1a4123e976a2091ea3f9449224f6f27911e1177904d

                                                                    SHA512

                                                                    cc4a8b15038f56753c7ceb30a594f093979057e024715af9862979c0b17c18e883a28b5e4c06da0864338df7d19bde10f9da12edce4d3b51744254dff7ea1382

                                                                  • C:\Windows\SysWOW64\Kibgmdcn.exe

                                                                    Filesize

                                                                    64KB

                                                                    MD5

                                                                    de9fb1f0ff6467531488578904942300

                                                                    SHA1

                                                                    a61686c8e7dcbcd862f6c3d2ec701cca1aad3206

                                                                    SHA256

                                                                    d48f218093d1f6ce8fca90d79fe48c4988b7a321ac7ff1175bbec9d8aee86b59

                                                                    SHA512

                                                                    6e850ead2b4910fecc97058c0ee823e7441ed3f48cacb98bca2defb3b152667adab8ff6f807d733f635d7fce660fa130baa64b64ad8676b760bb6dcb46699c39

                                                                  • C:\Windows\SysWOW64\Kiidgeki.exe

                                                                    Filesize

                                                                    64KB

                                                                    MD5

                                                                    ffcfb99f893bb56886a1226452911ca1

                                                                    SHA1

                                                                    d211f358efb52db385730bbefa93ec0f54d46f8e

                                                                    SHA256

                                                                    c9c13fd9c1d6dfdf5ce91390d2355c1430431242be58af4337afd573258018f7

                                                                    SHA512

                                                                    9ad82be89348fe5b776bac2d7b0a60b0fdfa33069a363ce436a1a51a77498bedadcf7213eb4aab75ebc17e4e8beb9bcf4a446445c694c12464f36260452520c1

                                                                  • C:\Windows\SysWOW64\Kikame32.exe

                                                                    Filesize

                                                                    64KB

                                                                    MD5

                                                                    0de51197f5bba1f96f5b5aee9d371167

                                                                    SHA1

                                                                    e1e5f25cb66240907f521575d06db9499a4439c0

                                                                    SHA256

                                                                    01845d254d00af47235acc7c0ad6d9a1548a1610179c4b1bec952b56f3902849

                                                                    SHA512

                                                                    5e1c36a1f75e309c69372166573fc2d4eb58a50f98e98f5473ba18fb6579333dd32aae2b6c5c7cf152d60bbe203cc655b274d69f4ed73838b9238e3aa42fec93

                                                                  • C:\Windows\SysWOW64\Kipkhdeq.exe

                                                                    Filesize

                                                                    64KB

                                                                    MD5

                                                                    c9b2540d4aef5669024ff6b4aa8b32d7

                                                                    SHA1

                                                                    d6fb0256fb20061958c3493abffc5713797a797b

                                                                    SHA256

                                                                    64a6cf433d59b3cacb1cba12a85af00cc6af693f86797b362cee418004cbb0ba

                                                                    SHA512

                                                                    4a11be2d76787ecc4bec6c1e2f1e2905a85ea0aa01ca8e2293819ceff1b030c0399cb0125904dae05041237a6ee2ff4468bee8891b0acf8bf7bcd90791cc28e1

                                                                  • C:\Windows\SysWOW64\Klgqcqkl.exe

                                                                    Filesize

                                                                    64KB

                                                                    MD5

                                                                    6e50a70a285a88b2e6a5b2ec8b6f0a8f

                                                                    SHA1

                                                                    1d54c60018bfc4406a3a70cf7706f8953dd84ee0

                                                                    SHA256

                                                                    909338250b1f06b1b18dbf29b3fee7758cd9c71b91df85f5d9d751694a226a68

                                                                    SHA512

                                                                    ea607acda472bfd21fe614aeba1005c10c025e8c8a34a4771955e7a8c53edbdcca1128403b2ea84e2fab3c662d195c8d40fe7b4d1eceaff98644bea92631474b

                                                                  • C:\Windows\SysWOW64\Klimip32.exe

                                                                    Filesize

                                                                    64KB

                                                                    MD5

                                                                    94fff4139741b58a4f92b61580c15801

                                                                    SHA1

                                                                    2a7aeac18b3cd07d249794f86243cbbe9bd4bf45

                                                                    SHA256

                                                                    994cf822de19981925a02dc8c3376e30c1a005f9bfa2d55c61920337b4fca1b9

                                                                    SHA512

                                                                    ca1a4abdde1ac9324ddf8f09367bb168683c501b9d5a41a77e247674d4d0d69db0d56f26c6bdbd20996113fbde7d1cca1a1845286863f4c58a3469f0faaa3e3a

                                                                  • C:\Windows\SysWOW64\Klljnp32.exe

                                                                    Filesize

                                                                    64KB

                                                                    MD5

                                                                    b70f7c0d3c49c7b103561d5869fdd2f5

                                                                    SHA1

                                                                    e1b5f0ed9496877167f2c7b268e08f6aff740e90

                                                                    SHA256

                                                                    bd638f4dbb68bcd64cee531be07608a70082e3595ad1ae4286b125c6a63daf53

                                                                    SHA512

                                                                    9dea8f63f2168d22d8e4d24c6f2a74a0f3d0421292c03c2555143bf15577c2a524e08bc09a7e75981125d8a9cd607a1e8506fcbc7c22d2e4fb62da90e7b19c00

                                                                  • C:\Windows\SysWOW64\Klqcioba.exe

                                                                    Filesize

                                                                    64KB

                                                                    MD5

                                                                    c7304ef9478698e9d5e472ca82ea3f50

                                                                    SHA1

                                                                    ba176bbac578da52b0e5e4629d1c58845738c7c1

                                                                    SHA256

                                                                    9ddb8c529d6cd752c9fcb75e431ca9105c3e02c25b371d48d644ae94039e2f41

                                                                    SHA512

                                                                    297e6c014c2467ff004bbb8165db1f01686bd18add2e338ce1b94207c14804ccfe3e2e7cca82e00580421bf3d550a913ff7245902efbd6c0aaaa46e83312e3e7

                                                                  • C:\Windows\SysWOW64\Kpjcdn32.exe

                                                                    Filesize

                                                                    64KB

                                                                    MD5

                                                                    928a42322ca7e59f988fb7d881259dfa

                                                                    SHA1

                                                                    1e6272f3749bb5655d729a4708507336f0395af5

                                                                    SHA256

                                                                    17a03daf8361c83f83b129ff8c255aeb066d76ee3209c3207064085f7c973767

                                                                    SHA512

                                                                    decd5bf1d5267830e4054c382929c1c5e4272c77da594d97c29c233a14a557cf408fa7189b45d0d6a4b097fea5803d044733f9b5112fd7fafeba6056ce537e51

                                                                  • C:\Windows\SysWOW64\Lbmhlihl.exe

                                                                    Filesize

                                                                    64KB

                                                                    MD5

                                                                    e5776fe3a7106ebd75f167602edc6063

                                                                    SHA1

                                                                    f02f753a64a18b84990e31ecc1f31f6768f1b8bc

                                                                    SHA256

                                                                    6c7cd15b50c116339d2a85665f6387a7489bee71bad7e744f8e101cb4f08a9d7

                                                                    SHA512

                                                                    042432a0bc392334e54f8a825bd0df545ae639cff61139c0fd4b7ba59d36c0c23ea59ab24bae6a545be02b68a5cb90f1fc35aa66235080d7165245af3f11fca6

                                                                  • C:\Windows\SysWOW64\Lffhfh32.exe

                                                                    Filesize

                                                                    64KB

                                                                    MD5

                                                                    ccf995dfcbc1352fb6705d454f86ea38

                                                                    SHA1

                                                                    da156ed96027bdedbbebb0738727b98a5d42ff70

                                                                    SHA256

                                                                    a479c49739cb25c043ea86ce5784654fd0754d68fbfb7fa83fc46d7943a52b85

                                                                    SHA512

                                                                    f5251c19db5d0ee912728dd2cda31446d45e4c74dac9c35a19edcefdbe0011b05f24c1e4cd3ef77fdd19cceca3d8ff488184a779e9c01a2735bb5d8e898ce271

                                                                  • C:\Windows\SysWOW64\Liddbc32.exe

                                                                    Filesize

                                                                    64KB

                                                                    MD5

                                                                    1b37f119d456db2f0077ccb402e7833e

                                                                    SHA1

                                                                    edca0a7cf8a5127e13f1a4bfa3fa0857633bb7c4

                                                                    SHA256

                                                                    bf2eff17b65cd29825fa1275929c0b8a1921cd14da5c487714b3fbab1563699d

                                                                    SHA512

                                                                    ccbc928c6947afb409be836a81da1982f871e8a4c2fd362269255a1401c7e18956aa908ee1c0690778349d101b91761d616f5b0011d5d11b8f2a6b44ce1d85d7

                                                                  • C:\Windows\SysWOW64\Ligqhc32.exe

                                                                    Filesize

                                                                    64KB

                                                                    MD5

                                                                    a99c8d40908bb1cedfee33c7bbbe2d53

                                                                    SHA1

                                                                    e0886aef281445f09effbaba27178043553ea372

                                                                    SHA256

                                                                    f0a522a2064154c858546ad5ecffc5bd8a6106fe728a1ac8e9d0ff363b78d7b7

                                                                    SHA512

                                                                    c8c3156d0537e60815ff1acd019cec3cf513e70d78526c87b4ee78e9e8f5000f44da4397ac5369cebfc136ab4e592054697f924136ad453273489c6bc49547c4

                                                                  • C:\Windows\SysWOW64\Llcpoo32.exe

                                                                    Filesize

                                                                    64KB

                                                                    MD5

                                                                    080c88a65a5d1d497b67ca6c980a5330

                                                                    SHA1

                                                                    dceb697c49b58d438482a0f42c97c3961893c5d2

                                                                    SHA256

                                                                    aa14290c0f5d3a2a9d4f4e1d0c7c59219b1beb8c6c17d17be929d6639e0ef0e4

                                                                    SHA512

                                                                    fc956650019537c64f9e8b6bf0e3be44216aacfae85079814b7f634aa2e7b5d1484d422dcaa328f36396804918a150d09713648c9acdd8fd90aa3a2642c3cd4d

                                                                  • C:\Windows\SysWOW64\Lmbmibhb.exe

                                                                    Filesize

                                                                    64KB

                                                                    MD5

                                                                    fb9a271c8d5abdced0e7e1f7abc21417

                                                                    SHA1

                                                                    4ea3ba76ba231d298bc0d81bed8c0d4794b67e54

                                                                    SHA256

                                                                    8431afc229aa6f6372375141d583042756378bec90c21c14746ccac72c8f27ff

                                                                    SHA512

                                                                    004d19fb631b09a215032e3c4444ffc92f72467e0ae0add1e0c4b3ec69ec8d99c495ab3c44b12fbb172f113e49a719b3218a222751814a5eb865ad35c8dbb883

                                                                  • C:\Windows\SysWOW64\Lpebpm32.exe

                                                                    Filesize

                                                                    64KB

                                                                    MD5

                                                                    bbe4c558c54d639e72870b93c5118ed1

                                                                    SHA1

                                                                    12bc03ff04085812454f0ba47af659903463c6d9

                                                                    SHA256

                                                                    51b67d3fe624a889215eefaf1f776dd89e439b72ae3947d3cf51d4cec6fce639

                                                                    SHA512

                                                                    dd3b2202a6fe079e504f79846a4afbfd49b0abfe9e18c8b0e33545ee2a26bfa97eb52dedccaa913e868f74ffaa3c89df22d19f6c6328b15955780693b5da7e22

                                                                  • C:\Windows\SysWOW64\Nnneknob.exe

                                                                    Filesize

                                                                    64KB

                                                                    MD5

                                                                    1386b433985366567bce6168193cb44d

                                                                    SHA1

                                                                    ea30bdd373e224c30088117796619044708783c7

                                                                    SHA256

                                                                    74ca7928fbb5c72ad959f63eb302a5406f42bb48909562f6c8e368dc486b8957

                                                                    SHA512

                                                                    373884dd2ad8ed7b7fef46a67912e112a65275a5b1b61ad4f531bdcef4c01f9281f9a3ecf4e9b17f9394030db24b201cd9b2bb9c100c90747257cfcc9d2f85ea

                                                                  • C:\Windows\SysWOW64\Npfkgjdn.exe

                                                                    Filesize

                                                                    64KB

                                                                    MD5

                                                                    a440423fc8dc98a42be1dcc1ed413099

                                                                    SHA1

                                                                    208db6909d3cb9840bd6bf83b55ffa4821787230

                                                                    SHA256

                                                                    2a401474116512e16c27a82af59bc2e33fbc302592423029d304c71d956c2a3f

                                                                    SHA512

                                                                    927108650087155d0610000f9b43e73a92db4c60063d612326fa6e37fbef09f614f0c4e34640d64c44f46a037964ab11906241fccbcf99aece4a8e8af91f5f46

                                                                  • C:\Windows\SysWOW64\Ofqpqo32.exe

                                                                    Filesize

                                                                    64KB

                                                                    MD5

                                                                    6d1cab6534a78585ad850188c835f53f

                                                                    SHA1

                                                                    09642cc71495746da283db3fab8ebc56aef38384

                                                                    SHA256

                                                                    0bad6bed498e96762ec3c28e7026547786db0dbdec77cf67f46c1b378e2a9070

                                                                    SHA512

                                                                    186b8afd962b076549463d58d79e7d3ca8cf8b9ff9e34b0b9076b2b41e9c06c014fe3604bb46f1c439bd3e599182c16e8a6e6ee0a432b322d12c69d64e3b57e6

                                                                  • C:\Windows\SysWOW64\Pqdqof32.exe

                                                                    Filesize

                                                                    64KB

                                                                    MD5

                                                                    2d061c492b063e31e021ac85ae2fe690

                                                                    SHA1

                                                                    437a3b2756cb68d4c43d85a0090d7e14fa31206b

                                                                    SHA256

                                                                    ac9d55d7778b5c69407ddc35932031579b5049284c500165372dad17187421ab

                                                                    SHA512

                                                                    dde1d7b94e1c2bbc88fbd90b86c14025c4913f892a2f87ecc642a8b6e15f5dc4e28819ec6f1e6702fae2b273c2770b98fb1db7651ef36fc4c0e6ccdb67b3e80f

                                                                  • memory/412-72-0x0000000000400000-0x0000000000435000-memory.dmp

                                                                    Filesize

                                                                    212KB

                                                                  • memory/496-525-0x0000000000400000-0x0000000000435000-memory.dmp

                                                                    Filesize

                                                                    212KB

                                                                  • memory/528-353-0x0000000000400000-0x0000000000435000-memory.dmp

                                                                    Filesize

                                                                    212KB

                                                                  • memory/920-347-0x0000000000400000-0x0000000000435000-memory.dmp

                                                                    Filesize

                                                                    212KB

                                                                  • memory/1068-377-0x0000000000400000-0x0000000000435000-memory.dmp

                                                                    Filesize

                                                                    212KB

                                                                  • memory/1088-317-0x0000000000400000-0x0000000000435000-memory.dmp

                                                                    Filesize

                                                                    212KB

                                                                  • memory/1208-161-0x0000000000400000-0x0000000000435000-memory.dmp

                                                                    Filesize

                                                                    212KB

                                                                  • memory/1228-588-0x0000000000400000-0x0000000000435000-memory.dmp

                                                                    Filesize

                                                                    212KB

                                                                  • memory/1384-329-0x0000000000400000-0x0000000000435000-memory.dmp

                                                                    Filesize

                                                                    212KB

                                                                  • memory/1396-393-0x0000000000400000-0x0000000000435000-memory.dmp

                                                                    Filesize

                                                                    212KB

                                                                  • memory/1444-24-0x0000000000400000-0x0000000000435000-memory.dmp

                                                                    Filesize

                                                                    212KB

                                                                  • memory/1444-566-0x0000000000400000-0x0000000000435000-memory.dmp

                                                                    Filesize

                                                                    212KB

                                                                  • memory/1500-341-0x0000000000400000-0x0000000000435000-memory.dmp

                                                                    Filesize

                                                                    212KB

                                                                  • memory/1520-335-0x0000000000400000-0x0000000000435000-memory.dmp

                                                                    Filesize

                                                                    212KB

                                                                  • memory/1528-323-0x0000000000400000-0x0000000000435000-memory.dmp

                                                                    Filesize

                                                                    212KB

                                                                  • memory/1556-395-0x0000000000400000-0x0000000000435000-memory.dmp

                                                                    Filesize

                                                                    212KB

                                                                  • memory/1640-184-0x0000000000400000-0x0000000000435000-memory.dmp

                                                                    Filesize

                                                                    212KB

                                                                  • memory/1760-232-0x0000000000400000-0x0000000000435000-memory.dmp

                                                                    Filesize

                                                                    212KB

                                                                  • memory/1904-128-0x0000000000400000-0x0000000000435000-memory.dmp

                                                                    Filesize

                                                                    212KB

                                                                  • memory/1920-539-0x0000000000400000-0x0000000000435000-memory.dmp

                                                                    Filesize

                                                                    212KB

                                                                  • memory/1920-1-0x0000000000431000-0x0000000000432000-memory.dmp

                                                                    Filesize

                                                                    4KB

                                                                  • memory/1920-0-0x0000000000400000-0x0000000000435000-memory.dmp

                                                                    Filesize

                                                                    212KB

                                                                  • memory/1976-443-0x0000000000400000-0x0000000000435000-memory.dmp

                                                                    Filesize

                                                                    212KB

                                                                  • memory/1992-574-0x0000000000400000-0x0000000000435000-memory.dmp

                                                                    Filesize

                                                                    212KB

                                                                  • memory/2128-48-0x0000000000400000-0x0000000000435000-memory.dmp

                                                                    Filesize

                                                                    212KB

                                                                  • memory/2128-587-0x0000000000400000-0x0000000000435000-memory.dmp

                                                                    Filesize

                                                                    212KB

                                                                  • memory/2164-581-0x0000000000400000-0x0000000000435000-memory.dmp

                                                                    Filesize

                                                                    212KB

                                                                  • memory/2212-365-0x0000000000400000-0x0000000000435000-memory.dmp

                                                                    Filesize

                                                                    212KB

                                                                  • memory/2364-560-0x0000000000400000-0x0000000000435000-memory.dmp

                                                                    Filesize

                                                                    212KB

                                                                  • memory/2384-16-0x0000000000400000-0x0000000000435000-memory.dmp

                                                                    Filesize

                                                                    212KB

                                                                  • memory/2384-559-0x0000000000400000-0x0000000000435000-memory.dmp

                                                                    Filesize

                                                                    212KB

                                                                  • memory/2400-437-0x0000000000400000-0x0000000000435000-memory.dmp

                                                                    Filesize

                                                                    212KB

                                                                  • memory/2436-121-0x0000000000400000-0x0000000000435000-memory.dmp

                                                                    Filesize

                                                                    212KB

                                                                  • memory/2460-311-0x0000000000400000-0x0000000000435000-memory.dmp

                                                                    Filesize

                                                                    212KB

                                                                  • memory/2480-224-0x0000000000400000-0x0000000000435000-memory.dmp

                                                                    Filesize

                                                                    212KB

                                                                  • memory/2556-287-0x0000000000400000-0x0000000000435000-memory.dmp

                                                                    Filesize

                                                                    212KB

                                                                  • memory/2772-533-0x0000000000400000-0x0000000000435000-memory.dmp

                                                                    Filesize

                                                                    212KB

                                                                  • memory/2784-104-0x0000000000400000-0x0000000000435000-memory.dmp

                                                                    Filesize

                                                                    212KB

                                                                  • memory/2868-553-0x0000000000400000-0x0000000000435000-memory.dmp

                                                                    Filesize

                                                                    212KB

                                                                  • memory/2948-8-0x0000000000400000-0x0000000000435000-memory.dmp

                                                                    Filesize

                                                                    212KB

                                                                  • memory/2948-552-0x0000000000400000-0x0000000000435000-memory.dmp

                                                                    Filesize

                                                                    212KB

                                                                  • memory/2968-88-0x0000000000400000-0x0000000000435000-memory.dmp

                                                                    Filesize

                                                                    212KB

                                                                  • memory/3012-449-0x0000000000400000-0x0000000000435000-memory.dmp

                                                                    Filesize

                                                                    212KB

                                                                  • memory/3076-32-0x0000000000400000-0x0000000000435000-memory.dmp

                                                                    Filesize

                                                                    212KB

                                                                  • memory/3076-573-0x0000000000400000-0x0000000000435000-memory.dmp

                                                                    Filesize

                                                                    212KB

                                                                  • memory/3092-309-0x0000000000400000-0x0000000000435000-memory.dmp

                                                                    Filesize

                                                                    212KB

                                                                  • memory/3096-112-0x0000000000400000-0x0000000000435000-memory.dmp

                                                                    Filesize

                                                                    212KB

                                                                  • memory/3220-497-0x0000000000400000-0x0000000000435000-memory.dmp

                                                                    Filesize

                                                                    212KB

                                                                  • memory/3264-257-0x0000000000400000-0x0000000000435000-memory.dmp

                                                                    Filesize

                                                                    212KB

                                                                  • memory/3292-64-0x0000000000400000-0x0000000000435000-memory.dmp

                                                                    Filesize

                                                                    212KB

                                                                  • memory/3316-208-0x0000000000400000-0x0000000000435000-memory.dmp

                                                                    Filesize

                                                                    212KB

                                                                  • memory/3476-269-0x0000000000400000-0x0000000000435000-memory.dmp

                                                                    Filesize

                                                                    212KB

                                                                  • memory/3524-176-0x0000000000400000-0x0000000000435000-memory.dmp

                                                                    Filesize

                                                                    212KB

                                                                  • memory/3556-96-0x0000000000400000-0x0000000000435000-memory.dmp

                                                                    Filesize

                                                                    212KB

                                                                  • memory/3584-413-0x0000000000400000-0x0000000000435000-memory.dmp

                                                                    Filesize

                                                                    212KB

                                                                  • memory/3596-275-0x0000000000400000-0x0000000000435000-memory.dmp

                                                                    Filesize

                                                                    212KB

                                                                  • memory/3640-473-0x0000000000400000-0x0000000000435000-memory.dmp

                                                                    Filesize

                                                                    212KB

                                                                  • memory/3712-144-0x0000000000400000-0x0000000000435000-memory.dmp

                                                                    Filesize

                                                                    212KB

                                                                  • memory/3748-152-0x0000000000400000-0x0000000000435000-memory.dmp

                                                                    Filesize

                                                                    212KB

                                                                  • memory/3784-580-0x0000000000400000-0x0000000000435000-memory.dmp

                                                                    Filesize

                                                                    212KB

                                                                  • memory/3784-40-0x0000000000400000-0x0000000000435000-memory.dmp

                                                                    Filesize

                                                                    212KB

                                                                  • memory/3796-419-0x0000000000400000-0x0000000000435000-memory.dmp

                                                                    Filesize

                                                                    212KB

                                                                  • memory/3880-425-0x0000000000400000-0x0000000000435000-memory.dmp

                                                                    Filesize

                                                                    212KB

                                                                  • memory/3952-527-0x0000000000400000-0x0000000000435000-memory.dmp

                                                                    Filesize

                                                                    212KB

                                                                  • memory/3956-168-0x0000000000400000-0x0000000000435000-memory.dmp

                                                                    Filesize

                                                                    212KB

                                                                  • memory/3960-248-0x0000000000400000-0x0000000000435000-memory.dmp

                                                                    Filesize

                                                                    212KB

                                                                  • memory/4000-540-0x0000000000400000-0x0000000000435000-memory.dmp

                                                                    Filesize

                                                                    212KB

                                                                  • memory/4100-201-0x0000000000400000-0x0000000000435000-memory.dmp

                                                                    Filesize

                                                                    212KB

                                                                  • memory/4104-509-0x0000000000400000-0x0000000000435000-memory.dmp

                                                                    Filesize

                                                                    212KB

                                                                  • memory/4176-567-0x0000000000400000-0x0000000000435000-memory.dmp

                                                                    Filesize

                                                                    212KB

                                                                  • memory/4288-431-0x0000000000400000-0x0000000000435000-memory.dmp

                                                                    Filesize

                                                                    212KB

                                                                  • memory/4300-267-0x0000000000400000-0x0000000000435000-memory.dmp

                                                                    Filesize

                                                                    212KB

                                                                  • memory/4368-479-0x0000000000400000-0x0000000000435000-memory.dmp

                                                                    Filesize

                                                                    212KB

                                                                  • memory/4432-407-0x0000000000400000-0x0000000000435000-memory.dmp

                                                                    Filesize

                                                                    212KB

                                                                  • memory/4456-240-0x0000000000400000-0x0000000000435000-memory.dmp

                                                                    Filesize

                                                                    212KB

                                                                  • memory/4472-485-0x0000000000400000-0x0000000000435000-memory.dmp

                                                                    Filesize

                                                                    212KB

                                                                  • memory/4556-546-0x0000000000400000-0x0000000000435000-memory.dmp

                                                                    Filesize

                                                                    212KB

                                                                  • memory/4584-216-0x0000000000400000-0x0000000000435000-memory.dmp

                                                                    Filesize

                                                                    212KB

                                                                  • memory/4592-371-0x0000000000400000-0x0000000000435000-memory.dmp

                                                                    Filesize

                                                                    212KB

                                                                  • memory/4648-137-0x0000000000400000-0x0000000000435000-memory.dmp

                                                                    Filesize

                                                                    212KB

                                                                  • memory/4652-401-0x0000000000400000-0x0000000000435000-memory.dmp

                                                                    Filesize

                                                                    212KB

                                                                  • memory/4664-299-0x0000000000400000-0x0000000000435000-memory.dmp

                                                                    Filesize

                                                                    212KB

                                                                  • memory/4668-467-0x0000000000400000-0x0000000000435000-memory.dmp

                                                                    Filesize

                                                                    212KB

                                                                  • memory/4712-192-0x0000000000400000-0x0000000000435000-memory.dmp

                                                                    Filesize

                                                                    212KB

                                                                  • memory/4732-359-0x0000000000400000-0x0000000000435000-memory.dmp

                                                                    Filesize

                                                                    212KB

                                                                  • memory/4776-515-0x0000000000400000-0x0000000000435000-memory.dmp

                                                                    Filesize

                                                                    212KB

                                                                  • memory/4840-383-0x0000000000400000-0x0000000000435000-memory.dmp

                                                                    Filesize

                                                                    212KB

                                                                  • memory/4852-503-0x0000000000400000-0x0000000000435000-memory.dmp

                                                                    Filesize

                                                                    212KB

                                                                  • memory/4860-594-0x0000000000400000-0x0000000000435000-memory.dmp

                                                                    Filesize

                                                                    212KB

                                                                  • memory/4860-56-0x0000000000400000-0x0000000000435000-memory.dmp

                                                                    Filesize

                                                                    212KB

                                                                  • memory/4876-80-0x0000000000400000-0x0000000000435000-memory.dmp

                                                                    Filesize

                                                                    212KB

                                                                  • memory/4920-455-0x0000000000400000-0x0000000000435000-memory.dmp

                                                                    Filesize

                                                                    212KB

                                                                  • memory/5004-281-0x0000000000400000-0x0000000000435000-memory.dmp

                                                                    Filesize

                                                                    212KB

                                                                  • memory/5032-491-0x0000000000400000-0x0000000000435000-memory.dmp

                                                                    Filesize

                                                                    212KB

                                                                  • memory/5108-461-0x0000000000400000-0x0000000000435000-memory.dmp

                                                                    Filesize

                                                                    212KB

                                                                  • memory/5112-293-0x0000000000400000-0x0000000000435000-memory.dmp

                                                                    Filesize

                                                                    212KB