Analysis

  • max time kernel
    93s
  • max time network
    136s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
  • submitted
    10-11-2024 01:56

General

  • Target

    b4f9648def0c4e1e76057036e3362a38106b8a57359ee6a9afc7e9b2cd6dc8fe.exe

  • Size

    96KB

  • MD5

    83de0517acf4613ebb2e9e312a511256

  • SHA1

    7e319c69dc695baca29879a9ace6317f9abf6274

  • SHA256

    b4f9648def0c4e1e76057036e3362a38106b8a57359ee6a9afc7e9b2cd6dc8fe

  • SHA512

    5bc1adb646435d2235123fbde497fe24b73a5938c06c9532c27d8dde69fd0838c4053e26daac80457c95fab525cdf2d259cec6ba9c2a8ae855463cd7960adc17

  • SSDEEP

    1536:PdDtYR3EXSyl35zo+zztp5jM6mmPHN4huwgnui0vSHG7mftt3duV9jojTIvjr:Ps59yrh/hdNE/grx6mldd69jc0v

Malware Config

Extracted

Family

berbew

C2

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
  • Berbew

    Berbew is a backdoor written in C++.

  • Berbew family
  • Executes dropped EXE 64 IoCs
  • Drops file in System32 directory 64 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b4f9648def0c4e1e76057036e3362a38106b8a57359ee6a9afc7e9b2cd6dc8fe.exe
    "C:\Users\Admin\AppData\Local\Temp\b4f9648def0c4e1e76057036e3362a38106b8a57359ee6a9afc7e9b2cd6dc8fe.exe"
    1⤵
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4708
    • C:\Windows\SysWOW64\Jedeph32.exe
      C:\Windows\system32\Jedeph32.exe
      2⤵
      • Adds autorun key to be loaded by Explorer.exe on startup
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1748
      • C:\Windows\SysWOW64\Jpijnqkp.exe
        C:\Windows\system32\Jpijnqkp.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:2304
        • C:\Windows\SysWOW64\Jefbfgig.exe
          C:\Windows\system32\Jefbfgig.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:1856
          • C:\Windows\SysWOW64\Jianff32.exe
            C:\Windows\system32\Jianff32.exe
            5⤵
            • Executes dropped EXE
            • Drops file in System32 directory
            • Suspicious use of WriteProcessMemory
            PID:1584
            • C:\Windows\SysWOW64\Jbjcolha.exe
              C:\Windows\system32\Jbjcolha.exe
              6⤵
              • Adds autorun key to be loaded by Explorer.exe on startup
              • Executes dropped EXE
              • Modifies registry class
              • Suspicious use of WriteProcessMemory
              PID:1968
              • C:\Windows\SysWOW64\Jidklf32.exe
                C:\Windows\system32\Jidklf32.exe
                7⤵
                • Adds autorun key to be loaded by Explorer.exe on startup
                • Executes dropped EXE
                • Modifies registry class
                • Suspicious use of WriteProcessMemory
                PID:4968
                • C:\Windows\SysWOW64\Jpnchp32.exe
                  C:\Windows\system32\Jpnchp32.exe
                  8⤵
                  • Executes dropped EXE
                  • Drops file in System32 directory
                  • Suspicious use of WriteProcessMemory
                  PID:1620
                  • C:\Windows\SysWOW64\Jfhlejnh.exe
                    C:\Windows\system32\Jfhlejnh.exe
                    9⤵
                    • Adds autorun key to be loaded by Explorer.exe on startup
                    • Executes dropped EXE
                    • Drops file in System32 directory
                    • Modifies registry class
                    • Suspicious use of WriteProcessMemory
                    PID:5068
                    • C:\Windows\SysWOW64\Jeklag32.exe
                      C:\Windows\system32\Jeklag32.exe
                      10⤵
                      • Adds autorun key to be loaded by Explorer.exe on startup
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      • Modifies registry class
                      • Suspicious use of WriteProcessMemory
                      PID:2864
                      • C:\Windows\SysWOW64\Jmbdbd32.exe
                        C:\Windows\system32\Jmbdbd32.exe
                        11⤵
                        • Executes dropped EXE
                        • Suspicious use of WriteProcessMemory
                        PID:2704
                        • C:\Windows\SysWOW64\Jpppnp32.exe
                          C:\Windows\system32\Jpppnp32.exe
                          12⤵
                          • Executes dropped EXE
                          • Suspicious use of WriteProcessMemory
                          PID:3144
                          • C:\Windows\SysWOW64\Kboljk32.exe
                            C:\Windows\system32\Kboljk32.exe
                            13⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            • Suspicious use of WriteProcessMemory
                            PID:3960
                            • C:\Windows\SysWOW64\Klgqcqkl.exe
                              C:\Windows\system32\Klgqcqkl.exe
                              14⤵
                              • Adds autorun key to be loaded by Explorer.exe on startup
                              • Executes dropped EXE
                              • System Location Discovery: System Language Discovery
                              • Suspicious use of WriteProcessMemory
                              PID:4836
                              • C:\Windows\SysWOW64\Kfmepi32.exe
                                C:\Windows\system32\Kfmepi32.exe
                                15⤵
                                • Executes dropped EXE
                                • Drops file in System32 directory
                                • System Location Discovery: System Language Discovery
                                • Suspicious use of WriteProcessMemory
                                PID:2224
                                • C:\Windows\SysWOW64\Kmfmmcbo.exe
                                  C:\Windows\system32\Kmfmmcbo.exe
                                  16⤵
                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                  • Executes dropped EXE
                                  • System Location Discovery: System Language Discovery
                                  • Suspicious use of WriteProcessMemory
                                  PID:3724
                                  • C:\Windows\SysWOW64\Kdqejn32.exe
                                    C:\Windows\system32\Kdqejn32.exe
                                    17⤵
                                    • Executes dropped EXE
                                    • System Location Discovery: System Language Discovery
                                    • Modifies registry class
                                    • Suspicious use of WriteProcessMemory
                                    PID:4736
                                    • C:\Windows\SysWOW64\Kebbafoj.exe
                                      C:\Windows\system32\Kebbafoj.exe
                                      18⤵
                                      • Executes dropped EXE
                                      • Drops file in System32 directory
                                      • System Location Discovery: System Language Discovery
                                      • Suspicious use of WriteProcessMemory
                                      PID:2792
                                      • C:\Windows\SysWOW64\Kmijbcpl.exe
                                        C:\Windows\system32\Kmijbcpl.exe
                                        19⤵
                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                        • Executes dropped EXE
                                        • Suspicious use of WriteProcessMemory
                                        PID:448
                                        • C:\Windows\SysWOW64\Kpgfooop.exe
                                          C:\Windows\system32\Kpgfooop.exe
                                          20⤵
                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                          • Executes dropped EXE
                                          • Drops file in System32 directory
                                          • Suspicious use of WriteProcessMemory
                                          PID:4972
                                          • C:\Windows\SysWOW64\Kipkhdeq.exe
                                            C:\Windows\system32\Kipkhdeq.exe
                                            21⤵
                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                            • Executes dropped EXE
                                            • Drops file in System32 directory
                                            • Suspicious use of WriteProcessMemory
                                            PID:1992
                                            • C:\Windows\SysWOW64\Kmkfhc32.exe
                                              C:\Windows\system32\Kmkfhc32.exe
                                              22⤵
                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                              • Executes dropped EXE
                                              • Suspicious use of WriteProcessMemory
                                              PID:3624
                                              • C:\Windows\SysWOW64\Kpjcdn32.exe
                                                C:\Windows\system32\Kpjcdn32.exe
                                                23⤵
                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                • Executes dropped EXE
                                                • Drops file in System32 directory
                                                • System Location Discovery: System Language Discovery
                                                PID:3640
                                                • C:\Windows\SysWOW64\Kefkme32.exe
                                                  C:\Windows\system32\Kefkme32.exe
                                                  24⤵
                                                  • Executes dropped EXE
                                                  • System Location Discovery: System Language Discovery
                                                  • Modifies registry class
                                                  PID:2576
                                                  • C:\Windows\SysWOW64\Kplpjn32.exe
                                                    C:\Windows\system32\Kplpjn32.exe
                                                    25⤵
                                                    • Executes dropped EXE
                                                    • System Location Discovery: System Language Discovery
                                                    • Modifies registry class
                                                    PID:5052
                                                    • C:\Windows\SysWOW64\Lffhfh32.exe
                                                      C:\Windows\system32\Lffhfh32.exe
                                                      26⤵
                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                      • Executes dropped EXE
                                                      PID:4204
                                                      • C:\Windows\SysWOW64\Lmppcbjd.exe
                                                        C:\Windows\system32\Lmppcbjd.exe
                                                        27⤵
                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                        • Executes dropped EXE
                                                        • System Location Discovery: System Language Discovery
                                                        PID:2204
                                                        • C:\Windows\SysWOW64\Lbmhlihl.exe
                                                          C:\Windows\system32\Lbmhlihl.exe
                                                          28⤵
                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                          • Executes dropped EXE
                                                          • Drops file in System32 directory
                                                          • Modifies registry class
                                                          PID:3836
                                                          • C:\Windows\SysWOW64\Ligqhc32.exe
                                                            C:\Windows\system32\Ligqhc32.exe
                                                            29⤵
                                                            • Executes dropped EXE
                                                            • Drops file in System32 directory
                                                            • System Location Discovery: System Language Discovery
                                                            PID:2328
                                                            • C:\Windows\SysWOW64\Ldleel32.exe
                                                              C:\Windows\system32\Ldleel32.exe
                                                              30⤵
                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                              • Executes dropped EXE
                                                              • Drops file in System32 directory
                                                              PID:1660
                                                              • C:\Windows\SysWOW64\Liimncmf.exe
                                                                C:\Windows\system32\Liimncmf.exe
                                                                31⤵
                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                • Executes dropped EXE
                                                                • Drops file in System32 directory
                                                                PID:4332
                                                                • C:\Windows\SysWOW64\Llgjjnlj.exe
                                                                  C:\Windows\system32\Llgjjnlj.exe
                                                                  32⤵
                                                                  • Executes dropped EXE
                                                                  • Modifies registry class
                                                                  PID:4516
                                                                  • C:\Windows\SysWOW64\Ldoaklml.exe
                                                                    C:\Windows\system32\Ldoaklml.exe
                                                                    33⤵
                                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                                    • Executes dropped EXE
                                                                    • Drops file in System32 directory
                                                                    PID:3940
                                                                    • C:\Windows\SysWOW64\Lgmngglp.exe
                                                                      C:\Windows\system32\Lgmngglp.exe
                                                                      34⤵
                                                                      • Executes dropped EXE
                                                                      PID:1676
                                                                      • C:\Windows\SysWOW64\Lmgfda32.exe
                                                                        C:\Windows\system32\Lmgfda32.exe
                                                                        35⤵
                                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                                        • Executes dropped EXE
                                                                        PID:1912
                                                                        • C:\Windows\SysWOW64\Ldanqkki.exe
                                                                          C:\Windows\system32\Ldanqkki.exe
                                                                          36⤵
                                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                                          • Executes dropped EXE
                                                                          • System Location Discovery: System Language Discovery
                                                                          • Modifies registry class
                                                                          PID:3860
                                                                          • C:\Windows\SysWOW64\Lgokmgjm.exe
                                                                            C:\Windows\system32\Lgokmgjm.exe
                                                                            37⤵
                                                                            • Executes dropped EXE
                                                                            • Modifies registry class
                                                                            PID:3056
                                                                            • C:\Windows\SysWOW64\Lingibiq.exe
                                                                              C:\Windows\system32\Lingibiq.exe
                                                                              38⤵
                                                                              • Executes dropped EXE
                                                                              • System Location Discovery: System Language Discovery
                                                                              • Modifies registry class
                                                                              PID:3152
                                                                              • C:\Windows\SysWOW64\Lphoelqn.exe
                                                                                C:\Windows\system32\Lphoelqn.exe
                                                                                39⤵
                                                                                • Executes dropped EXE
                                                                                • System Location Discovery: System Language Discovery
                                                                                PID:3080
                                                                                • C:\Windows\SysWOW64\Mbfkbhpa.exe
                                                                                  C:\Windows\system32\Mbfkbhpa.exe
                                                                                  40⤵
                                                                                  • Executes dropped EXE
                                                                                  • Drops file in System32 directory
                                                                                  • Modifies registry class
                                                                                  PID:2676
                                                                                  • C:\Windows\SysWOW64\Medgncoe.exe
                                                                                    C:\Windows\system32\Medgncoe.exe
                                                                                    41⤵
                                                                                    • Executes dropped EXE
                                                                                    • Drops file in System32 directory
                                                                                    • System Location Discovery: System Language Discovery
                                                                                    • Modifies registry class
                                                                                    PID:1340
                                                                                    • C:\Windows\SysWOW64\Mlopkm32.exe
                                                                                      C:\Windows\system32\Mlopkm32.exe
                                                                                      42⤵
                                                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                      • Executes dropped EXE
                                                                                      • System Location Discovery: System Language Discovery
                                                                                      PID:1164
                                                                                      • C:\Windows\SysWOW64\Mchhggno.exe
                                                                                        C:\Windows\system32\Mchhggno.exe
                                                                                        43⤵
                                                                                        • Executes dropped EXE
                                                                                        • System Location Discovery: System Language Discovery
                                                                                        PID:4856
                                                                                        • C:\Windows\SysWOW64\Megdccmb.exe
                                                                                          C:\Windows\system32\Megdccmb.exe
                                                                                          44⤵
                                                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                          • Executes dropped EXE
                                                                                          • System Location Discovery: System Language Discovery
                                                                                          • Modifies registry class
                                                                                          PID:2900
                                                                                          • C:\Windows\SysWOW64\Mlampmdo.exe
                                                                                            C:\Windows\system32\Mlampmdo.exe
                                                                                            45⤵
                                                                                            • Executes dropped EXE
                                                                                            • Drops file in System32 directory
                                                                                            • System Location Discovery: System Language Discovery
                                                                                            PID:1428
                                                                                            • C:\Windows\SysWOW64\Mdhdajea.exe
                                                                                              C:\Windows\system32\Mdhdajea.exe
                                                                                              46⤵
                                                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                              • Executes dropped EXE
                                                                                              PID:3768
                                                                                              • C:\Windows\SysWOW64\Mgfqmfde.exe
                                                                                                C:\Windows\system32\Mgfqmfde.exe
                                                                                                47⤵
                                                                                                • Executes dropped EXE
                                                                                                PID:4400
                                                                                                • C:\Windows\SysWOW64\Mmpijp32.exe
                                                                                                  C:\Windows\system32\Mmpijp32.exe
                                                                                                  48⤵
                                                                                                  • Executes dropped EXE
                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                  • Modifies registry class
                                                                                                  PID:3588
                                                                                                  • C:\Windows\SysWOW64\Mpoefk32.exe
                                                                                                    C:\Windows\system32\Mpoefk32.exe
                                                                                                    49⤵
                                                                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                    • Executes dropped EXE
                                                                                                    • Modifies registry class
                                                                                                    PID:4612
                                                                                                    • C:\Windows\SysWOW64\Melnob32.exe
                                                                                                      C:\Windows\system32\Melnob32.exe
                                                                                                      50⤵
                                                                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                      • Executes dropped EXE
                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                      PID:1812
                                                                                                      • C:\Windows\SysWOW64\Mmbfpp32.exe
                                                                                                        C:\Windows\system32\Mmbfpp32.exe
                                                                                                        51⤵
                                                                                                        • Executes dropped EXE
                                                                                                        • Modifies registry class
                                                                                                        PID:5020
                                                                                                        • C:\Windows\SysWOW64\Mdmnlj32.exe
                                                                                                          C:\Windows\system32\Mdmnlj32.exe
                                                                                                          52⤵
                                                                                                          • Executes dropped EXE
                                                                                                          • Modifies registry class
                                                                                                          PID:1820
                                                                                                          • C:\Windows\SysWOW64\Mnebeogl.exe
                                                                                                            C:\Windows\system32\Mnebeogl.exe
                                                                                                            53⤵
                                                                                                            • Executes dropped EXE
                                                                                                            • Drops file in System32 directory
                                                                                                            PID:2200
                                                                                                            • C:\Windows\SysWOW64\Ndokbi32.exe
                                                                                                              C:\Windows\system32\Ndokbi32.exe
                                                                                                              54⤵
                                                                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                              • Executes dropped EXE
                                                                                                              PID:452
                                                                                                              • C:\Windows\SysWOW64\Ngmgne32.exe
                                                                                                                C:\Windows\system32\Ngmgne32.exe
                                                                                                                55⤵
                                                                                                                • Executes dropped EXE
                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                • Modifies registry class
                                                                                                                PID:4316
                                                                                                                • C:\Windows\SysWOW64\Nngokoej.exe
                                                                                                                  C:\Windows\system32\Nngokoej.exe
                                                                                                                  56⤵
                                                                                                                  • Executes dropped EXE
                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                  • Modifies registry class
                                                                                                                  PID:4300
                                                                                                                  • C:\Windows\SysWOW64\Ndaggimg.exe
                                                                                                                    C:\Windows\system32\Ndaggimg.exe
                                                                                                                    57⤵
                                                                                                                    • Executes dropped EXE
                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                    PID:464
                                                                                                                    • C:\Windows\SysWOW64\Nebdoa32.exe
                                                                                                                      C:\Windows\system32\Nebdoa32.exe
                                                                                                                      58⤵
                                                                                                                      • Executes dropped EXE
                                                                                                                      • Drops file in System32 directory
                                                                                                                      PID:4832
                                                                                                                      • C:\Windows\SysWOW64\Nlmllkja.exe
                                                                                                                        C:\Windows\system32\Nlmllkja.exe
                                                                                                                        59⤵
                                                                                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                        • Executes dropped EXE
                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                        • Modifies registry class
                                                                                                                        PID:1740
                                                                                                                        • C:\Windows\SysWOW64\Ndcdmikd.exe
                                                                                                                          C:\Windows\system32\Ndcdmikd.exe
                                                                                                                          60⤵
                                                                                                                          • Executes dropped EXE
                                                                                                                          PID:1556
                                                                                                                          • C:\Windows\SysWOW64\Neeqea32.exe
                                                                                                                            C:\Windows\system32\Neeqea32.exe
                                                                                                                            61⤵
                                                                                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                            • Executes dropped EXE
                                                                                                                            • Drops file in System32 directory
                                                                                                                            PID:3180
                                                                                                                            • C:\Windows\SysWOW64\Nloiakho.exe
                                                                                                                              C:\Windows\system32\Nloiakho.exe
                                                                                                                              62⤵
                                                                                                                              • Executes dropped EXE
                                                                                                                              • Drops file in System32 directory
                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                              PID:1364
                                                                                                                              • C:\Windows\SysWOW64\Ndfqbhia.exe
                                                                                                                                C:\Windows\system32\Ndfqbhia.exe
                                                                                                                                63⤵
                                                                                                                                • Executes dropped EXE
                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                • Modifies registry class
                                                                                                                                PID:1404
                                                                                                                                • C:\Windows\SysWOW64\Ngdmod32.exe
                                                                                                                                  C:\Windows\system32\Ngdmod32.exe
                                                                                                                                  64⤵
                                                                                                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                  • Executes dropped EXE
                                                                                                                                  PID:1720
                                                                                                                                  • C:\Windows\SysWOW64\Njciko32.exe
                                                                                                                                    C:\Windows\system32\Njciko32.exe
                                                                                                                                    65⤵
                                                                                                                                    • Executes dropped EXE
                                                                                                                                    PID:4256
                                                                                                                                    • C:\Windows\SysWOW64\Nlaegk32.exe
                                                                                                                                      C:\Windows\system32\Nlaegk32.exe
                                                                                                                                      66⤵
                                                                                                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                      PID:2452
                                                                                                                                      • C:\Windows\SysWOW64\Nckndeni.exe
                                                                                                                                        C:\Windows\system32\Nckndeni.exe
                                                                                                                                        67⤵
                                                                                                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                        • Drops file in System32 directory
                                                                                                                                        • Modifies registry class
                                                                                                                                        PID:4600
                                                                                                                                        • C:\Windows\SysWOW64\Nggjdc32.exe
                                                                                                                                          C:\Windows\system32\Nggjdc32.exe
                                                                                                                                          68⤵
                                                                                                                                          • Drops file in System32 directory
                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                          PID:876
                                                                                                                                          • C:\Windows\SysWOW64\Njefqo32.exe
                                                                                                                                            C:\Windows\system32\Njefqo32.exe
                                                                                                                                            69⤵
                                                                                                                                            • Drops file in System32 directory
                                                                                                                                            • Modifies registry class
                                                                                                                                            PID:3256
                                                                                                                                            • C:\Windows\SysWOW64\Olcbmj32.exe
                                                                                                                                              C:\Windows\system32\Olcbmj32.exe
                                                                                                                                              70⤵
                                                                                                                                                PID:4596
                                                                                                                                                • C:\Windows\SysWOW64\Ogifjcdp.exe
                                                                                                                                                  C:\Windows\system32\Ogifjcdp.exe
                                                                                                                                                  71⤵
                                                                                                                                                  • Drops file in System32 directory
                                                                                                                                                  PID:3864
                                                                                                                                                  • C:\Windows\SysWOW64\Oncofm32.exe
                                                                                                                                                    C:\Windows\system32\Oncofm32.exe
                                                                                                                                                    72⤵
                                                                                                                                                      PID:1068
                                                                                                                                                      • C:\Windows\SysWOW64\Odmgcgbi.exe
                                                                                                                                                        C:\Windows\system32\Odmgcgbi.exe
                                                                                                                                                        73⤵
                                                                                                                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                        PID:2320
                                                                                                                                                        • C:\Windows\SysWOW64\Ofnckp32.exe
                                                                                                                                                          C:\Windows\system32\Ofnckp32.exe
                                                                                                                                                          74⤵
                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                          PID:5012
                                                                                                                                                          • C:\Windows\SysWOW64\Oneklm32.exe
                                                                                                                                                            C:\Windows\system32\Oneklm32.exe
                                                                                                                                                            75⤵
                                                                                                                                                            • Drops file in System32 directory
                                                                                                                                                            PID:2700
                                                                                                                                                            • C:\Windows\SysWOW64\Opdghh32.exe
                                                                                                                                                              C:\Windows\system32\Opdghh32.exe
                                                                                                                                                              76⤵
                                                                                                                                                              • Drops file in System32 directory
                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                              • Modifies registry class
                                                                                                                                                              PID:4252
                                                                                                                                                              • C:\Windows\SysWOW64\Ocbddc32.exe
                                                                                                                                                                C:\Windows\system32\Ocbddc32.exe
                                                                                                                                                                77⤵
                                                                                                                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                PID:3328
                                                                                                                                                                • C:\Windows\SysWOW64\Ofqpqo32.exe
                                                                                                                                                                  C:\Windows\system32\Ofqpqo32.exe
                                                                                                                                                                  78⤵
                                                                                                                                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                  • Drops file in System32 directory
                                                                                                                                                                  PID:2760
                                                                                                                                                                  • C:\Windows\SysWOW64\Onhhamgg.exe
                                                                                                                                                                    C:\Windows\system32\Onhhamgg.exe
                                                                                                                                                                    79⤵
                                                                                                                                                                    • Modifies registry class
                                                                                                                                                                    PID:1872
                                                                                                                                                                    • C:\Windows\SysWOW64\Ocdqjceo.exe
                                                                                                                                                                      C:\Windows\system32\Ocdqjceo.exe
                                                                                                                                                                      80⤵
                                                                                                                                                                        PID:4608
                                                                                                                                                                        • C:\Windows\SysWOW64\Ofcmfodb.exe
                                                                                                                                                                          C:\Windows\system32\Ofcmfodb.exe
                                                                                                                                                                          81⤵
                                                                                                                                                                          • Modifies registry class
                                                                                                                                                                          PID:1320
                                                                                                                                                                          • C:\Windows\SysWOW64\Onjegled.exe
                                                                                                                                                                            C:\Windows\system32\Onjegled.exe
                                                                                                                                                                            82⤵
                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                            PID:3104
                                                                                                                                                                            • C:\Windows\SysWOW64\Olmeci32.exe
                                                                                                                                                                              C:\Windows\system32\Olmeci32.exe
                                                                                                                                                                              83⤵
                                                                                                                                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                              • Modifies registry class
                                                                                                                                                                              PID:392
                                                                                                                                                                              • C:\Windows\SysWOW64\Ogbipa32.exe
                                                                                                                                                                                C:\Windows\system32\Ogbipa32.exe
                                                                                                                                                                                84⤵
                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                • Modifies registry class
                                                                                                                                                                                PID:2288
                                                                                                                                                                                • C:\Windows\SysWOW64\Pmoahijl.exe
                                                                                                                                                                                  C:\Windows\system32\Pmoahijl.exe
                                                                                                                                                                                  85⤵
                                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                                  • Modifies registry class
                                                                                                                                                                                  PID:3228
                                                                                                                                                                                  • C:\Windows\SysWOW64\Pqknig32.exe
                                                                                                                                                                                    C:\Windows\system32\Pqknig32.exe
                                                                                                                                                                                    86⤵
                                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                                    PID:4628
                                                                                                                                                                                    • C:\Windows\SysWOW64\Pmannhhj.exe
                                                                                                                                                                                      C:\Windows\system32\Pmannhhj.exe
                                                                                                                                                                                      87⤵
                                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                                      • Modifies registry class
                                                                                                                                                                                      PID:4236
                                                                                                                                                                                      • C:\Windows\SysWOW64\Pfjcgn32.exe
                                                                                                                                                                                        C:\Windows\system32\Pfjcgn32.exe
                                                                                                                                                                                        88⤵
                                                                                                                                                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                                        • Modifies registry class
                                                                                                                                                                                        PID:3448
                                                                                                                                                                                        • C:\Windows\SysWOW64\Pqpgdfnp.exe
                                                                                                                                                                                          C:\Windows\system32\Pqpgdfnp.exe
                                                                                                                                                                                          89⤵
                                                                                                                                                                                          • Drops file in System32 directory
                                                                                                                                                                                          PID:1888
                                                                                                                                                                                          • C:\Windows\SysWOW64\Pcncpbmd.exe
                                                                                                                                                                                            C:\Windows\system32\Pcncpbmd.exe
                                                                                                                                                                                            90⤵
                                                                                                                                                                                            • Drops file in System32 directory
                                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                                            • Modifies registry class
                                                                                                                                                                                            PID:3572
                                                                                                                                                                                            • C:\Windows\SysWOW64\Pgioqq32.exe
                                                                                                                                                                                              C:\Windows\system32\Pgioqq32.exe
                                                                                                                                                                                              91⤵
                                                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                                                              PID:5168
                                                                                                                                                                                              • C:\Windows\SysWOW64\Pflplnlg.exe
                                                                                                                                                                                                C:\Windows\system32\Pflplnlg.exe
                                                                                                                                                                                                92⤵
                                                                                                                                                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                • Modifies registry class
                                                                                                                                                                                                PID:5208
                                                                                                                                                                                                • C:\Windows\SysWOW64\Pjhlml32.exe
                                                                                                                                                                                                  C:\Windows\system32\Pjhlml32.exe
                                                                                                                                                                                                  93⤵
                                                                                                                                                                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                  PID:5252
                                                                                                                                                                                                  • C:\Windows\SysWOW64\Pmfhig32.exe
                                                                                                                                                                                                    C:\Windows\system32\Pmfhig32.exe
                                                                                                                                                                                                    94⤵
                                                                                                                                                                                                    • Drops file in System32 directory
                                                                                                                                                                                                    PID:5296
                                                                                                                                                                                                    • C:\Windows\SysWOW64\Pdmpje32.exe
                                                                                                                                                                                                      C:\Windows\system32\Pdmpje32.exe
                                                                                                                                                                                                      95⤵
                                                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                                                      • Modifies registry class
                                                                                                                                                                                                      PID:5340
                                                                                                                                                                                                      • C:\Windows\SysWOW64\Pcppfaka.exe
                                                                                                                                                                                                        C:\Windows\system32\Pcppfaka.exe
                                                                                                                                                                                                        96⤵
                                                                                                                                                                                                        • Drops file in System32 directory
                                                                                                                                                                                                        • Modifies registry class
                                                                                                                                                                                                        PID:5384
                                                                                                                                                                                                        • C:\Windows\SysWOW64\Pfolbmje.exe
                                                                                                                                                                                                          C:\Windows\system32\Pfolbmje.exe
                                                                                                                                                                                                          97⤵
                                                                                                                                                                                                          • Modifies registry class
                                                                                                                                                                                                          PID:5428
                                                                                                                                                                                                          • C:\Windows\SysWOW64\Pjjhbl32.exe
                                                                                                                                                                                                            C:\Windows\system32\Pjjhbl32.exe
                                                                                                                                                                                                            98⤵
                                                                                                                                                                                                              PID:5472
                                                                                                                                                                                                              • C:\Windows\SysWOW64\Pnfdcjkg.exe
                                                                                                                                                                                                                C:\Windows\system32\Pnfdcjkg.exe
                                                                                                                                                                                                                99⤵
                                                                                                                                                                                                                • Drops file in System32 directory
                                                                                                                                                                                                                • Modifies registry class
                                                                                                                                                                                                                PID:5516
                                                                                                                                                                                                                • C:\Windows\SysWOW64\Pqdqof32.exe
                                                                                                                                                                                                                  C:\Windows\system32\Pqdqof32.exe
                                                                                                                                                                                                                  100⤵
                                                                                                                                                                                                                    PID:5556
                                                                                                                                                                                                                    • C:\Windows\SysWOW64\Pgnilpah.exe
                                                                                                                                                                                                                      C:\Windows\system32\Pgnilpah.exe
                                                                                                                                                                                                                      101⤵
                                                                                                                                                                                                                      • Drops file in System32 directory
                                                                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                      • Modifies registry class
                                                                                                                                                                                                                      PID:5600
                                                                                                                                                                                                                      • C:\Windows\SysWOW64\Pjmehkqk.exe
                                                                                                                                                                                                                        C:\Windows\system32\Pjmehkqk.exe
                                                                                                                                                                                                                        102⤵
                                                                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                        PID:5640
                                                                                                                                                                                                                        • C:\Windows\SysWOW64\Qqfmde32.exe
                                                                                                                                                                                                                          C:\Windows\system32\Qqfmde32.exe
                                                                                                                                                                                                                          103⤵
                                                                                                                                                                                                                          • Drops file in System32 directory
                                                                                                                                                                                                                          PID:5684
                                                                                                                                                                                                                          • C:\Windows\SysWOW64\Qceiaa32.exe
                                                                                                                                                                                                                            C:\Windows\system32\Qceiaa32.exe
                                                                                                                                                                                                                            104⤵
                                                                                                                                                                                                                            • Modifies registry class
                                                                                                                                                                                                                            PID:5728
                                                                                                                                                                                                                            • C:\Windows\SysWOW64\Qfcfml32.exe
                                                                                                                                                                                                                              C:\Windows\system32\Qfcfml32.exe
                                                                                                                                                                                                                              105⤵
                                                                                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                              PID:5772
                                                                                                                                                                                                                              • C:\Windows\SysWOW64\Qqijje32.exe
                                                                                                                                                                                                                                C:\Windows\system32\Qqijje32.exe
                                                                                                                                                                                                                                106⤵
                                                                                                                                                                                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                PID:5816
                                                                                                                                                                                                                                • C:\Windows\SysWOW64\Qffbbldm.exe
                                                                                                                                                                                                                                  C:\Windows\system32\Qffbbldm.exe
                                                                                                                                                                                                                                  107⤵
                                                                                                                                                                                                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                  • Drops file in System32 directory
                                                                                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                  • Modifies registry class
                                                                                                                                                                                                                                  PID:5860
                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\Aqkgpedc.exe
                                                                                                                                                                                                                                    C:\Windows\system32\Aqkgpedc.exe
                                                                                                                                                                                                                                    108⤵
                                                                                                                                                                                                                                    • Drops file in System32 directory
                                                                                                                                                                                                                                    PID:5904
                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\Anogiicl.exe
                                                                                                                                                                                                                                      C:\Windows\system32\Anogiicl.exe
                                                                                                                                                                                                                                      109⤵
                                                                                                                                                                                                                                      • Drops file in System32 directory
                                                                                                                                                                                                                                      PID:5964
                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\Aqncedbp.exe
                                                                                                                                                                                                                                        C:\Windows\system32\Aqncedbp.exe
                                                                                                                                                                                                                                        110⤵
                                                                                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                        PID:6008
                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\Aeiofcji.exe
                                                                                                                                                                                                                                          C:\Windows\system32\Aeiofcji.exe
                                                                                                                                                                                                                                          111⤵
                                                                                                                                                                                                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                          • Modifies registry class
                                                                                                                                                                                                                                          PID:6068
                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\Agglboim.exe
                                                                                                                                                                                                                                            C:\Windows\system32\Agglboim.exe
                                                                                                                                                                                                                                            112⤵
                                                                                                                                                                                                                                            • Drops file in System32 directory
                                                                                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                            PID:6116
                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\Afjlnk32.exe
                                                                                                                                                                                                                                              C:\Windows\system32\Afjlnk32.exe
                                                                                                                                                                                                                                              113⤵
                                                                                                                                                                                                                                                PID:5176
                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\Anadoi32.exe
                                                                                                                                                                                                                                                  C:\Windows\system32\Anadoi32.exe
                                                                                                                                                                                                                                                  114⤵
                                                                                                                                                                                                                                                  • Drops file in System32 directory
                                                                                                                                                                                                                                                  PID:5228
                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\Aqppkd32.exe
                                                                                                                                                                                                                                                    C:\Windows\system32\Aqppkd32.exe
                                                                                                                                                                                                                                                    115⤵
                                                                                                                                                                                                                                                    • Modifies registry class
                                                                                                                                                                                                                                                    PID:5304
                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\Aeklkchg.exe
                                                                                                                                                                                                                                                      C:\Windows\system32\Aeklkchg.exe
                                                                                                                                                                                                                                                      116⤵
                                                                                                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                      • Modifies registry class
                                                                                                                                                                                                                                                      PID:5376
                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\Agjhgngj.exe
                                                                                                                                                                                                                                                        C:\Windows\system32\Agjhgngj.exe
                                                                                                                                                                                                                                                        117⤵
                                                                                                                                                                                                                                                          PID:5448
                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\Afmhck32.exe
                                                                                                                                                                                                                                                            C:\Windows\system32\Afmhck32.exe
                                                                                                                                                                                                                                                            118⤵
                                                                                                                                                                                                                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                                            PID:5548
                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\Ajhddjfn.exe
                                                                                                                                                                                                                                                              C:\Windows\system32\Ajhddjfn.exe
                                                                                                                                                                                                                                                              119⤵
                                                                                                                                                                                                                                                              • Drops file in System32 directory
                                                                                                                                                                                                                                                              PID:5692
                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\Aabmqd32.exe
                                                                                                                                                                                                                                                                C:\Windows\system32\Aabmqd32.exe
                                                                                                                                                                                                                                                                120⤵
                                                                                                                                                                                                                                                                • Drops file in System32 directory
                                                                                                                                                                                                                                                                • Modifies registry class
                                                                                                                                                                                                                                                                PID:5760
                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\Acqimo32.exe
                                                                                                                                                                                                                                                                  C:\Windows\system32\Acqimo32.exe
                                                                                                                                                                                                                                                                  121⤵
                                                                                                                                                                                                                                                                    PID:5836
                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\Aglemn32.exe
                                                                                                                                                                                                                                                                      C:\Windows\system32\Aglemn32.exe
                                                                                                                                                                                                                                                                      122⤵
                                                                                                                                                                                                                                                                      • Drops file in System32 directory
                                                                                                                                                                                                                                                                      • Modifies registry class
                                                                                                                                                                                                                                                                      PID:5896
                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\Afoeiklb.exe
                                                                                                                                                                                                                                                                        C:\Windows\system32\Afoeiklb.exe
                                                                                                                                                                                                                                                                        123⤵
                                                                                                                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                        • Modifies registry class
                                                                                                                                                                                                                                                                        PID:5996
                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\Anfmjhmd.exe
                                                                                                                                                                                                                                                                          C:\Windows\system32\Anfmjhmd.exe
                                                                                                                                                                                                                                                                          124⤵
                                                                                                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                          PID:6080
                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\Aadifclh.exe
                                                                                                                                                                                                                                                                            C:\Windows\system32\Aadifclh.exe
                                                                                                                                                                                                                                                                            125⤵
                                                                                                                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                            PID:5132
                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\Accfbokl.exe
                                                                                                                                                                                                                                                                              C:\Windows\system32\Accfbokl.exe
                                                                                                                                                                                                                                                                              126⤵
                                                                                                                                                                                                                                                                              • Modifies registry class
                                                                                                                                                                                                                                                                              PID:5284
                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\Bnhjohkb.exe
                                                                                                                                                                                                                                                                                C:\Windows\system32\Bnhjohkb.exe
                                                                                                                                                                                                                                                                                127⤵
                                                                                                                                                                                                                                                                                  PID:5412
                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\Bagflcje.exe
                                                                                                                                                                                                                                                                                    C:\Windows\system32\Bagflcje.exe
                                                                                                                                                                                                                                                                                    128⤵
                                                                                                                                                                                                                                                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                                                                    PID:5668
                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\Bmngqdpj.exe
                                                                                                                                                                                                                                                                                      C:\Windows\system32\Bmngqdpj.exe
                                                                                                                                                                                                                                                                                      129⤵
                                                                                                                                                                                                                                                                                      • Drops file in System32 directory
                                                                                                                                                                                                                                                                                      PID:5796
                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\Bchomn32.exe
                                                                                                                                                                                                                                                                                        C:\Windows\system32\Bchomn32.exe
                                                                                                                                                                                                                                                                                        130⤵
                                                                                                                                                                                                                                                                                        • Drops file in System32 directory
                                                                                                                                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                        PID:5916
                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\Bgcknmop.exe
                                                                                                                                                                                                                                                                                          C:\Windows\system32\Bgcknmop.exe
                                                                                                                                                                                                                                                                                          131⤵
                                                                                                                                                                                                                                                                                            PID:6028
                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\Bffkij32.exe
                                                                                                                                                                                                                                                                                              C:\Windows\system32\Bffkij32.exe
                                                                                                                                                                                                                                                                                              132⤵
                                                                                                                                                                                                                                                                                                PID:3248
                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\Balpgb32.exe
                                                                                                                                                                                                                                                                                                  C:\Windows\system32\Balpgb32.exe
                                                                                                                                                                                                                                                                                                  133⤵
                                                                                                                                                                                                                                                                                                  • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                  PID:5484
                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\Bfhhoi32.exe
                                                                                                                                                                                                                                                                                                    C:\Windows\system32\Bfhhoi32.exe
                                                                                                                                                                                                                                                                                                    134⤵
                                                                                                                                                                                                                                                                                                      PID:5676
                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\Beihma32.exe
                                                                                                                                                                                                                                                                                                        C:\Windows\system32\Beihma32.exe
                                                                                                                                                                                                                                                                                                        135⤵
                                                                                                                                                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                        • Modifies registry class
                                                                                                                                                                                                                                                                                                        PID:5876
                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\Bhhdil32.exe
                                                                                                                                                                                                                                                                                                          C:\Windows\system32\Bhhdil32.exe
                                                                                                                                                                                                                                                                                                          136⤵
                                                                                                                                                                                                                                                                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                                                                                          • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                          • Modifies registry class
                                                                                                                                                                                                                                                                                                          PID:6104
                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\Bnbmefbg.exe
                                                                                                                                                                                                                                                                                                            C:\Windows\system32\Bnbmefbg.exe
                                                                                                                                                                                                                                                                                                            137⤵
                                                                                                                                                                                                                                                                                                              PID:5360
                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\Bmemac32.exe
                                                                                                                                                                                                                                                                                                                C:\Windows\system32\Bmemac32.exe
                                                                                                                                                                                                                                                                                                                138⤵
                                                                                                                                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                PID:5784
                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\Cfmajipb.exe
                                                                                                                                                                                                                                                                                                                  C:\Windows\system32\Cfmajipb.exe
                                                                                                                                                                                                                                                                                                                  139⤵
                                                                                                                                                                                                                                                                                                                  • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                  PID:6088
                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\Cdabcm32.exe
                                                                                                                                                                                                                                                                                                                    C:\Windows\system32\Cdabcm32.exe
                                                                                                                                                                                                                                                                                                                    140⤵
                                                                                                                                                                                                                                                                                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                                                                                                    PID:5712
                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\Cnffqf32.exe
                                                                                                                                                                                                                                                                                                                      C:\Windows\system32\Cnffqf32.exe
                                                                                                                                                                                                                                                                                                                      141⤵
                                                                                                                                                                                                                                                                                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                                                                                                      • Modifies registry class
                                                                                                                                                                                                                                                                                                                      PID:4408
                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\Cfbkeh32.exe
                                                                                                                                                                                                                                                                                                                        C:\Windows\system32\Cfbkeh32.exe
                                                                                                                                                                                                                                                                                                                        142⤵
                                                                                                                                                                                                                                                                                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                                                                                                        • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                        PID:5156
                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\Cnicfe32.exe
                                                                                                                                                                                                                                                                                                                          C:\Windows\system32\Cnicfe32.exe
                                                                                                                                                                                                                                                                                                                          143⤵
                                                                                                                                                                                                                                                                                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                                                                                                          • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                          PID:5900
                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\Cjpckf32.exe
                                                                                                                                                                                                                                                                                                                            C:\Windows\system32\Cjpckf32.exe
                                                                                                                                                                                                                                                                                                                            144⤵
                                                                                                                                                                                                                                                                                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                            PID:6164
                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\Cmnpgb32.exe
                                                                                                                                                                                                                                                                                                                              C:\Windows\system32\Cmnpgb32.exe
                                                                                                                                                                                                                                                                                                                              145⤵
                                                                                                                                                                                                                                                                                                                              • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                              PID:6208
                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\Chcddk32.exe
                                                                                                                                                                                                                                                                                                                                C:\Windows\system32\Chcddk32.exe
                                                                                                                                                                                                                                                                                                                                146⤵
                                                                                                                                                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                PID:6252
                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\Cjbpaf32.exe
                                                                                                                                                                                                                                                                                                                                  C:\Windows\system32\Cjbpaf32.exe
                                                                                                                                                                                                                                                                                                                                  147⤵
                                                                                                                                                                                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                  • Modifies registry class
                                                                                                                                                                                                                                                                                                                                  PID:6296
                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\Calhnpgn.exe
                                                                                                                                                                                                                                                                                                                                    C:\Windows\system32\Calhnpgn.exe
                                                                                                                                                                                                                                                                                                                                    148⤵
                                                                                                                                                                                                                                                                                                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                                                                                                                    • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                    • Modifies registry class
                                                                                                                                                                                                                                                                                                                                    PID:6340
                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\Ddjejl32.exe
                                                                                                                                                                                                                                                                                                                                      C:\Windows\system32\Ddjejl32.exe
                                                                                                                                                                                                                                                                                                                                      149⤵
                                                                                                                                                                                                                                                                                                                                      • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                      • Modifies registry class
                                                                                                                                                                                                                                                                                                                                      PID:6384
                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\Dfiafg32.exe
                                                                                                                                                                                                                                                                                                                                        C:\Windows\system32\Dfiafg32.exe
                                                                                                                                                                                                                                                                                                                                        150⤵
                                                                                                                                                                                                                                                                                                                                        • Modifies registry class
                                                                                                                                                                                                                                                                                                                                        PID:6428
                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\Dopigd32.exe
                                                                                                                                                                                                                                                                                                                                          C:\Windows\system32\Dopigd32.exe
                                                                                                                                                                                                                                                                                                                                          151⤵
                                                                                                                                                                                                                                                                                                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                                                                                                                          • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                          PID:6468
                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\Danecp32.exe
                                                                                                                                                                                                                                                                                                                                            C:\Windows\system32\Danecp32.exe
                                                                                                                                                                                                                                                                                                                                            152⤵
                                                                                                                                                                                                                                                                                                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                                                                                                                            PID:6516
                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\Djgjlelk.exe
                                                                                                                                                                                                                                                                                                                                              C:\Windows\system32\Djgjlelk.exe
                                                                                                                                                                                                                                                                                                                                              153⤵
                                                                                                                                                                                                                                                                                                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                                                                                                                              PID:6560
                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\Dobfld32.exe
                                                                                                                                                                                                                                                                                                                                                C:\Windows\system32\Dobfld32.exe
                                                                                                                                                                                                                                                                                                                                                154⤵
                                                                                                                                                                                                                                                                                                                                                  PID:6604
                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\Daqbip32.exe
                                                                                                                                                                                                                                                                                                                                                    C:\Windows\system32\Daqbip32.exe
                                                                                                                                                                                                                                                                                                                                                    155⤵
                                                                                                                                                                                                                                                                                                                                                    • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                    PID:6656
                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\Ddonekbl.exe
                                                                                                                                                                                                                                                                                                                                                      C:\Windows\system32\Ddonekbl.exe
                                                                                                                                                                                                                                                                                                                                                      156⤵
                                                                                                                                                                                                                                                                                                                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                                                                                                                                      PID:6716
                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\Dhkjej32.exe
                                                                                                                                                                                                                                                                                                                                                        C:\Windows\system32\Dhkjej32.exe
                                                                                                                                                                                                                                                                                                                                                        157⤵
                                                                                                                                                                                                                                                                                                                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                                                                                                                                        PID:6756
                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\Dkifae32.exe
                                                                                                                                                                                                                                                                                                                                                          C:\Windows\system32\Dkifae32.exe
                                                                                                                                                                                                                                                                                                                                                          158⤵
                                                                                                                                                                                                                                                                                                                                                            PID:6808
                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\Dodbbdbb.exe
                                                                                                                                                                                                                                                                                                                                                              C:\Windows\system32\Dodbbdbb.exe
                                                                                                                                                                                                                                                                                                                                                              159⤵
                                                                                                                                                                                                                                                                                                                                                              • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                              PID:6848
                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\Ddakjkqi.exe
                                                                                                                                                                                                                                                                                                                                                                C:\Windows\system32\Ddakjkqi.exe
                                                                                                                                                                                                                                                                                                                                                                160⤵
                                                                                                                                                                                                                                                                                                                                                                • Modifies registry class
                                                                                                                                                                                                                                                                                                                                                                PID:6896
                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\Dogogcpo.exe
                                                                                                                                                                                                                                                                                                                                                                  C:\Windows\system32\Dogogcpo.exe
                                                                                                                                                                                                                                                                                                                                                                  161⤵
                                                                                                                                                                                                                                                                                                                                                                    PID:6940
                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\Dgbdlf32.exe
                                                                                                                                                                                                                                                                                                                                                                      C:\Windows\system32\Dgbdlf32.exe
                                                                                                                                                                                                                                                                                                                                                                      162⤵
                                                                                                                                                                                                                                                                                                                                                                      • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                                                      PID:6980
                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\Doilmc32.exe
                                                                                                                                                                                                                                                                                                                                                                        C:\Windows\system32\Doilmc32.exe
                                                                                                                                                                                                                                                                                                                                                                        163⤵
                                                                                                                                                                                                                                                                                                                                                                          PID:7024
                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\Dmllipeg.exe
                                                                                                                                                                                                                                                                                                                                                                            C:\Windows\system32\Dmllipeg.exe
                                                                                                                                                                                                                                                                                                                                                                            164⤵
                                                                                                                                                                                                                                                                                                                                                                              PID:7064
                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                                                C:\Windows\SysWOW64\WerFault.exe -u -p 7064 -s 220
                                                                                                                                                                                                                                                                                                                                                                                165⤵
                                                                                                                                                                                                                                                                                                                                                                                • Program crash
                                                                                                                                                                                                                                                                                                                                                                                PID:6172
                                      • C:\Windows\SysWOW64\WerFault.exe
                                        C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 7064 -ip 7064
                                        1⤵
                                          PID:7128

                                        Network

                                        MITRE ATT&CK Enterprise v15

                                        Downloads


                                          615cb034dbf7be0f4a10a99c5b55805a

                                          SHA1

                                          13c5bd62102e7fdc1c33a9947284676caeedf31b

                                          SHA256

                                          4c90c9a16ffc05f422594d1dea7490645a9bc74898ba9c0b2cd5c9ebba5ebe16

                                          SHA512

                                          3cc0c7721c04b71415f19602a9ebdd05f0f8377cdda564dd667a5919021b70cc76fade004ab14d67c5e3436b893d324ef05fe8a484b26c919276085f9b4204eb

                                        • C:\Windows\SysWOW64\Jbjcolha.exe

                                          Filesize

                                          96KB

                                          MD5

                                          4f0de28df5a188055bca3d92b71a820c

                                          SHA1

                                          08b33331f3ee484680f956dbab50fb5f937609e5

                                          SHA256

                                          38c283ca2d0d3f22fa03e641282b4ddeaa48892b45b62055a722581872f07c3f

                                          SHA512

                                          d29947b517f390f3ebb9f8ac0b0d1fa804ec9a67fb596bc669f3a4d15e652d50102f9aa88b4026cd0dd9898422e23317159e04820ae0ddda275f5b42cfb8409c

                                        • C:\Windows\SysWOW64\Jedeph32.exe

                                          Filesize

                                          96KB

                                          MD5

                                          4e4d2b806022005edecbeb8b0c35250f

                                          SHA1

                                          ddec9d9124d01dc9317f4ceef2fe417513f368f7

                                          SHA256

                                          9ea2c1cf979f198d6ef4a5807d83af244318c500030c1bbae97f35fef2b93884

                                          SHA512

                                          024c9e30380ad44b57edd4eaa810aa3461cc4b3a4a1f5b7e14ca7646727f770dfa55a4453c1ee9bd5d48a8296c71e135b8c290a575448d9a69258b3d17a4e664

                                        • C:\Windows\SysWOW64\Jefbfgig.exe

                                          Filesize

                                          96KB

                                          MD5

                                          87681a2cd4f6a64a1b815daab3753720

                                          SHA1

                                          79b5f53ae0b3fd5d7bf7bd5ef12b894b5179151b

                                          SHA256

                                          5011863449c64bbdaac491ea337b84e882b70f91f1010ea5ad235378efcba3e5

                                          SHA512

                                          0689a6eaaca76984af53aae7d324c7226a0b4ef4e837255baa5f4494798b8642e964e9d00bcddb51824a5e1acb4e19fd87d545a7f5a3be2182e891a76e33d016

                                        • C:\Windows\SysWOW64\Jeklag32.exe

                                          Filesize

                                          96KB

                                          MD5

                                          c698bedc3dc1cb7bdff5f3dc9020ffe7

                                          SHA1

                                          ffb5e3bf9f12c92c7c7caa5f8d21efd4a6c2d6a5

                                          SHA256

                                          88c35f240629656f09508a4daf611072424ae5891d0c4e9aa8a78d633d75acdb

                                          SHA512

                                          7f485d37afec1911e987aa9c790710db0f690ca53c12393ed2cae3589adaf1a21ede274f672437422303398c266e4660a58f77aa44292956104a1c06a1e1c8f9

                                        • C:\Windows\SysWOW64\Jfhlejnh.exe

                                          Filesize

                                          96KB

                                          MD5

                                          26f465375f0653ac4e0a4d8e6ff2b939

                                          SHA1

                                          70eead0691828ed29a3a034d0f8fdd0b39242ab7

                                          SHA256

                                          49f0ea0a9dea4a56f243772861af1599345064519d71e55a3a849027295c5381

                                          SHA512

                                          20fb28e2ca32596a2d6b3f99c0b3caef38b7cd59872348e1909178f4d44a35ef3e0ab07bc47914ba247784c846aa52bbc3bc4d9703c0153568b99cd027f5d817

                                        • C:\Windows\SysWOW64\Jianff32.exe

                                          Filesize

                                          96KB

                                          MD5

                                          5e2835e9776ec7390bd4b4da9a3823f3

                                          SHA1

                                          fa5e856581da9922872ed549702fe7cb99d9afac

                                          SHA256

                                          47706ff44a7f6755fbc938edc98eddd82fbed2b0125d99c5d4208d4dfd41648f

                                          SHA512

                                          3b77bff0e64ed8e4b1d7e811e8447839aab76352c6aecba428ece9af746e65ee033c5384b179a17528b6bd768544d060207379824e68878637a6d9e2d248f0db

                                        • C:\Windows\SysWOW64\Jidklf32.exe

                                          Filesize

                                          96KB

                                          MD5

                                          cc113bb776a8a36fbe8ab4e6533358b0

                                          SHA1

                                          f5620d9377378b5d764cc8584a60696e58da8cc5

                                          SHA256

                                          c58d78543a3c6c5c8a689383cc44cf98ffb91f002a6f1b5ed117c8205817aa62

                                          SHA512

                                          ab8626727e6ffbcc8c557e91f257695b73837ebb7886d7c96376a2026ef1c4de255138cd76d20e8b399838f67a09bbff7560352bb2f413273680ec2cd84c9bd2

                                        • C:\Windows\SysWOW64\Jmbdbd32.exe

                                          Filesize

                                          96KB

                                          MD5

                                          92075f0004f3e8ee470585d950c330a0

                                          SHA1

                                          6c7cfef879dc913b859a14695185ae34d0b5bc36

                                          SHA256

                                          71bffc26e42ee8d5aefc85801478482b0c786e7dc2de6a5886624640182e5675

                                          SHA512

                                          7e2daba9a75b45ea7b9090412ac069e61675a4eebd89744f3a6275718fd0b5eca13cdab9f05b1a9d3e0a7b0c6ee2fdc4e6d0dfc7ab13d5be65840326489e95fc

                                        • C:\Windows\SysWOW64\Jpijnqkp.exe

                                          Filesize

                                          96KB

                                          MD5

                                          8843fbc60e45c8a2ba7aab960424e77d

                                          SHA1

                                          b9d48a4a95dd496a8ca4851f281d0f01e952bd65

                                          SHA256

                                          175827f71e6eb7027de04dd37bce17e1aae25820cf097d97715fbe67269b4264

                                          SHA512

                                          4501e1463f32b04e40060cf89362dae694090edf6efb52f106dc3fe36b1e0b872aca2bcb9164494fd4dd8d050df9be723daaa4545b24328e87a5d2be821a871e

                                        • C:\Windows\SysWOW64\Jpnchp32.exe

                                          Filesize

                                          96KB

                                          MD5

                                          7b2be79e1ab8fdfcf4a41763c4c2a3ab

                                          SHA1

                                          9b5f4736ed607abe1d3991b5addf88b9796af4c8

                                          SHA256

                                          92a89651b011551f0cf3d9c96e197f72cc53ca388b1e84cda20a0992f0b4bd85

                                          SHA512

                                          a8e1b29dd8263a1e712bce4eeb9bf8727c7fcdf3b5ca7fc1e87bdee5bcb578cb540de36ab2130ff97710ef0d0a6271ef0ab96abaf7db97ad23f81979ac908643

                                        • C:\Windows\SysWOW64\Jpppnp32.exe

                                          Filesize

                                          96KB

                                          MD5

                                          82e90491595124dadc9776dabf285b7c

                                          SHA1

                                          1bfdf63225b850b41ad52b81b6d8e11d60c4f9f1

                                          SHA256

                                          9387c31bea5c3588292397c03682a1f89a266af0375aca0ea240812bbe47139f

                                          SHA512

                                          4d9fa7ac3c58af9b40d627e4a75cf80ba7f7c5983f07ebd94ad037e1fbfe3da1578d3f29fa0ab424b931bc51a79f2e9550cab2ccbcfc7a8dfb9b8b898e5fa39d

                                        • C:\Windows\SysWOW64\Kboljk32.exe

                                          Filesize

                                          96KB

                                          MD5

                                          35c4db1ec6e705739cd18156c6960350

                                          SHA1

                                          cc4c03f32833784d6d641df1905d8c49ea8c91cc

                                          SHA256

                                          1c0d93b39dbf67c234c4091adec01bc39ab02ad4748026859c5fbebb37dabaca

                                          SHA512

                                          910aec0f3e11b73b713cacee6b50869a25cd39ab4ec7d614fff5de48f71c56c45e81d3248482da4318e183cf9c64893fd59217d22ad3732a687701c8f043309b

                                        • C:\Windows\SysWOW64\Kdqejn32.exe

                                          Filesize

                                          96KB

                                          MD5

                                          c2fb22ef23cc60dfc327b40b3f6d1b77

                                          SHA1

                                          9086599027ca7240a959e8a24ab0292657672f4e

                                          SHA256

                                          7d2029b108384674f01857a5fc85891b76cd4ad712c10fa26a965a7f374b1ee2

                                          SHA512

                                          88640c889ed2ef296f141452444f046e61703dc4b44faaa1f83011c8c5d192ba915e26ff54ee25ca3685a54cb399d1e3f14b56761b95623505e4223cda018f88

                                        • C:\Windows\SysWOW64\Kebbafoj.exe

                                          Filesize

                                          96KB

                                          MD5

                                          40d544f5b12cb8d4774bc828455b0335

                                          SHA1

                                          20b88235b31fc01e676dedafee840cdf8104f110

                                          SHA256

                                          278065cc059197c96c356c634c7ef057ef2de77b91ae1c034fa0c41ff2681d3f

                                          SHA512

                                          ca4f9d28ce8328d22954790655aedc3db175f51d25bf2dd08ad78134bd71be32c7a3ca6342b65ccdc2837ceffdc8ff0b6b68b18511e1ac0016d86f465ffebeee

                                        • C:\Windows\SysWOW64\Kefkme32.exe

                                          Filesize

                                          96KB

                                          MD5

                                          62c3fa1b3c979f4a672965e770551e72

                                          SHA1

                                          ed4b66e0835b09862ab4eb8688359423b62f84c3

                                          SHA256

                                          ecd4f6c465e3d86ec84ff2b298d8af0a05229b8a331ef2d9a290ee42397680c4

                                          SHA512

                                          9379cd554ee99d6c711f697821f7af6a92f9ccc3dba7418dfadb453507d9aaf5e92dee5478046e020cbd5453165640ee70a42d6c66d926292f6b298c662fd89c

                                        • C:\Windows\SysWOW64\Kfmepi32.exe

                                          Filesize

                                          96KB

                                          MD5

                                          6941dfce7324461882a4dc3099c9fd5f

                                          SHA1

                                          ba7e02587e9b03f22f1b1ca42b5be09b372ca71a

                                          SHA256

                                          90012705b3bc656eb2ffcb83738463271091db6f2647264c4bc78e13b6d31aa4

                                          SHA512

                                          0158de8a2923615442f7e28b754d11d74d72c6d980428d686aa300e9c5a3bb1e1499ea8b6ad209a6acea6e7ffbe80ec59943a6a648c386ca7aaf620a671973df

                                        • C:\Windows\SysWOW64\Kipkhdeq.exe

                                          Filesize

                                          96KB

                                          MD5

                                          312fdfc4fadecac0f882f9f55142a2a4

                                          SHA1

                                          3bda38c90d68b8c4e7858938c4f93aa64935ba79

                                          SHA256

                                          1a9e7283ea6541f3ab298e88be232ea68259bcfee7c93da8e8cfef04933345ae

                                          SHA512

                                          5b44610a33ccee361501429aa978ea4a35efa3bb824cfdada5c8903065f3706a24ef97a94c8e511c0e12fc4c9eb0af33ea301b5b53be4114cf9cb567860276a9

                                        • C:\Windows\SysWOW64\Klgqcqkl.exe

                                          Filesize

                                          96KB

                                          MD5

                                          f0c409657fcc50e6ca44d97e889207e2

                                          SHA1

                                          b1912c6f93d976bb77075fc96e966344e3ef3ffd

                                          SHA256

                                          ae2c440941b752f05740ff13282c43fae16124623938668b95e345de9955f25d

                                          SHA512

                                          c00ee6df79750a49c457a1df1fc232bb3c334caaf3afc01cc43337f20a2249f7db323b0416d04f2c96f33289a7c536a9dca5b15584f6522b7170a688a7efb16a

                                        • C:\Windows\SysWOW64\Kmfmmcbo.exe

                                          Filesize

                                          96KB

                                          MD5

                                          85df14e98236c99d3d92e18722944eb7

                                          SHA1

                                          117a34b102303c6845dcf99150c95fe7cdfbf52d

                                          SHA256

                                          8822b48d45731730bb59bf64b159f33f39db3990c79119308c31a6fdf3a8bc3c

                                          SHA512

                                          93288e1234168d1e05064770c80d4cad0eb8881f00bb9df9e7a28eae5cb968e2da5feeac2e5f07d2e75a5b176f56bad79c41335c8afed7d1bb2754ef7e836a92

                                        • C:\Windows\SysWOW64\Kmijbcpl.exe

                                          Filesize

                                          96KB

                                          MD5

                                          09bb632d9d6c1977899b987765a63b53

                                          SHA1

                                          00afc20797e13169dc0cc8b5ec2c7309e8892bb9

                                          SHA256

                                          95affbb70873fbf0157362bf245f391aff9ec8a00feef67cee3bdeb2d53639e0

                                          SHA512

                                          9ff6fb39af66fc7e6a2e123a7c3914c4ed07550e7a8098b19baf2fb95bf431d644f2f4a8ca3733c0326cde2abe5c1eba2b13a95078eba7519275275dadb1f64a

                                        • C:\Windows\SysWOW64\Kmkfhc32.exe

                                          Filesize

                                          96KB

                                          MD5

                                          43221d2e62832d67d640f1b58ffb5413

                                          SHA1

                                          41b83adcb4cd0ae4cd3e024a08d23e0e9871e9ac

                                          SHA256

                                          581c0cf1b3d8c4df4d594d89debaf002563e45f3da97435da89a93891f42ab8f

                                          SHA512

                                          96bc976e68f1ad5e87508b6985cb6df4e7457e68bcc298cca532d5064d09db74dea13c7b64fcd8304160a1db7d34f223ec4f93d6f2e66841ca4895e5f932fbfe

                                        • C:\Windows\SysWOW64\Kpgfooop.exe

                                          Filesize

                                          96KB

                                          MD5

                                          1708d2713d2011e27a0bea2d87bd7e15

                                          SHA1

                                          2cce064e72f84f7ba45d610d503101c83fec8009

                                          SHA256

                                          cb735342a870b23a70c02c179d7a9bbc2bec15b6cbfd821a27dd13547407791b

                                          SHA512

                                          6d91af71c37934380b79063a9b28b6f98566946a40192b9058110296dc8a74dd12b7217bb59818d0441140c4f26860d7f87051d96098c7b3d632b6168c30b843

                                        • C:\Windows\SysWOW64\Kpjcdn32.exe

                                          Filesize

                                          96KB

                                          MD5

                                          e64fb2ec72da18380183659626ef6dec

                                          SHA1

                                          d41310c62c82075185221c995ca7225e2c8392b8

                                          SHA256

                                          42ec78a054c16d7ed4c4d3f9814291576c38006e3d9f1d953354497f7d4e0eb5

                                          SHA512

                                          2f39c6df2c66baa12c2d57ecef6491b6faa994dafb517cb6a5fa08346458e398398a8e5193d2d4d8cda6193cdcc5b6251a2901f3785368adf13da4f9acf4ca77

                                        • C:\Windows\SysWOW64\Kplpjn32.exe

                                          Filesize

                                          96KB

                                          MD5

                                          20535bee4b840c5968d62db45d0d816b

                                          SHA1

                                          a8aaf3ef505ba15c6446fd5eb600d35473f5d01f

                                          SHA256

                                          759116c6aedb17290e1065289527e6706fb5f628c0b1d9428321b85939ab0245

                                          SHA512

                                          6dbf50dc0ce63a864bbc140c2b93c35747cd3139018c661bbbd5078914b98d04f5587b42f4e2938b9adc511db7245c2b4c822ea631518515aecebb4a4c80cf9e

                                        • C:\Windows\SysWOW64\Lbmhlihl.exe

                                          Filesize

                                          96KB

                                          MD5

                                          0a968134eff5dcf15fb25e01e7636b1f

                                          SHA1

                                          1812220fb8c9f8913a2f060de546f78c41b5d8a7

                                          SHA256

                                          afb7d30fb6214a20d4157ae99160f5321e61c85f4adf9a203606c771d6ae4537

                                          SHA512

                                          989007261bbe26b280f0ea01d5b420ce0b41d5cbbbac6d96035659863206c5724bc0d802e411c93a9d5d1fbabfd9d60edf7a54f13b5dc50702dc5c44c2aad964

                                        • C:\Windows\SysWOW64\Ldleel32.exe

                                          Filesize

                                          96KB

                                          MD5

                                          5dc88b735f88c68c3e89a98f3da8b71c

                                          SHA1

                                          174e83cafdf8ca61d258a1af93983cc194e28924

                                          SHA256

                                          b0464219988040d12aa83ca67f6d8cca0b5d11569e0648a0bec3bcc35fcb9966

                                          SHA512

                                          ad490b7ced23089a37c9da2bd0f48c5a52448cc32a078d04cc26e88d5015cc7beaf2deb7fd56fed94eb0315494eac28dfd6b291cd73d0d755441cc1f9fb39d59

                                        • C:\Windows\SysWOW64\Ldoaklml.exe

                                          Filesize

                                          96KB

                                          MD5

                                          14d90a2026c7d62eb00afc92b1651eb5

                                          SHA1

                                          6900d8470c38f22feb91aaeb9ec3b2a553311137

                                          SHA256

                                          a33276cd29eb9445203180f507b4298dbdd3baaad1d078c829adf4719a616865

                                          SHA512

                                          78565285ad98b59dbc8f2cf81b86ca7d41b5cb93beed5384febcd8f52b96639d59ab079f9c4151ba712d2ddb0215fc13541b6ae9bc0e74ece916f23af337b191

                                        • C:\Windows\SysWOW64\Lffhfh32.exe

                                          Filesize

                                          96KB

                                          MD5

                                          df2a7ba548b5af29343a445b20618043

                                          SHA1

                                          326643957ef1f94c0aa248503cf89c96c3b40954

                                          SHA256

                                          1eed057516fa068dfe2bd091d1df7916fb0308860972a106cd6abc9adb6989f7

                                          SHA512

                                          1260e93f1d97524a0b58f215998212abd040f921fb0afc5edd20d7d7ef2b6586ccdff29f8a29e5f7fa2b58a8cdeda491fa1983a97b93c03427c787e6a5ffd3b8

                                        • C:\Windows\SysWOW64\Ligqhc32.exe

                                          Filesize

                                          96KB

                                          MD5

                                          0086bcbe50eb36f441a52cfbab34e7ba

                                          SHA1

                                          07e805f20b88da4a2051afff6221b392f4d03773

                                          SHA256

                                          235d7cf488ebae2dc1c7e71e7a31355108c932711109d3965273cf48a7aba041

                                          SHA512

                                          89cdea4b4bc255e8c5c9cba3faa2c5a6eaf04dca647154ba43583b8cd6348821d479702226472f0a54fb87a216dcd6dba439b4ee464f0af9fd2764dfad230658

                                        • C:\Windows\SysWOW64\Liimncmf.exe

                                          Filesize

                                          96KB

                                          MD5

                                          e55bcedf77cc7f8ee08a82f66a5fc4a2

                                          SHA1

                                          761d4c1c8214766b003638d04c2e2c768999b0c8

                                          SHA256

                                          f5fd776ff8e8e84e6dc6bc4885cf6b67bf54c02aed707fa59909967dc3da6a1e

                                          SHA512

                                          8bda667313aa00fdf2c2362d59021c3dea655ed49e8a6aa1e59072780fde0575c59edf1486917dd088269fbe7e0189643260e2687c1e9af12169ed67ef615df7

                                        • C:\Windows\SysWOW64\Llgjjnlj.exe

                                          Filesize

                                          96KB

                                          MD5

                                          065704d11e33a35e939c4ba9b884cc03

                                          SHA1

                                          70d463b00f386ce70d6a9b548d458bac5b86b1dc

                                          SHA256

                                          6f1389b3c5937127491991df6b4a346b8f59cd9734c7078c94baba81cac4f41b

                                          SHA512

                                          1ee050394fa78ff3b754ebf200e6b017ac16980b841d4f91a58140c0caa8a667a2aaebd067d772db8706bc99b2ae9c425498818573602cfe1b2aa5dad0098bc6

                                        • C:\Windows\SysWOW64\Lmppcbjd.exe

                                          Filesize

                                          96KB

                                          MD5

                                          2ba21bfd46d6173d1e5d173b7523fb14

                                          SHA1

                                          bdd32600f93910da9c16024c79a1a374ee1064ed

                                          SHA256

                                          3e0f108ae477cc5b235df0a609c756f911053b24b9547d14a9959debb5f16674

                                          SHA512

                                          9626094107d9fbc1598b417e7e1a06e401b3f6cdbbaa4a531610194381f655dcd2e6e1f1164cc8256f30876fbdad324988b681fe6b7132bbd0fccff620997048

                                        • C:\Windows\SysWOW64\Mdhdajea.exe

                                          Filesize

                                          96KB

                                          MD5

                                          73f09a1e1dff93132715d12ddec207da

                                          SHA1

                                          f0ab1b39497fb89f10d77cb3b16d503c5898609d

                                          SHA256

                                          69d9b0022f1b861209eb2284df846af45cf6d9c1de5faa5862d256a306e1b423

                                          SHA512

                                          7b6dbb520a0b121ff5f189c5863b5d8cad5a2942c8d110da57e47e5ec85288273edf8e7492a2baed4cc5f5a5125d0041f1d9c35df2cd7f0e31edda27d29a636a

                                        • C:\Windows\SysWOW64\Mlopkm32.exe

                                          Filesize

                                          64KB

                                          MD5

                                          7e1ea26be86c34ddf42e698de6e4e67b

                                          SHA1

                                          f40e459507eb1f9fe379bca993a6b6321d3a8751

                                          SHA256

                                          0c688de5195a5f60e6622733a2714a35c287c8ed77dfe645ba540b9bbf8d2aad

                                          SHA512
