0159dd44b9fdec419bc32b8538bd1a38e1ce37cb27f5a2c464e174698bd302e7

Analysis

max time kernel
149s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
07/11/2022, 04:44

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0159dd44b9fdec419bc32b8538bd1a38e1ce37cb27f5a2c464e174698bd302e7.exe
Size

50KB
MD5

0eb636c2d23e0a633f14bbc2fd606b20
SHA1

bfcd45fa874683f1263312462d3db6fc9f346ad4
SHA256

0159dd44b9fdec419bc32b8538bd1a38e1ce37cb27f5a2c464e174698bd302e7
SHA512

85e72228c4b485d1286c0e896b298b1faf533fa39c396acd6dd1a7074034cde5699a00e2eb2ae2269c7c752cd0e7f90f0121ab96301ef06826ab0f7f2d948f68
SSDEEP

768:6kwBZx09Jf9FWTbcsqIUCVZfexxe3d/8XOPzHHag7ln3nf/IGqQ+X+FPK7WES/1E:6kwBEnP8cdEeCpHaghn3XCXOKavk

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hdahke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Donmbfgm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ggcjkoml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hnfeng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifkmihbo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fpqcncgg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkalajgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Abaadj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnphha32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcmqphhf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bljodmja.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dqhpai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fnofgk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmnfnfnf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dqigkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fnnqla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Imeeeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ejmdemoh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ggcjkoml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgcohjmn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deimgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hnblchqd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Faepnlnq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Clcajlbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gplbjamj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjimhifh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmpcce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Faepnlnq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gaglck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Idkkad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ccnjgf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfeiip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmankjff.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ggoapp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Haeajc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hdfklnic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Khcpenhc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bljodmja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eqbcghjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fpnfic32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hhmmameb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bklflk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hlfcgc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eqfmbg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fnofgk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hnblchqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjkinide.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fhkopf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Khcpenhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amdilc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cphgjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Encgkmkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gpjfdbom.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gaglck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hajbpi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmacejam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amblfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dcgmme32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjkqgk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqpfahlm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmeloe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Haeajc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dcegbk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Glpmfdia.exe

Executes dropped EXE 64 IoCs

pid	Process
2508	Bklflk32.exe
2032	Cmpoic32.exe
3204	Cmblob32.exe
3896	Cdkpfpfd.exe
2872	Djmbif32.exe
3844	Dcegbk32.exe
3984	Dqigkp32.exe
348	Dgcohjmn.exe
4412	Degpanlg.exe
1988	Dnpdjcch.exe
3216	Deimgn32.exe
4744	Ekcedhaa.exe
4400	Ecoihjol.exe
952	Eabjan32.exe
1108	Ejkojddf.exe
552	Eecoml32.exe
4116	Eeelcl32.exe
4184	Fnnqla32.exe
3724	Fegihlnd.exe
3908	Fcmfih32.exe
4632	Fjfnfbji.exe
732	Faqfclaf.exe
2780	Fhkopf32.exe
2152	Feooik32.exe
2744	Faepnlnq.exe
3380	Gjndgada.exe
4188	Gaglck32.exe
4552	Golmmp32.exe
2432	Glpmfdia.exe
4820	Gonibohe.exe
4972	Gjdjgp32.exe
1280	Gobcno32.exe
768	Hlfcgc32.exe
4784	Hdahke32.exe
5068	Hafieion.exe
3592	Hecakh32.exe
4540	Hlnihbma.exe
4424	Hajbpi32.exe
3284	Hmacejam.exe
1092	Idkkad32.exe
1316	Imcpji32.exe
4532	Idmhgcfg.exe
4960	Ikgpdn32.exe
484	Inflpi32.exe
1568	Ilglnqeg.exe
1776	Inhiei32.exe
3756	Iafalg32.exe
5012	Iddnhb32.exe
2316	Jedjbe32.exe
4548	Jdigcalj.exe
3772	Jkelelad.exe
5064	Jnfeggoe.exe
1372	Jdpmcq32.exe
3328	Kfpjnc32.exe
3748	Kljbjnea.exe
4620	Kohnfide.exe
4728	Kfbfcc32.exe
4256	Khcpenhc.exe
4428	Kkalajgf.exe
3648	Kdlmoold.exe
4892	Pbfahl32.exe
3996	Qefkjg32.exe
2548	Qeigpfgo.exe
2640	Amblfc32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Hecakh32.exe	Hafieion.exe
File created	C:\Windows\SysWOW64\Abaadj32.exe	Amdilc32.exe
File created	C:\Windows\SysWOW64\Bodaei32.exe	Bnbemagl.exe
File created	C:\Windows\SysWOW64\Pdnkib32.dll	Fpqcncgg.exe
File created	C:\Windows\SysWOW64\Cfepbboo.exe	Ccfcfg32.exe
File created	C:\Windows\SysWOW64\Plpfmhnn.dll	Copaqh32.exe
File created	C:\Windows\SysWOW64\Gjmmlk32.exe	Ggoapp32.exe
File created	C:\Windows\SysWOW64\Ohgmcihl.dll	Hpeeppdp.exe
File opened for modification	C:\Windows\SysWOW64\Dfclcqbo.exe	Cncndo32.exe
File created	C:\Windows\SysWOW64\Hmeloe32.exe	Hnblchqd.exe
File created	C:\Windows\SysWOW64\Ipcaan32.exe	Imeeeb32.exe
File opened for modification	C:\Windows\SysWOW64\Deimgn32.exe	Dnpdjcch.exe
File created	C:\Windows\SysWOW64\Hafieion.exe	Hdahke32.exe
File created	C:\Windows\SysWOW64\Hdeocc32.dll	Apeannam.exe
File opened for modification	C:\Windows\SysWOW64\Cjnomaik.exe	Bljodmja.exe
File opened for modification	C:\Windows\SysWOW64\Gaglck32.exe	Gjndgada.exe
File opened for modification	C:\Windows\SysWOW64\Eqbcghjj.exe	Encgkmkg.exe
File created	C:\Windows\SysWOW64\Lemomfoe.dll	Ggoapp32.exe
File opened for modification	C:\Windows\SysWOW64\Iddnhb32.exe	Iafalg32.exe
File created	C:\Windows\SysWOW64\Fcqhjakk.exe	Fablnflh.exe
File created	C:\Windows\SysWOW64\Klhhlkea.dll	Gjaggjlp.exe
File created	C:\Windows\SysWOW64\Gjdcmj32.exe	Ghegao32.exe
File opened for modification	C:\Windows\SysWOW64\Ccnjgf32.exe	Clcajlbf.exe
File opened for modification	C:\Windows\SysWOW64\Idmamm32.exe	Hdfklnic.exe
File created	C:\Windows\SysWOW64\Gpoacm32.dll	Idkkad32.exe
File created	C:\Windows\SysWOW64\Fjhdal32.exe	Fgjgepeg.exe
File created	C:\Windows\SysWOW64\Mmpmidap.dll	Fjkqgk32.exe
File opened for modification	C:\Windows\SysWOW64\Dnpdjcch.exe	Degpanlg.exe
File opened for modification	C:\Windows\SysWOW64\Imcpji32.exe	Idkkad32.exe
File opened for modification	C:\Windows\SysWOW64\Ilglnqeg.exe	Inflpi32.exe
File opened for modification	C:\Windows\SysWOW64\Jnfeggoe.exe	Jkelelad.exe
File created	C:\Windows\SysWOW64\Gbhing32.dll	Donmbfgm.exe
File created	C:\Windows\SysWOW64\Fnaclk32.exe	Ffjkkm32.exe
File created	C:\Windows\SysWOW64\Golmmp32.exe	Gaglck32.exe
File opened for modification	C:\Windows\SysWOW64\Fjfnfbji.exe	Fcmfih32.exe
File created	C:\Windows\SysWOW64\Imcpji32.exe	Idkkad32.exe
File created	C:\Windows\SysWOW64\Fpgflq32.dll	Iddnhb32.exe
File created	C:\Windows\SysWOW64\Cjnomaik.exe	Bljodmja.exe
File created	C:\Windows\SysWOW64\Inflpi32.exe	Ikgpdn32.exe
File opened for modification	C:\Windows\SysWOW64\Kdlmoold.exe	Kkalajgf.exe
File created	C:\Windows\SysWOW64\Qnienneo.dll	Cjchha32.exe
File opened for modification	C:\Windows\SysWOW64\Cncndo32.exe	Ccnjgf32.exe
File created	C:\Windows\SysWOW64\Gpgiob32.exe	Gmimcg32.exe
File created	C:\Windows\SysWOW64\Fcmfih32.exe	Fegihlnd.exe
File created	C:\Windows\SysWOW64\Fbdifn32.dll	Hafieion.exe
File created	C:\Windows\SysWOW64\Jnfeggoe.exe	Jkelelad.exe
File created	C:\Windows\SysWOW64\Kldekbfi.dll	Dfheop32.exe
File opened for modification	C:\Windows\SysWOW64\Egnhibpd.exe	Eqdpmh32.exe
File created	C:\Windows\SysWOW64\Koqnnf32.dll	Fplicd32.exe
File opened for modification	C:\Windows\SysWOW64\Cmblob32.exe	Cmpoic32.exe
File opened for modification	C:\Windows\SysWOW64\Idmhgcfg.exe	Imcpji32.exe
File created	C:\Windows\SysWOW64\Kohnfide.exe	Kljbjnea.exe
File opened for modification	C:\Windows\SysWOW64\Gmimcg32.exe	Fjkqgk32.exe
File created	C:\Windows\SysWOW64\Cbqpafdl.dll	Glpmfdia.exe
File created	C:\Windows\SysWOW64\Jiphaoab.dll	0159dd44b9fdec419bc32b8538bd1a38e1ce37cb27f5a2c464e174698bd302e7.exe
File opened for modification	C:\Windows\SysWOW64\Feooik32.exe	Fhkopf32.exe
File opened for modification	C:\Windows\SysWOW64\Gjndgada.exe	Faepnlnq.exe
File created	C:\Windows\SysWOW64\Lfamnfdp.dll	Qeigpfgo.exe
File created	C:\Windows\SysWOW64\Opkpkh32.dll	Gplbjamj.exe
File opened for modification	C:\Windows\SysWOW64\Ikgpdn32.exe	Idmhgcfg.exe
File created	C:\Windows\SysWOW64\Cknbfd32.dll	Ecpocc32.exe
File created	C:\Windows\SysWOW64\Kpaaah32.dll	Fgenjqil.exe
File created	C:\Windows\SysWOW64\Gfkdbkpa.exe	Gpaleq32.exe
File created	C:\Windows\SysWOW64\Hafnbmbf.dll	Cfepbboo.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6040	5972	WerFault.exe	238

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fnnqla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhkhba32.dll"	Ccfcfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnnobc32.dll"	Gjdcmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpgccmdn.dll"	Hjkinide.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bklflk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Khcpenhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oabghefk.dll"	Encgkmkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fpcpdcee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gjdcmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knejehee.dll"	Bklflk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Degpanlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jqooceii.dll"	Cmpoic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbhnihdi.dll"	Ecoihjol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eecoml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Egnhibpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncdpkp32.dll"	Iafalg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddgbpkcj.dll"	Hnfeng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmpoic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Keippf32.dll"	Feooik32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjocbc32.dll"	Hajbpi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amlmgl32.dll"	Kohnfide.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fpcpdcee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Meajlb32.dll"	Eecoml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jojgmdbj.dll"	Boohjjap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ccfcfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ejmdemoh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gobcno32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfeiip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbafod32.dll"	Haeajc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ipcaan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Angljiji.dll"	Degpanlg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hmacejam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgpkemkf.dll"	Fgjgepeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ggoapp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgcohjmn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eggbic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eqpfahlm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Idmamm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hnfeng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lejahfjp.dll"	Fjfnfbji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Golmmp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ilglnqeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gmkihfpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efbacc32.dll"	Hmgiddel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dnpdjcch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fcmfih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjchha32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dqigkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Apeannam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gpjfdbom.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	0159dd44b9fdec419bc32b8538bd1a38e1ce37cb27f5a2c464e174698bd302e7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eqfmbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hnblchqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Imeeeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hajbpi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qeigpfgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmdaji32.dll"	Abaadj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dcgmme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Migpkfbb.dll"	Hdfklnic.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agafph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdgeck32.dll"	Ejmdemoh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Idmamm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdlmoold.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fjkqgk32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2348 wrote to memory of 2508	2348	0159dd44b9fdec419bc32b8538bd1a38e1ce37cb27f5a2c464e174698bd302e7.exe	82
PID 2348 wrote to memory of 2508	2348	0159dd44b9fdec419bc32b8538bd1a38e1ce37cb27f5a2c464e174698bd302e7.exe	82
PID 2348 wrote to memory of 2508	2348	0159dd44b9fdec419bc32b8538bd1a38e1ce37cb27f5a2c464e174698bd302e7.exe	82
PID 2508 wrote to memory of 2032	2508	Bklflk32.exe	83
PID 2508 wrote to memory of 2032	2508	Bklflk32.exe	83
PID 2508 wrote to memory of 2032	2508	Bklflk32.exe	83
PID 2032 wrote to memory of 3204	2032	Cmpoic32.exe	84
PID 2032 wrote to memory of 3204	2032	Cmpoic32.exe	84
PID 2032 wrote to memory of 3204	2032	Cmpoic32.exe	84
PID 3204 wrote to memory of 3896	3204	Cmblob32.exe	85
PID 3204 wrote to memory of 3896	3204	Cmblob32.exe	85
PID 3204 wrote to memory of 3896	3204	Cmblob32.exe	85
PID 3896 wrote to memory of 2872	3896	Cdkpfpfd.exe	86
PID 3896 wrote to memory of 2872	3896	Cdkpfpfd.exe	86
PID 3896 wrote to memory of 2872	3896	Cdkpfpfd.exe	86
PID 2872 wrote to memory of 3844	2872	Djmbif32.exe	87
PID 2872 wrote to memory of 3844	2872	Djmbif32.exe	87
PID 2872 wrote to memory of 3844	2872	Djmbif32.exe	87
PID 3844 wrote to memory of 3984	3844	Dcegbk32.exe	88
PID 3844 wrote to memory of 3984	3844	Dcegbk32.exe	88
PID 3844 wrote to memory of 3984	3844	Dcegbk32.exe	88
PID 3984 wrote to memory of 348	3984	Dqigkp32.exe	89
PID 3984 wrote to memory of 348	3984	Dqigkp32.exe	89
PID 3984 wrote to memory of 348	3984	Dqigkp32.exe	89
PID 348 wrote to memory of 4412	348	Dgcohjmn.exe	90
PID 348 wrote to memory of 4412	348	Dgcohjmn.exe	90
PID 348 wrote to memory of 4412	348	Dgcohjmn.exe	90
PID 4412 wrote to memory of 1988	4412	Degpanlg.exe	91
PID 4412 wrote to memory of 1988	4412	Degpanlg.exe	91
PID 4412 wrote to memory of 1988	4412	Degpanlg.exe	91
PID 1988 wrote to memory of 3216	1988	Dnpdjcch.exe	92
PID 1988 wrote to memory of 3216	1988	Dnpdjcch.exe	92
PID 1988 wrote to memory of 3216	1988	Dnpdjcch.exe	92
PID 3216 wrote to memory of 4744	3216	Deimgn32.exe	93
PID 3216 wrote to memory of 4744	3216	Deimgn32.exe	93
PID 3216 wrote to memory of 4744	3216	Deimgn32.exe	93
PID 4744 wrote to memory of 4400	4744	Ekcedhaa.exe	94
PID 4744 wrote to memory of 4400	4744	Ekcedhaa.exe	94
PID 4744 wrote to memory of 4400	4744	Ekcedhaa.exe	94
PID 4400 wrote to memory of 952	4400	Ecoihjol.exe	95
PID 4400 wrote to memory of 952	4400	Ecoihjol.exe	95
PID 4400 wrote to memory of 952	4400	Ecoihjol.exe	95
PID 952 wrote to memory of 1108	952	Eabjan32.exe	96
PID 952 wrote to memory of 1108	952	Eabjan32.exe	96
PID 952 wrote to memory of 1108	952	Eabjan32.exe	96
PID 1108 wrote to memory of 552	1108	Ejkojddf.exe	97
PID 1108 wrote to memory of 552	1108	Ejkojddf.exe	97
PID 1108 wrote to memory of 552	1108	Ejkojddf.exe	97
PID 552 wrote to memory of 4116	552	Eecoml32.exe	98
PID 552 wrote to memory of 4116	552	Eecoml32.exe	98
PID 552 wrote to memory of 4116	552	Eecoml32.exe	98
PID 4116 wrote to memory of 4184	4116	Eeelcl32.exe	99
PID 4116 wrote to memory of 4184	4116	Eeelcl32.exe	99
PID 4116 wrote to memory of 4184	4116	Eeelcl32.exe	99
PID 4184 wrote to memory of 3724	4184	Fnnqla32.exe	100
PID 4184 wrote to memory of 3724	4184	Fnnqla32.exe	100
PID 4184 wrote to memory of 3724	4184	Fnnqla32.exe	100
PID 3724 wrote to memory of 3908	3724	Fegihlnd.exe	101
PID 3724 wrote to memory of 3908	3724	Fegihlnd.exe	101
PID 3724 wrote to memory of 3908	3724	Fegihlnd.exe	101
PID 3908 wrote to memory of 4632	3908	Fcmfih32.exe	102
PID 3908 wrote to memory of 4632	3908	Fcmfih32.exe	102
PID 3908 wrote to memory of 4632	3908	Fcmfih32.exe	102
PID 4632 wrote to memory of 732	4632	Fjfnfbji.exe	103

C:\Users\Admin\AppData\Local\Temp\0159dd44b9fdec419bc32b8538bd1a38e1ce37cb27f5a2c464e174698bd302e7.exe
"C:\Users\Admin\AppData\Local\Temp\0159dd44b9fdec419bc32b8538bd1a38e1ce37cb27f5a2c464e174698bd302e7.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2348
- C:\Windows\SysWOW64\Bklflk32.exe
  C:\Windows\system32\Bklflk32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2508
- - C:\Windows\SysWOW64\Cmpoic32.exe
    C:\Windows\system32\Cmpoic32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2032
  - - C:\Windows\SysWOW64\Cmblob32.exe
      C:\Windows\system32\Cmblob32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3204
    - - C:\Windows\SysWOW64\Cdkpfpfd.exe
        
        C:\Windows\system32\Cdkpfpfd.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3896
      - C:\Windows\SysWOW64\Djmbif32.exe
        
        C:\Windows\system32\Djmbif32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2872
        
        C:\Windows\SysWOW64\Dcegbk32.exe
        
        C:\Windows\system32\Dcegbk32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3844
        
        C:\Windows\SysWOW64\Dqigkp32.exe
        
        C:\Windows\system32\Dqigkp32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3984
        
        C:\Windows\SysWOW64\Dgcohjmn.exe
        
        C:\Windows\system32\Dgcohjmn.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:348
        
        C:\Windows\SysWOW64\Degpanlg.exe
        
        C:\Windows\system32\Degpanlg.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4412
        
        C:\Windows\SysWOW64\Dnpdjcch.exe
        
        C:\Windows\system32\Dnpdjcch.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1988
        
        C:\Windows\SysWOW64\Deimgn32.exe
        
        C:\Windows\system32\Deimgn32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3216
        
        C:\Windows\SysWOW64\Ekcedhaa.exe
        
        C:\Windows\system32\Ekcedhaa.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4744
        
        C:\Windows\SysWOW64\Ecoihjol.exe
        
        C:\Windows\system32\Ecoihjol.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4400
        
        C:\Windows\SysWOW64\Eabjan32.exe
        
        C:\Windows\system32\Eabjan32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:952
        
        C:\Windows\SysWOW64\Ejkojddf.exe
        
        C:\Windows\system32\Ejkojddf.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1108
        
        C:\Windows\SysWOW64\Eecoml32.exe
        
        C:\Windows\system32\Eecoml32.exe
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:552
        
        C:\Windows\SysWOW64\Eeelcl32.exe
        
        C:\Windows\system32\Eeelcl32.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4116
        
        C:\Windows\SysWOW64\Fnnqla32.exe
        
        C:\Windows\system32\Fnnqla32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4184
        
        C:\Windows\SysWOW64\Fegihlnd.exe
        
        C:\Windows\system32\Fegihlnd.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3724
        
        C:\Windows\SysWOW64\Fcmfih32.exe
        
        C:\Windows\system32\Fcmfih32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3908
        
        C:\Windows\SysWOW64\Fjfnfbji.exe
        
        C:\Windows\system32\Fjfnfbji.exe
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4632
        
        C:\Windows\SysWOW64\Faqfclaf.exe
        
        C:\Windows\system32\Faqfclaf.exe
        23⤵
        Executes dropped EXE
        
        PID:732
        
        C:\Windows\SysWOW64\Fhkopf32.exe
        
        C:\Windows\system32\Fhkopf32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2780
        
        C:\Windows\SysWOW64\Feooik32.exe
        
        C:\Windows\system32\Feooik32.exe
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2152
        
        C:\Windows\SysWOW64\Faepnlnq.exe
        
        C:\Windows\system32\Faepnlnq.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2744
        
        C:\Windows\SysWOW64\Gjndgada.exe
        
        C:\Windows\system32\Gjndgada.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3380
        
        C:\Windows\SysWOW64\Gaglck32.exe
        
        C:\Windows\system32\Gaglck32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4188
        
        C:\Windows\SysWOW64\Golmmp32.exe
        
        C:\Windows\system32\Golmmp32.exe
        29⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4552
        
        C:\Windows\SysWOW64\Glpmfdia.exe
        
        C:\Windows\system32\Glpmfdia.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2432
        
        C:\Windows\SysWOW64\Gonibohe.exe
        
        C:\Windows\system32\Gonibohe.exe
        31⤵
        Executes dropped EXE
        
        PID:4820
        
        C:\Windows\SysWOW64\Gjdjgp32.exe
        
        C:\Windows\system32\Gjdjgp32.exe
        32⤵
        Executes dropped EXE
        
        PID:4972
        
        C:\Windows\SysWOW64\Gobcno32.exe
        
        C:\Windows\system32\Gobcno32.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1280
        
        C:\Windows\SysWOW64\Hlfcgc32.exe
        
        C:\Windows\system32\Hlfcgc32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:768
        
        C:\Windows\SysWOW64\Hdahke32.exe
        
        C:\Windows\system32\Hdahke32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4784
        
        C:\Windows\SysWOW64\Hafieion.exe
        
        C:\Windows\system32\Hafieion.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5068
        
        C:\Windows\SysWOW64\Hecakh32.exe
        
        C:\Windows\system32\Hecakh32.exe
        37⤵
        Executes dropped EXE
        
        PID:3592
        
        C:\Windows\SysWOW64\Hlnihbma.exe
        
        C:\Windows\system32\Hlnihbma.exe
        38⤵
        Executes dropped EXE
        
        PID:4540
        
        C:\Windows\SysWOW64\Hajbpi32.exe
        
        C:\Windows\system32\Hajbpi32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4424
        
        C:\Windows\SysWOW64\Hmacejam.exe
        
        C:\Windows\system32\Hmacejam.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3284
        
        C:\Windows\SysWOW64\Idkkad32.exe
        
        C:\Windows\system32\Idkkad32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1092
        
        C:\Windows\SysWOW64\Imcpji32.exe
        
        C:\Windows\system32\Imcpji32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1316
        
        C:\Windows\SysWOW64\Idmhgcfg.exe
        
        C:\Windows\system32\Idmhgcfg.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4532
        
        C:\Windows\SysWOW64\Ikgpdn32.exe
        
        C:\Windows\system32\Ikgpdn32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4960
        
        C:\Windows\SysWOW64\Inflpi32.exe
        
        C:\Windows\system32\Inflpi32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:484
        
        C:\Windows\SysWOW64\Ilglnqeg.exe
        
        C:\Windows\system32\Ilglnqeg.exe
        46⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1568
        
        C:\Windows\SysWOW64\Inhiei32.exe
        
        C:\Windows\system32\Inhiei32.exe
        47⤵
        Executes dropped EXE
        
        PID:1776
        
        C:\Windows\SysWOW64\Iafalg32.exe
        
        C:\Windows\system32\Iafalg32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3756
        
        C:\Windows\SysWOW64\Iddnhb32.exe
        
        C:\Windows\system32\Iddnhb32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5012
        
        C:\Windows\SysWOW64\Jedjbe32.exe
        
        C:\Windows\system32\Jedjbe32.exe
        50⤵
        Executes dropped EXE
        
        PID:2316
        
        C:\Windows\SysWOW64\Jdigcalj.exe
        
        C:\Windows\system32\Jdigcalj.exe
        51⤵
        Executes dropped EXE
        
        PID:4548
        
        C:\Windows\SysWOW64\Jkelelad.exe
        
        C:\Windows\system32\Jkelelad.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3772
        
        C:\Windows\SysWOW64\Jnfeggoe.exe
        
        C:\Windows\system32\Jnfeggoe.exe
        53⤵
        Executes dropped EXE
        
        PID:5064
        
        C:\Windows\SysWOW64\Jdpmcq32.exe
        
        C:\Windows\system32\Jdpmcq32.exe
        54⤵
        Executes dropped EXE
        
        PID:1372
        
        C:\Windows\SysWOW64\Kfpjnc32.exe
        
        C:\Windows\system32\Kfpjnc32.exe
        55⤵
        Executes dropped EXE
        
        PID:3328
        
        C:\Windows\SysWOW64\Kljbjnea.exe
        
        C:\Windows\system32\Kljbjnea.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3748
        
        C:\Windows\SysWOW64\Kohnfide.exe
        
        C:\Windows\system32\Kohnfide.exe
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4620
        
        C:\Windows\SysWOW64\Kfbfcc32.exe
        
        C:\Windows\system32\Kfbfcc32.exe
        58⤵
        Executes dropped EXE
        
        PID:4728
        
        C:\Windows\SysWOW64\Khcpenhc.exe
        
        C:\Windows\system32\Khcpenhc.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4256
        
        C:\Windows\SysWOW64\Kkalajgf.exe
        
        C:\Windows\system32\Kkalajgf.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4428
        
        C:\Windows\SysWOW64\Kdlmoold.exe
        
        C:\Windows\system32\Kdlmoold.exe
        61⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3648
        
        C:\Windows\SysWOW64\Pbfahl32.exe
        
        C:\Windows\system32\Pbfahl32.exe
        62⤵
        Executes dropped EXE
        
        PID:4892
        
        C:\Windows\SysWOW64\Qefkjg32.exe
        
        C:\Windows\system32\Qefkjg32.exe
        63⤵
        Executes dropped EXE
        
        PID:3996
        
        C:\Windows\SysWOW64\Qeigpfgo.exe
        
        C:\Windows\system32\Qeigpfgo.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2548
        
        C:\Windows\SysWOW64\Amblfc32.exe
        
        C:\Windows\system32\Amblfc32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2640
        
        C:\Windows\SysWOW64\Amdilc32.exe
        
        C:\Windows\system32\Amdilc32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2656
        
        C:\Windows\SysWOW64\Abaadj32.exe
        
        C:\Windows\system32\Abaadj32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3468
        
        C:\Windows\SysWOW64\Apeannam.exe
        
        C:\Windows\system32\Apeannam.exe
        68⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4884
        
        C:\Windows\SysWOW64\Aebjfeod.exe
        
        C:\Windows\system32\Aebjfeod.exe
        69⤵
        
        PID:224
        
        C:\Windows\SysWOW64\Agafph32.exe
        
        C:\Windows\system32\Agafph32.exe
        70⤵
        Modifies registry class
        
        PID:4172
        
        C:\Windows\SysWOW64\Boohjjap.exe
        
        C:\Windows\system32\Boohjjap.exe
        71⤵
        Modifies registry class
        
        PID:3828
        
        C:\Windows\SysWOW64\Bnphha32.exe
        
        C:\Windows\system32\Bnphha32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2292
        
        C:\Windows\SysWOW64\Bcmqphhf.exe
        
        C:\Windows\system32\Bcmqphhf.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:528
        
        C:\Windows\SysWOW64\Bnbemagl.exe
        
        C:\Windows\system32\Bnbemagl.exe
        74⤵
        Drops file in System32 directory
        
        PID:3864
        
        C:\Windows\SysWOW64\Bodaei32.exe
        
        C:\Windows\system32\Bodaei32.exe
        75⤵
        
        PID:1264
        
        C:\Windows\SysWOW64\Bljodmja.exe
        
        C:\Windows\system32\Bljodmja.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4592
        
        C:\Windows\SysWOW64\Cjnomaik.exe
        
        C:\Windows\system32\Cjnomaik.exe
        77⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\Cphgjl32.exe
        
        C:\Windows\system32\Cphgjl32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4940
        
        C:\Windows\SysWOW64\Ccfcfg32.exe
        
        C:\Windows\system32\Ccfcfg32.exe
        79⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4316
        
        C:\Windows\SysWOW64\Cfepbboo.exe
        
        C:\Windows\system32\Cfepbboo.exe
        80⤵
        Drops file in System32 directory
        
        PID:3480
        
        C:\Windows\SysWOW64\Cjqlca32.exe
        
        C:\Windows\system32\Cjqlca32.exe
        81⤵
        
        PID:4292
        
        C:\Windows\SysWOW64\Cpjdpkoe.exe
        
        C:\Windows\system32\Cpjdpkoe.exe
        82⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\Cciplgni.exe
        
        C:\Windows\system32\Cciplgni.exe
        83⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\Cgdlle32.exe
        
        C:\Windows\system32\Cgdlle32.exe
        84⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\Cjchha32.exe
        
        C:\Windows\system32\Cjchha32.exe
        85⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4608
        
        C:\Windows\SysWOW64\Copaqh32.exe
        
        C:\Windows\system32\Copaqh32.exe
        86⤵
        Drops file in System32 directory
        
        PID:1844
        
        C:\Windows\SysWOW64\Cfjimbkj.exe
        
        C:\Windows\system32\Cfjimbkj.exe
        87⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\Clcajlbf.exe
        
        C:\Windows\system32\Clcajlbf.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1956
        
        C:\Windows\SysWOW64\Ccnjgf32.exe
        
        C:\Windows\system32\Ccnjgf32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3456
        
        C:\Windows\SysWOW64\Cncndo32.exe
        
        C:\Windows\system32\Cncndo32.exe
        90⤵
        Drops file in System32 directory
        
        PID:3016
        
        C:\Windows\SysWOW64\Dfclcqbo.exe
        
        C:\Windows\system32\Dfclcqbo.exe
        91⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\Dqhpai32.exe
        
        C:\Windows\system32\Dqhpai32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4808
        
        C:\Windows\SysWOW64\Dcgmme32.exe
        
        C:\Windows\system32\Dcgmme32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4920
        
        C:\Windows\SysWOW64\Dfeiip32.exe
        
        C:\Windows\system32\Dfeiip32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4556
        
        C:\Windows\SysWOW64\Donmbfgm.exe
        
        C:\Windows\system32\Donmbfgm.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3424
        
        C:\Windows\SysWOW64\Dfheop32.exe
        
        C:\Windows\system32\Dfheop32.exe
        96⤵
        Drops file in System32 directory
        
        PID:5004
        
        C:\Windows\SysWOW64\Dmankjff.exe
        
        C:\Windows\system32\Dmankjff.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3120
        
        C:\Windows\SysWOW64\Eggbic32.exe
        
        C:\Windows\system32\Eggbic32.exe
        98⤵
        Modifies registry class
        
        PID:4512
        
        C:\Windows\SysWOW64\Eqpfahlm.exe
        
        C:\Windows\system32\Eqpfahlm.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4200
        
        C:\Windows\SysWOW64\Encgkmkg.exe
        
        C:\Windows\system32\Encgkmkg.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1524
        
        C:\Windows\SysWOW64\Eqbcghjj.exe
        
        C:\Windows\system32\Eqbcghjj.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3408
        
        C:\Windows\SysWOW64\Ecpocc32.exe
        
        C:\Windows\system32\Ecpocc32.exe
        102⤵
        Drops file in System32 directory
        
        PID:4616
        
        C:\Windows\SysWOW64\Ejjgpnak.exe
        
        C:\Windows\system32\Ejjgpnak.exe
        103⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\Eqdpmh32.exe
        
        C:\Windows\system32\Eqdpmh32.exe
        104⤵
        Drops file in System32 directory
        
        PID:524
        
        C:\Windows\SysWOW64\Egnhibpd.exe
        
        C:\Windows\system32\Egnhibpd.exe
        105⤵
        Modifies registry class
        
        PID:4704
        
        C:\Windows\SysWOW64\Ejmdemoh.exe
        
        C:\Windows\system32\Ejmdemoh.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3396
        
        C:\Windows\SysWOW64\Eqfmbg32.exe
        
        C:\Windows\system32\Eqfmbg32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1008
        
        C:\Windows\SysWOW64\Eceinc32.exe
        
        C:\Windows\system32\Eceinc32.exe
        108⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\Fmmmgh32.exe
        
        C:\Windows\system32\Fmmmgh32.exe
        109⤵
        
        PID:3808
        
        C:\Windows\SysWOW64\Fplicd32.exe
        
        C:\Windows\system32\Fplicd32.exe
        110⤵
        Drops file in System32 directory
        
        PID:3012
        
        C:\Windows\SysWOW64\Fmpjmh32.exe
        
        C:\Windows\system32\Fmpjmh32.exe
        111⤵
        
        PID:4792
        
        C:\Windows\SysWOW64\Fpnfic32.exe
        
        C:\Windows\system32\Fpnfic32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4828
        
        C:\Windows\SysWOW64\Fgenjqil.exe
        
        C:\Windows\system32\Fgenjqil.exe
        113⤵
        Drops file in System32 directory
        
        PID:3740
        
        C:\Windows\SysWOW64\Fnofgk32.exe
        
        C:\Windows\system32\Fnofgk32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5132
        
        C:\Windows\SysWOW64\Fpqcncgg.exe
        
        C:\Windows\system32\Fpqcncgg.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5148
        
        C:\Windows\SysWOW64\Ffjkkm32.exe
        
        C:\Windows\system32\Ffjkkm32.exe
        116⤵
        Drops file in System32 directory
        
        PID:5160
        
        C:\Windows\SysWOW64\Fnaclk32.exe
        
        C:\Windows\system32\Fnaclk32.exe
        117⤵
        
        PID:5180
        
        C:\Windows\SysWOW64\Fpcpdcee.exe
        
        C:\Windows\system32\Fpcpdcee.exe
        118⤵
        Modifies registry class
        
        PID:5196
        
        C:\Windows\SysWOW64\Fgjgepeg.exe
        
        C:\Windows\system32\Fgjgepeg.exe
        119⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5212
        
        C:\Windows\SysWOW64\Fjhdal32.exe
        
        C:\Windows\system32\Fjhdal32.exe
        120⤵
        
        PID:5228
        
        C:\Windows\SysWOW64\Fablnflh.exe
        
        C:\Windows\system32\Fablnflh.exe
        121⤵
        Drops file in System32 directory
        
        PID:5244
        
        C:\Windows\SysWOW64\Fcqhjakk.exe
        
        C:\Windows\system32\Fcqhjakk.exe
        122⤵
        
        PID:5260
        
        C:\Windows\SysWOW64\Fjkqgk32.exe
        
        C:\Windows\system32\Fjkqgk32.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5276
        
        C:\Windows\SysWOW64\Gmimcg32.exe
        
        C:\Windows\system32\Gmimcg32.exe
        124⤵
        Drops file in System32 directory
        
        PID:5292
        
        C:\Windows\SysWOW64\Gpgiob32.exe
        
        C:\Windows\system32\Gpgiob32.exe
        125⤵
        
        PID:5308
        
        C:\Windows\SysWOW64\Ggoapp32.exe
        
        C:\Windows\system32\Ggoapp32.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5324
        
        C:\Windows\SysWOW64\Gjmmlk32.exe
        
        C:\Windows\system32\Gjmmlk32.exe
        127⤵
        
        PID:5340
        
        C:\Windows\SysWOW64\Gmkihfpi.exe
        
        C:\Windows\system32\Gmkihfpi.exe
        128⤵
        Modifies registry class
        
        PID:5356
        
        C:\Windows\SysWOW64\Gpjfdbom.exe
        
        C:\Windows\system32\Gpjfdbom.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5372
        
        C:\Windows\SysWOW64\Gfdnal32.exe
        
        C:\Windows\system32\Gfdnal32.exe
        130⤵
        
        PID:5388
        
        C:\Windows\SysWOW64\Gmnfnfnf.exe
        
        C:\Windows\system32\Gmnfnfnf.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5408
        
        C:\Windows\SysWOW64\Gplbjamj.exe
        
        C:\Windows\system32\Gplbjamj.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5428
        
        C:\Windows\SysWOW64\Ggcjkoml.exe
        
        C:\Windows\system32\Ggcjkoml.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5448
        
        C:\Windows\SysWOW64\Gjaggjlp.exe
        
        C:\Windows\system32\Gjaggjlp.exe
        134⤵
        Drops file in System32 directory
        
        PID:5468
        
        C:\Windows\SysWOW64\Gmpcce32.exe
        
        C:\Windows\system32\Gmpcce32.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5492
        
        C:\Windows\SysWOW64\Gpoopa32.exe
        
        C:\Windows\system32\Gpoopa32.exe
        136⤵
        
        PID:5508
        
        C:\Windows\SysWOW64\Ghegao32.exe
        
        C:\Windows\system32\Ghegao32.exe
        137⤵
        Drops file in System32 directory
        
        PID:5528
        
        C:\Windows\SysWOW64\Gjdcmj32.exe
        
        C:\Windows\system32\Gjdcmj32.exe
        138⤵
        Modifies registry class
        
        PID:5556
        
        C:\Windows\SysWOW64\Gmbpie32.exe
        
        C:\Windows\system32\Gmbpie32.exe
        139⤵
        
        PID:5584
        
        C:\Windows\SysWOW64\Gpaleq32.exe
        
        C:\Windows\system32\Gpaleq32.exe
        140⤵
        Drops file in System32 directory
        
        PID:5604
        
        C:\Windows\SysWOW64\Gfkdbkpa.exe
        
        C:\Windows\system32\Gfkdbkpa.exe
        141⤵
        
        PID:5620
        
        C:\Windows\SysWOW64\Hnblchqd.exe
        
        C:\Windows\system32\Hnblchqd.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5640
        
        C:\Windows\SysWOW64\Hmeloe32.exe
        
        C:\Windows\system32\Hmeloe32.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5660
        
        C:\Windows\SysWOW64\Hdodko32.exe
        
        C:\Windows\system32\Hdodko32.exe
        144⤵
        
        PID:5680
        
        C:\Windows\SysWOW64\Hhjqlngd.exe
        
        C:\Windows\system32\Hhjqlngd.exe
        145⤵
        
        PID:5704
        
        C:\Windows\SysWOW64\Hjimhifh.exe
        
        C:\Windows\system32\Hjimhifh.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5728
        
        C:\Windows\SysWOW64\Hmgiddel.exe
        
        C:\Windows\system32\Hmgiddel.exe
        147⤵
        Modifies registry class
        
        PID:5744
        
        C:\Windows\SysWOW64\Hpeeppdp.exe
        
        C:\Windows\system32\Hpeeppdp.exe
        148⤵
        Drops file in System32 directory
        
        PID:5768
        
        C:\Windows\SysWOW64\Hhmmameb.exe
        
        C:\Windows\system32\Hhmmameb.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5796
        
        C:\Windows\SysWOW64\Hjkinide.exe
        
        C:\Windows\system32\Hjkinide.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5816
        
        C:\Windows\SysWOW64\Hnfeng32.exe
        
        C:\Windows\system32\Hnfeng32.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5836
        
        C:\Windows\SysWOW64\Haeajc32.exe
        
        C:\Windows\system32\Haeajc32.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5868
        
        C:\Windows\SysWOW64\Hdfklnic.exe
        
        C:\Windows\system32\Hdfklnic.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5888
        
        C:\Windows\SysWOW64\Idmamm32.exe
        
        C:\Windows\system32\Idmamm32.exe
        154⤵
        Modifies registry class
        
        PID:5904
        
        C:\Windows\SysWOW64\Ifkmihbo.exe
        
        C:\Windows\system32\Ifkmihbo.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5920
        
        C:\Windows\SysWOW64\Imeeeb32.exe
        
        C:\Windows\system32\Imeeeb32.exe
        156⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5936
        
        C:\Windows\SysWOW64\Ipcaan32.exe
        
        C:\Windows\system32\Ipcaan32.exe
        157⤵
        Modifies registry class
        
        PID:5952
        
        C:\Windows\SysWOW64\Ifnjnhpl.exe
        
        C:\Windows\system32\Ifnjnhpl.exe
        158⤵
        
        PID:5972
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5972 -s 408
        159⤵
        Program crash
        
        PID:6040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5972 -ip 5972
1⤵
PID:5988

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bklflk32.exe

Filesize
50KB

MD5
746196ceed54f5a90a98da4cdb8ffeb9

SHA1
c51bcfbab0baf98acd017e7a64ba2e4fe32a2220

SHA256
d99806a663f04ec3eb240077074d6e618fe1568c4e7b5e0953edbb8b758e27cf

SHA512
fc905b4a2eba1a1b320d0f39fb2ad5883d6e4c84e86bd35049e2b4ea5b7e82089ccfa4e11348bea0c0e5904924e70066f48476cfb26dad26e58e3365ea1aad55

Download Submit
C:\Windows\SysWOW64\Bklflk32.exe

Filesize
50KB

MD5
746196ceed54f5a90a98da4cdb8ffeb9

SHA1
c51bcfbab0baf98acd017e7a64ba2e4fe32a2220

SHA256
d99806a663f04ec3eb240077074d6e618fe1568c4e7b5e0953edbb8b758e27cf

SHA512
fc905b4a2eba1a1b320d0f39fb2ad5883d6e4c84e86bd35049e2b4ea5b7e82089ccfa4e11348bea0c0e5904924e70066f48476cfb26dad26e58e3365ea1aad55

Download Submit
C:\Windows\SysWOW64\Cdkpfpfd.exe

Filesize
50KB

MD5
59db0bba8b613c1660a10f5802f8ce10

SHA1
8205329016e433a30fedde3c3215c4cc2e86b217

SHA256
71cd94b42c6e8ec332e21717cc588af52b4d19f5c00b7f0db3f93b34d1570167

SHA512
6ce90b06d7e851f6bb03150dab5c91d777b3a2438dac7d145acd50ebd04a34855c8c0f925b86cc0f31293f1dbeb981ad11355247c7c894260d20ddb847eb0121

Download Submit
C:\Windows\SysWOW64\Cdkpfpfd.exe

Filesize
50KB

MD5
59db0bba8b613c1660a10f5802f8ce10

SHA1
8205329016e433a30fedde3c3215c4cc2e86b217

SHA256
71cd94b42c6e8ec332e21717cc588af52b4d19f5c00b7f0db3f93b34d1570167

SHA512
6ce90b06d7e851f6bb03150dab5c91d777b3a2438dac7d145acd50ebd04a34855c8c0f925b86cc0f31293f1dbeb981ad11355247c7c894260d20ddb847eb0121

Download Submit
C:\Windows\SysWOW64\Cmblob32.exe

Filesize
50KB

MD5
7c82e29bf95de195573d1146c157ee7a

SHA1
691081f77eb9a6dc2c9a5a6f7c06716e15abdbf4

SHA256
a37c68cfe5a53f1b77eeac774250e927d2d1377893c5596a888c5965a45e2ae5

SHA512
c10a15272a351aed8a614126a84af3001e10e1140ff8dc77e85031d4a6feffb8b8c8a1771ba556dfeb259634a7e2cf4bfa499c0d3d2a625661b4844ce02512f0

Download Submit
C:\Windows\SysWOW64\Cmblob32.exe

Filesize
50KB

MD5
7c82e29bf95de195573d1146c157ee7a

SHA1
691081f77eb9a6dc2c9a5a6f7c06716e15abdbf4

SHA256
a37c68cfe5a53f1b77eeac774250e927d2d1377893c5596a888c5965a45e2ae5

SHA512
c10a15272a351aed8a614126a84af3001e10e1140ff8dc77e85031d4a6feffb8b8c8a1771ba556dfeb259634a7e2cf4bfa499c0d3d2a625661b4844ce02512f0

Download Submit
C:\Windows\SysWOW64\Cmpoic32.exe

Filesize
50KB

MD5
03008e174c443bb3f0a885109dec195c

SHA1
1fdaa5e1b2027352991e735ff8ea197876e3b503

SHA256
a4b90565cc0cba8183cc37eb8e6e756dba1cd76ffcc83dc49d5d746b8e048d02

SHA512
e4122cd96325ba8b7df51764f0194d09ac4497f1edbd4967a765c2e7065a990111c6051e94bcb947f4adc70e96587cb26e9ee9a9c7b0f3345b42c67e4525d781

Download Submit
C:\Windows\SysWOW64\Cmpoic32.exe

Filesize
50KB

MD5
03008e174c443bb3f0a885109dec195c

SHA1
1fdaa5e1b2027352991e735ff8ea197876e3b503

SHA256
a4b90565cc0cba8183cc37eb8e6e756dba1cd76ffcc83dc49d5d746b8e048d02

SHA512
e4122cd96325ba8b7df51764f0194d09ac4497f1edbd4967a765c2e7065a990111c6051e94bcb947f4adc70e96587cb26e9ee9a9c7b0f3345b42c67e4525d781

Download Submit
C:\Windows\SysWOW64\Dcegbk32.exe

Filesize
50KB

MD5
bf582c32d4afe2d2de2015aa4e8b2e5b

SHA1
3c2599efa39813ff61158f3750dd9ce5547a893a

SHA256
466dbd6c145dd29216f8f22e65339079c81b8810e842d5e4a21f07f1adf3e9a6

SHA512
260d74c589b776758c070f641150424eb90213410810065edb58cccb79d09abc81ff5a251fd9808ebc5703858a3d9d52fce15655b59dcfc6c7efa76dabe4e992

Download Submit
C:\Windows\SysWOW64\Dcegbk32.exe

Filesize
50KB

MD5
bf582c32d4afe2d2de2015aa4e8b2e5b

SHA1
3c2599efa39813ff61158f3750dd9ce5547a893a

SHA256
466dbd6c145dd29216f8f22e65339079c81b8810e842d5e4a21f07f1adf3e9a6

SHA512
260d74c589b776758c070f641150424eb90213410810065edb58cccb79d09abc81ff5a251fd9808ebc5703858a3d9d52fce15655b59dcfc6c7efa76dabe4e992

Download Submit
C:\Windows\SysWOW64\Degpanlg.exe

Filesize
50KB

MD5
83ea21e044345cfdca7b8ed8b779c203

SHA1
6f6ea06f8462160e9ec623e9dfb0eeb20e49381a

SHA256
69ffddb3d286ec820364032967ad814cb20fd9c090ea96e06a1e133a326d4a92

SHA512
7af0375cc996087104b6e331d82c4938e33f3f25edfe508b227cbb97e50e20450472b578200b32f36e9b066f3fb2d022671e89c9c6afbf142b29fa52e17316ae

Download Submit
C:\Windows\SysWOW64\Degpanlg.exe

Filesize
50KB

MD5
83ea21e044345cfdca7b8ed8b779c203

SHA1
6f6ea06f8462160e9ec623e9dfb0eeb20e49381a

SHA256
69ffddb3d286ec820364032967ad814cb20fd9c090ea96e06a1e133a326d4a92

SHA512
7af0375cc996087104b6e331d82c4938e33f3f25edfe508b227cbb97e50e20450472b578200b32f36e9b066f3fb2d022671e89c9c6afbf142b29fa52e17316ae

Download Submit
C:\Windows\SysWOW64\Deimgn32.exe

Filesize
50KB

MD5
06b4e2261e900d712acfa43bc09a001e

SHA1
50a26ef65d591c77c35343e81fa179b2fad056d9

SHA256
44acefaa036e6dce1b32002b551c3410de218b7c7bd3d877e99cb49e7731088c

SHA512
57b1d99b5eba0c54b12dcb2496a9218739734f3b74df1904703acd2918d74a6cd15a5476952c07dc7da16cf1778ccd4c335f4d74a87e30f0d5059138a53668ba

Download Submit
C:\Windows\SysWOW64\Deimgn32.exe

Filesize
50KB

MD5
06b4e2261e900d712acfa43bc09a001e

SHA1
50a26ef65d591c77c35343e81fa179b2fad056d9

SHA256
44acefaa036e6dce1b32002b551c3410de218b7c7bd3d877e99cb49e7731088c

SHA512
57b1d99b5eba0c54b12dcb2496a9218739734f3b74df1904703acd2918d74a6cd15a5476952c07dc7da16cf1778ccd4c335f4d74a87e30f0d5059138a53668ba

Download Submit
C:\Windows\SysWOW64\Dgcohjmn.exe

Filesize
50KB

MD5
009e865c5a37aba60190828ef3b256b4

SHA1
5eaf21d6479760599cbb07a802c467537c52de36

SHA256
723b8c9474b795ab72460fb717d0c5c793cdec3f93358f522501200f15e14e12

SHA512
3fe08b7811ac1a24ab4e36b848a7d78741b8d95e11ea8574a5d7ef174fe5e4705842d9d36fec62c31c81f7d70df3ea2c716eb2f0e3d884a561048b1e8a9dcf4d

Download Submit
C:\Windows\SysWOW64\Dgcohjmn.exe

Filesize
50KB

MD5
009e865c5a37aba60190828ef3b256b4

SHA1
5eaf21d6479760599cbb07a802c467537c52de36

SHA256
723b8c9474b795ab72460fb717d0c5c793cdec3f93358f522501200f15e14e12

SHA512
3fe08b7811ac1a24ab4e36b848a7d78741b8d95e11ea8574a5d7ef174fe5e4705842d9d36fec62c31c81f7d70df3ea2c716eb2f0e3d884a561048b1e8a9dcf4d

Download Submit
C:\Windows\SysWOW64\Djmbif32.exe

Filesize
50KB

MD5
fe2d34ca79ad7c87c0976c177a8f48a1

SHA1
e93237c5ba2b6a89c11ce6373caa09e896188a58

SHA256
ca2f53ba988cc23b27cc53bf997c8c579ef4f67da4429c3719e45f27145db79c

SHA512
057d62b6c878655d5618f7b925b3a81bc2e52d265da0f74b2e98ebf787f2b1608903e8c7abd0deb744471595951759e852c5baa3ee259d9fd17cb1239b7d1fdd

Download Submit
C:\Windows\SysWOW64\Djmbif32.exe

Filesize
50KB

MD5
fe2d34ca79ad7c87c0976c177a8f48a1

SHA1
e93237c5ba2b6a89c11ce6373caa09e896188a58

SHA256
ca2f53ba988cc23b27cc53bf997c8c579ef4f67da4429c3719e45f27145db79c

SHA512
057d62b6c878655d5618f7b925b3a81bc2e52d265da0f74b2e98ebf787f2b1608903e8c7abd0deb744471595951759e852c5baa3ee259d9fd17cb1239b7d1fdd

Download Submit
C:\Windows\SysWOW64\Dnpdjcch.exe

Filesize
50KB

MD5
19e0fc7b207cecaeeeba3df99f419f12

SHA1
7163e57fd04c8eb580777928026ac357d34f494d

SHA256
6d3207b519f76a2c5c38f6dc01457d3e3da6d2d3de90ce7d86547f4a63aa87a0

SHA512
7bb14eeee9f68202b6605a2a1b75f98017477fecdd2db6cccd34284ad462d0a9aaa3eb3c27ed663f3004b25a38de3c69cb9bd592cd5bb697065e2ab6b0a44fdd

Download Submit
C:\Windows\SysWOW64\Dnpdjcch.exe

Filesize
50KB

MD5
19e0fc7b207cecaeeeba3df99f419f12

SHA1
7163e57fd04c8eb580777928026ac357d34f494d

SHA256
6d3207b519f76a2c5c38f6dc01457d3e3da6d2d3de90ce7d86547f4a63aa87a0

SHA512
7bb14eeee9f68202b6605a2a1b75f98017477fecdd2db6cccd34284ad462d0a9aaa3eb3c27ed663f3004b25a38de3c69cb9bd592cd5bb697065e2ab6b0a44fdd

Download Submit
C:\Windows\SysWOW64\Dqigkp32.exe

Filesize
50KB

MD5
93cd5528a7c28bdc3e1ad3c9432cb935

SHA1
a7e1bc3f7e529e2d8c3995588d87824c6e45dca9

SHA256
2c72972437025f72c50cccba4963c55dc52042efd8b50630694c258822950de3

SHA512
2e382f2b962e8198c082ca2c1fde47c59c2dbb947b11aaab06a0ca8333b12d54a4e11a4bd9f65e2ce9f7f97157fe68352725c8e5457c08f8ea6370ae462adcd9

Download Submit
C:\Windows\SysWOW64\Dqigkp32.exe

Filesize
50KB

MD5
93cd5528a7c28bdc3e1ad3c9432cb935

SHA1
a7e1bc3f7e529e2d8c3995588d87824c6e45dca9

SHA256
2c72972437025f72c50cccba4963c55dc52042efd8b50630694c258822950de3

SHA512
2e382f2b962e8198c082ca2c1fde47c59c2dbb947b11aaab06a0ca8333b12d54a4e11a4bd9f65e2ce9f7f97157fe68352725c8e5457c08f8ea6370ae462adcd9

Download Submit
C:\Windows\SysWOW64\Eabjan32.exe

Filesize
50KB

MD5
81fa73a7a3ecbab6c4bca23da2144e63

SHA1
3c3d71459602cf777bdd76c849245c64c28a6ec1

SHA256
aa0ed56f6bfcc88a69aa759f76c4cb617b9ef1b5d80498177bde2ecc239107ce

SHA512
af56f8065ebb7e88c28e5f117ef098b0761234fa141b8a82b7d01dabdb65ec9bbe4e666385cbfdbb8969a5b0bdbeb6490b9fd3d394a19ddd3926d770d0588e8a

Download Submit
C:\Windows\SysWOW64\Eabjan32.exe

Filesize
50KB

MD5
81fa73a7a3ecbab6c4bca23da2144e63

SHA1
3c3d71459602cf777bdd76c849245c64c28a6ec1

SHA256
aa0ed56f6bfcc88a69aa759f76c4cb617b9ef1b5d80498177bde2ecc239107ce

SHA512
af56f8065ebb7e88c28e5f117ef098b0761234fa141b8a82b7d01dabdb65ec9bbe4e666385cbfdbb8969a5b0bdbeb6490b9fd3d394a19ddd3926d770d0588e8a

Download Submit
C:\Windows\SysWOW64\Ecoihjol.exe

Filesize
50KB

MD5
ab755a658e57672bb905df5fe87dfae0

SHA1
4aee3b1716110e9464e03fc67355c881e0388156

SHA256
ddf92933e5c32bdaea5aa0c7f546ae133e5fdccae022c65fbf72cfb5ae91fbf2

SHA512
892e5654d8991d1ef70739360173452579a0af59b8188ee7dea36925929bc0de395e6c4f43a83a6bd0b6c0a7b1e7cfcfbbe67da56c9451dff00556475666491e

Download Submit
C:\Windows\SysWOW64\Ecoihjol.exe

Filesize
50KB

MD5
ab755a658e57672bb905df5fe87dfae0

SHA1
4aee3b1716110e9464e03fc67355c881e0388156

SHA256
ddf92933e5c32bdaea5aa0c7f546ae133e5fdccae022c65fbf72cfb5ae91fbf2

SHA512
892e5654d8991d1ef70739360173452579a0af59b8188ee7dea36925929bc0de395e6c4f43a83a6bd0b6c0a7b1e7cfcfbbe67da56c9451dff00556475666491e

Download Submit
C:\Windows\SysWOW64\Eecoml32.exe

Filesize
50KB

MD5
2b716f0195e5644659751fa222623269

SHA1
fc38e1c63ba8addeb0ed18272243a0017ec118df

SHA256
1a763c4a39f753b594505aacc00e93b32f1c79d8151879f5dd7c466e5d670075

SHA512
535bd5c380092068ee779e649d8e6aa11d94b784773945e849d694db4824be4c6beaf80e57d75c680e41516b90fc9dbf722696e716f9e5f45fbde6929e5cac55

Download Submit
C:\Windows\SysWOW64\Eecoml32.exe

Filesize
50KB

MD5
2b716f0195e5644659751fa222623269

SHA1
fc38e1c63ba8addeb0ed18272243a0017ec118df

SHA256
1a763c4a39f753b594505aacc00e93b32f1c79d8151879f5dd7c466e5d670075

SHA512
535bd5c380092068ee779e649d8e6aa11d94b784773945e849d694db4824be4c6beaf80e57d75c680e41516b90fc9dbf722696e716f9e5f45fbde6929e5cac55

Download Submit
C:\Windows\SysWOW64\Eeelcl32.exe

Filesize
50KB

MD5
ec90e7c6628a37640bf3041326d21a1d

SHA1
0c30017be6c39a8c31f71107baec39a6326e9db1

SHA256
d28fbc5eb7eb71ac3d189f9dd294988052f45f6700fc5a06fc5b97bcf1128014

SHA512
d4c9cb251980d188d8fed7e309d592fd1762ecac8dca47a7faf20ae853a3eca4884cac1753adef3fca823e016cc6ff921b949f149a7c44b6843d05258545d8fe

Download Submit
C:\Windows\SysWOW64\Eeelcl32.exe

Filesize
50KB

MD5
ec90e7c6628a37640bf3041326d21a1d

SHA1
0c30017be6c39a8c31f71107baec39a6326e9db1

SHA256
d28fbc5eb7eb71ac3d189f9dd294988052f45f6700fc5a06fc5b97bcf1128014

SHA512
d4c9cb251980d188d8fed7e309d592fd1762ecac8dca47a7faf20ae853a3eca4884cac1753adef3fca823e016cc6ff921b949f149a7c44b6843d05258545d8fe

Download Submit
C:\Windows\SysWOW64\Ejkojddf.exe

Filesize
50KB

MD5
fdcab1efc1c5730d67519d2aff3ff59f

SHA1
07a95282a133f02c2dbfc2ffacc42e09943c7378

SHA256
f7bace0e2c2da108ef391f48529a9cdebdb870f42e6f6dc18d7331b16753b687

SHA512
cf712766d86f6910f03f19a95f5a88faa46aff33a52aca2edf826ca3736c416e46671f8346d660a6a40bcbad20f802cb44dea5fc97e0cf4278dfabf716f91f5f

Download Submit
C:\Windows\SysWOW64\Ejkojddf.exe

Filesize
50KB

MD5
fdcab1efc1c5730d67519d2aff3ff59f

SHA1
07a95282a133f02c2dbfc2ffacc42e09943c7378

SHA256
f7bace0e2c2da108ef391f48529a9cdebdb870f42e6f6dc18d7331b16753b687

SHA512
cf712766d86f6910f03f19a95f5a88faa46aff33a52aca2edf826ca3736c416e46671f8346d660a6a40bcbad20f802cb44dea5fc97e0cf4278dfabf716f91f5f

Download Submit
C:\Windows\SysWOW64\Ekcedhaa.exe

Filesize
50KB

MD5
612b3b0eed34519e673c4610ec20677b

SHA1
0edf02427862005dbe337270cfd6c2cb96594993

SHA256
826af934f78fb2227248e28df58ba2083d0732b071d36f5d835c2445b36fe078

SHA512
860b28c5ef01d449a8c92c8467ca289d5ccb9295614968d5acc23574f526d9faff24a6758374f94316d29746d6cdc3acee080e56ae098c403d78e8cbe1cf35ad

Download Submit
C:\Windows\SysWOW64\Ekcedhaa.exe

Filesize
50KB

MD5
612b3b0eed34519e673c4610ec20677b

SHA1
0edf02427862005dbe337270cfd6c2cb96594993

SHA256
826af934f78fb2227248e28df58ba2083d0732b071d36f5d835c2445b36fe078

SHA512
860b28c5ef01d449a8c92c8467ca289d5ccb9295614968d5acc23574f526d9faff24a6758374f94316d29746d6cdc3acee080e56ae098c403d78e8cbe1cf35ad

Download Submit
C:\Windows\SysWOW64\Faepnlnq.exe

Filesize
50KB

MD5
49b8a68be64e966f48d61b25d7076ef8

SHA1
fb26e341998213f3016e6ff96e201ab1be32e4a4

SHA256
5d1f638629fd40bed6e8fd9b76e2ba915e95c0ad40ed46a28ba0103d8486ed04

SHA512
d6b51e24f7f730aae28b6cf060e4a0a269e57d3103328679eee7b0da45e8fd7c8cfb837bb76776634658e52fe0d239df814f4bce41b47100d3e04b5d1b2348e6

Download Submit
C:\Windows\SysWOW64\Faepnlnq.exe

Filesize
50KB

MD5
49b8a68be64e966f48d61b25d7076ef8

SHA1
fb26e341998213f3016e6ff96e201ab1be32e4a4

SHA256
5d1f638629fd40bed6e8fd9b76e2ba915e95c0ad40ed46a28ba0103d8486ed04

SHA512
d6b51e24f7f730aae28b6cf060e4a0a269e57d3103328679eee7b0da45e8fd7c8cfb837bb76776634658e52fe0d239df814f4bce41b47100d3e04b5d1b2348e6

Download Submit
C:\Windows\SysWOW64\Faqfclaf.exe

Filesize
50KB

MD5
9a50f0bb34c2542ad1d345258f77d5ac

SHA1
91dd024c6d53ac6122fd50ec86c7b5e1d004ff52

SHA256
abb5abb9f689a31ac9aaa34d9d0825e8b84f5b4286df647caac0bdae22e536c9

SHA512
1c7967a0cd326cba10fe90a99b9045553d9da1fbd7121bbd6ae1c3dd7411fc656c6bcf0260e4cb6b3358dca27ce7ef6d0fe31af08c88902a6296ed8f7667ff60

Download Submit
C:\Windows\SysWOW64\Faqfclaf.exe

Filesize
50KB

MD5
9a50f0bb34c2542ad1d345258f77d5ac

SHA1
91dd024c6d53ac6122fd50ec86c7b5e1d004ff52

SHA256
abb5abb9f689a31ac9aaa34d9d0825e8b84f5b4286df647caac0bdae22e536c9

SHA512
1c7967a0cd326cba10fe90a99b9045553d9da1fbd7121bbd6ae1c3dd7411fc656c6bcf0260e4cb6b3358dca27ce7ef6d0fe31af08c88902a6296ed8f7667ff60

Download Submit
C:\Windows\SysWOW64\Fcmfih32.exe

Filesize
50KB

MD5
6052e6bc498c1fb736a432a7dda691ea

SHA1
2df4ceb299c32e3367d494483350339e9086f290

SHA256
3e7a6e319be44fc3d93e06883816fc0b1d5dbdbb5091f8ae7145731cadb3aec3

SHA512
25d90e879d96fb54b6da30d8ec905942dda012a950d0b2e89204bcad29388dc72cf9618b72d56bb34a98a667f9e3c7099d815c7f94ba496435ea5be36446dca4

Download Submit
C:\Windows\SysWOW64\Fcmfih32.exe

Filesize
50KB

MD5
6052e6bc498c1fb736a432a7dda691ea

SHA1
2df4ceb299c32e3367d494483350339e9086f290

SHA256
3e7a6e319be44fc3d93e06883816fc0b1d5dbdbb5091f8ae7145731cadb3aec3

SHA512
25d90e879d96fb54b6da30d8ec905942dda012a950d0b2e89204bcad29388dc72cf9618b72d56bb34a98a667f9e3c7099d815c7f94ba496435ea5be36446dca4

Download Submit
C:\Windows\SysWOW64\Fegihlnd.exe

Filesize
50KB

MD5
5fa42e0ccd908a246998952ed94d2122

SHA1
670441f301e2132e6ba7d264254cda0ba2d4e372

SHA256
bf833e1fe3dfd839572f19910c4ad4328a6f9eddc960dc9727f7387b0edb0379

SHA512
2e14522533a5bd88991b3632a4a3af6cf6af02182784e1b9124a3a37c89d174edf649d35d7df5fbcc8952489e40db931be4763c64d6ff0f0983eba0b8e0c727f

Download Submit
C:\Windows\SysWOW64\Fegihlnd.exe

Filesize
50KB

MD5
5fa42e0ccd908a246998952ed94d2122

SHA1
670441f301e2132e6ba7d264254cda0ba2d4e372

SHA256
bf833e1fe3dfd839572f19910c4ad4328a6f9eddc960dc9727f7387b0edb0379

SHA512
2e14522533a5bd88991b3632a4a3af6cf6af02182784e1b9124a3a37c89d174edf649d35d7df5fbcc8952489e40db931be4763c64d6ff0f0983eba0b8e0c727f

Download Submit
C:\Windows\SysWOW64\Feooik32.exe

Filesize
50KB

MD5
c8d1357bb651b61f0039eadabae60795

SHA1
fb13559a58233d53bab5949c9ffa274f3bfeaa0f

SHA256
d6c9544458a439bfb25bb0be766085d7df3c078ebd963130455cf429430d8552

SHA512
24b9454907995278459e446b7fdaf18fc6d10273df7a4b9e0bf053e15b4fd27553a730690b207b7e5ddfac7ddc644d76a8729bb96b382c824294286622d5f8ea

Download Submit
C:\Windows\SysWOW64\Feooik32.exe

Filesize
50KB

MD5
c8d1357bb651b61f0039eadabae60795

SHA1
fb13559a58233d53bab5949c9ffa274f3bfeaa0f

SHA256
d6c9544458a439bfb25bb0be766085d7df3c078ebd963130455cf429430d8552

SHA512
24b9454907995278459e446b7fdaf18fc6d10273df7a4b9e0bf053e15b4fd27553a730690b207b7e5ddfac7ddc644d76a8729bb96b382c824294286622d5f8ea

Download Submit
C:\Windows\SysWOW64\Fhkopf32.exe

Filesize
50KB

MD5
4a3f499b34d840b5da38245550d2fb4a

SHA1
59575ede5cbac56285a675dbcaf84e2dc3932854

SHA256
2636391794b37a1396497b870e7e7622fd60b3a9aa7c05ea3a3b45ff335e8c8c

SHA512
4cbcff0a97608cf8e8e363dd970f862af87f1dfcb96853cf69590034cea5ecd8e94d493ad3fab0d07398349f53c32ed08aaf2a2d7a170dd495ca17e74dd95b5e

Download Submit
C:\Windows\SysWOW64\Fhkopf32.exe

Filesize
50KB

MD5
4a3f499b34d840b5da38245550d2fb4a

SHA1
59575ede5cbac56285a675dbcaf84e2dc3932854

SHA256
2636391794b37a1396497b870e7e7622fd60b3a9aa7c05ea3a3b45ff335e8c8c

SHA512
4cbcff0a97608cf8e8e363dd970f862af87f1dfcb96853cf69590034cea5ecd8e94d493ad3fab0d07398349f53c32ed08aaf2a2d7a170dd495ca17e74dd95b5e

Download Submit
C:\Windows\SysWOW64\Fjfnfbji.exe

Filesize
50KB

MD5
19e1d75a96509ab7af06176ec7b6edd1

SHA1
8a156ae0e1893a91ea6ff0bcea49d02785d60752

SHA256
cdcc443f850b3d21dc71a31b01fda7a5658baa53e9405ca970a92987ed71e5cf

SHA512
bb6e456dd1e25cdcbaf962407a2960f1f95973d60469dc11c607d44d3cf4c3e9b7adfbc88ccf1bd995fff2675e194f057ff3b5511f453da9fff02ccee9a39a53

Download Submit
C:\Windows\SysWOW64\Fjfnfbji.exe

Filesize
50KB

MD5
19e1d75a96509ab7af06176ec7b6edd1

SHA1
8a156ae0e1893a91ea6ff0bcea49d02785d60752

SHA256
cdcc443f850b3d21dc71a31b01fda7a5658baa53e9405ca970a92987ed71e5cf

SHA512
bb6e456dd1e25cdcbaf962407a2960f1f95973d60469dc11c607d44d3cf4c3e9b7adfbc88ccf1bd995fff2675e194f057ff3b5511f453da9fff02ccee9a39a53

Download Submit
C:\Windows\SysWOW64\Fnnqla32.exe

Filesize
50KB

MD5
4c2c04924a7613c9a9a7ab18d8d2e487

SHA1
4543aa4615047b08b66f868053de2e50af2922e0

SHA256
2e3a70b1b179dc3a9b9acc571f2d8ac2242a269199482a6e6960e354524968c3

SHA512
6ea814151698c0c7ebc7e5941ac6b25fc386526fa0453170b470e2fdab9263a505014997675371881a8e8e2fabca4e75af36712801f4122901cee3f15b5e5969

Download Submit
C:\Windows\SysWOW64\Fnnqla32.exe

Filesize
50KB

MD5
4c2c04924a7613c9a9a7ab18d8d2e487

SHA1
4543aa4615047b08b66f868053de2e50af2922e0

SHA256
2e3a70b1b179dc3a9b9acc571f2d8ac2242a269199482a6e6960e354524968c3

SHA512
6ea814151698c0c7ebc7e5941ac6b25fc386526fa0453170b470e2fdab9263a505014997675371881a8e8e2fabca4e75af36712801f4122901cee3f15b5e5969

Download Submit
C:\Windows\SysWOW64\Gaglck32.exe

Filesize
50KB

MD5
4303b2ae2e1245176edd6d23d359ed87

SHA1
c530b592a1d42f63ecd7d606542ea39f77d1ae2a

SHA256
54bd6484c303259bcb6c55821b04e111f486b6a356aefc3f4840f300bd7cf5f8

SHA512
01225eef0f597b53f2df0b501c6b988e22eef118a7872b8f645d480428f070129b36408446f098c458da2eeb2feb157205eba619b670b4a3dcae6ad2383e9fac

Download Submit
C:\Windows\SysWOW64\Gaglck32.exe

Filesize
50KB

MD5
4303b2ae2e1245176edd6d23d359ed87

SHA1
c530b592a1d42f63ecd7d606542ea39f77d1ae2a

SHA256
54bd6484c303259bcb6c55821b04e111f486b6a356aefc3f4840f300bd7cf5f8

SHA512
01225eef0f597b53f2df0b501c6b988e22eef118a7872b8f645d480428f070129b36408446f098c458da2eeb2feb157205eba619b670b4a3dcae6ad2383e9fac

Download Submit
C:\Windows\SysWOW64\Gjdjgp32.exe

Filesize
50KB

MD5
6c3e1089f7acc9c3c5ece5a2499b87ba

SHA1
0e8a66e404a032705824e4cf56c0a6ae96f2fda1

SHA256
f1ebdfe701470bce572388c744a584757540eb41574294b133f28e55034aabdb

SHA512
68a9e6e3919daabaf34c98c675881fda780e1dc67303bb305208c982e5c27f915b62662d1b6aa917bda3b7d1da90b22df40a9b5de9efbec2c57b597f55d633c2

Download Submit
C:\Windows\SysWOW64\Gjdjgp32.exe

Filesize
50KB

MD5
6c3e1089f7acc9c3c5ece5a2499b87ba

SHA1
0e8a66e404a032705824e4cf56c0a6ae96f2fda1

SHA256
f1ebdfe701470bce572388c744a584757540eb41574294b133f28e55034aabdb

SHA512
68a9e6e3919daabaf34c98c675881fda780e1dc67303bb305208c982e5c27f915b62662d1b6aa917bda3b7d1da90b22df40a9b5de9efbec2c57b597f55d633c2

Download Submit
C:\Windows\SysWOW64\Gjndgada.exe

Filesize
50KB

MD5
c9e8ab7c703bb3ef0504b5d8e32b96e9

SHA1
e9bfad0aa63d6c07b7c6854193bcaca344f18b26

SHA256
7ccaae619c100fa9e39f17e9f57b30b1cf203ecf5cd682e474cd386cfc48d3fc

SHA512
052df9ae53e76dff0e5bee36b8b35657838dcbf93a2cc5c397fc42c854efb89f5107db63a43cf85617f460bdd61397205c62171242d8451ca45c1a4cc51d8373

Download Submit
C:\Windows\SysWOW64\Gjndgada.exe

Filesize
50KB

MD5
c9e8ab7c703bb3ef0504b5d8e32b96e9

SHA1
e9bfad0aa63d6c07b7c6854193bcaca344f18b26

SHA256
7ccaae619c100fa9e39f17e9f57b30b1cf203ecf5cd682e474cd386cfc48d3fc

SHA512
052df9ae53e76dff0e5bee36b8b35657838dcbf93a2cc5c397fc42c854efb89f5107db63a43cf85617f460bdd61397205c62171242d8451ca45c1a4cc51d8373

Download Submit
C:\Windows\SysWOW64\Glpmfdia.exe

Filesize
50KB

MD5
d94c92efbb12c1ffdfd46cb50499da35

SHA1
1a82417a50ddf53ebe59eebda855eccbb5ec7731

SHA256
63dd70c59601ebcf7bd5369b4b66d3d0380848b2466be3e44e313bd96ac80b69

SHA512
fa44011cb47cf81f9b64b9b46bec4b1de392a2071e803c66f062a15e7400ab027ed65d45f3b0686e5104a041d05020bdbf07855ea7cdefda5382b325544ae871

Download Submit
C:\Windows\SysWOW64\Glpmfdia.exe

Filesize
50KB

MD5
d94c92efbb12c1ffdfd46cb50499da35

SHA1
1a82417a50ddf53ebe59eebda855eccbb5ec7731

SHA256
63dd70c59601ebcf7bd5369b4b66d3d0380848b2466be3e44e313bd96ac80b69

SHA512
fa44011cb47cf81f9b64b9b46bec4b1de392a2071e803c66f062a15e7400ab027ed65d45f3b0686e5104a041d05020bdbf07855ea7cdefda5382b325544ae871

Download Submit
C:\Windows\SysWOW64\Gobcno32.exe

Filesize
50KB

MD5
7b5db65277f4d6a39f31da1d8b5fbdbb

SHA1
f13cc19d4175e5e95e9a3c75bb249b47d9b4b63a

SHA256
f943524a12863bd8b78b410fa17c81249f78aafb742dded99abdb29d34e7f9a9

SHA512
d051d16d101d0fd8a43cca22a8b4faa3ece2f71fa1fd444e8614dfd9d609a5d443a423feefc15564393d8bbf76ea98105a96e0893e38c8b7f0801e015729d513

Download Submit
C:\Windows\SysWOW64\Gobcno32.exe

Filesize
50KB

MD5
7b5db65277f4d6a39f31da1d8b5fbdbb

SHA1
f13cc19d4175e5e95e9a3c75bb249b47d9b4b63a

SHA256
f943524a12863bd8b78b410fa17c81249f78aafb742dded99abdb29d34e7f9a9

SHA512
d051d16d101d0fd8a43cca22a8b4faa3ece2f71fa1fd444e8614dfd9d609a5d443a423feefc15564393d8bbf76ea98105a96e0893e38c8b7f0801e015729d513

Download Submit
C:\Windows\SysWOW64\Golmmp32.exe

Filesize
50KB

MD5
c3c983db33d96a0c130b92b1a608eeca

SHA1
7c7fd970f3cae11d37a48642a102e838a41b1af0

SHA256
bfc12fae214a0e342f4b4057c01640ac34238471a60872c333b4163a2acdf13b

SHA512
77060c09a21a407049e817374e5bacc73102a32c4d491f31a136a5b5ebd37ce8e2c762daba304abc3b59113ee2a4c3d564f14df7682398d3da1e4ce944fba2da

Download Submit
C:\Windows\SysWOW64\Golmmp32.exe

Filesize
50KB

MD5
c3c983db33d96a0c130b92b1a608eeca

SHA1
7c7fd970f3cae11d37a48642a102e838a41b1af0

SHA256
bfc12fae214a0e342f4b4057c01640ac34238471a60872c333b4163a2acdf13b

SHA512
77060c09a21a407049e817374e5bacc73102a32c4d491f31a136a5b5ebd37ce8e2c762daba304abc3b59113ee2a4c3d564f14df7682398d3da1e4ce944fba2da

Download Submit
C:\Windows\SysWOW64\Gonibohe.exe

Filesize
50KB

MD5
6de992a17cf57eac0351f336ace2d0aa

SHA1
4f2e51d3bb26e1f5d4e9c88ec73d86d8857f98ad

SHA256
663cf812360a39901de77da2dffc589aafba13b701aeb63e489336bc146ece3c

SHA512
d67c0cd35a2ba0062190af9bf0650220a6d10c81c6de5cf5754ef6b5e6a8b9e12cf186a4c3c5ce91ac2f450d4bb77b576209b6c16b47f8c8a9c18881b71b65ef

Download Submit
C:\Windows\SysWOW64\Gonibohe.exe

Filesize
50KB

MD5
6de992a17cf57eac0351f336ace2d0aa

SHA1
4f2e51d3bb26e1f5d4e9c88ec73d86d8857f98ad

SHA256
663cf812360a39901de77da2dffc589aafba13b701aeb63e489336bc146ece3c

SHA512
d67c0cd35a2ba0062190af9bf0650220a6d10c81c6de5cf5754ef6b5e6a8b9e12cf186a4c3c5ce91ac2f450d4bb77b576209b6c16b47f8c8a9c18881b71b65ef

Download Submit
memory/348-182-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/484-290-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/552-235-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/732-245-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/768-277-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/952-192-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1092-285-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1108-234-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1280-276-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1316-286-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1372-308-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1568-291-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1776-292-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1988-185-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2032-143-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2152-249-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2316-304-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2348-132-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2432-258-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2508-142-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2548-323-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2744-250-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2780-246-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2872-179-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3204-144-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3216-187-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3284-284-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3328-309-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3380-252-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3592-281-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3648-320-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3724-241-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3748-310-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3756-294-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3772-306-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3844-180-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3896-178-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3908-242-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3984-181-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3996-322-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4116-237-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4184-238-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4188-255-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4256-313-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4400-190-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4412-183-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4424-283-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4428-314-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4532-288-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4540-282-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4548-305-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4552-257-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4620-311-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4632-243-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4728-312-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4744-189-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4784-278-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4820-273-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4892-321-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4960-289-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4972-275-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/5012-303-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/5064-307-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/5068-280-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download