7a5bd9a19205c092e07546b9d59bb15542b66b0eced308eda58e5a41f39f648e

Analysis

max time kernel
112s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
26-11-2022 08:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7a5bd9a19205c092e07546b9d59bb15542b66b0eced308eda58e5a41f39f648e.exe
Size

50KB
MD5

b053b4e97e0b15725b0a11d823f85f50
SHA1

45f83ed9fd1e8274575fb5db680ecbee655b5662
SHA256

7a5bd9a19205c092e07546b9d59bb15542b66b0eced308eda58e5a41f39f648e
SHA512

bb98e03939ca5fdd4bfc31d128a22c94ff26a4ad29a9effb6da3729e312197bb653d9f08667fd341dd07a784349ea2051ee11e86cd60b722d66541351cde0f2b
SSDEEP

768:T4EpI2xCFURWO947coJKk4HlW3CX1x8KZTJuOrheRvr/TPLfzeDXr/Tn7Pj3LfzZ:TE+CFfm4IfHY3aASd9eRBMAXTwf

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Aqbepc32.exeLbqdhgbl.exePaolmidq.exeOnkopd32.exeNpijknpl.exeJkkifeof.exeOoicfh32.exeMgpifn32.exeGbfnokqf.exeKdejdkcc.exeAnlpalfh.exeAdiddf32.exeJbmhlc32.exeEolonh32.exePjagbjkc.exePifdnfec.exeMfdoldpm.exeOflhfmpm.exeLmobda32.exeBjemlm32.exeJmiebani.exeLghlki32.exeLgbjlj32.exeQjfqmj32.exeQkqclm32.exePaaibi32.exePddojcml.exeHfmhbq32.exeDgaadl32.exeAggqpa32.exeAbfomkqd.exeMelicpbb.exeMmakidic.exeJhlmjjpb.exeBmffnhgk.exeJhgcok32.exeEbbheibp.exeKncocfij.exeMahnocea.exeMppgephg.exeAdfhof32.exeMdndmk32.exeOkooihne.exeKgkmae32.exeOgqbal32.exeJbodac32.exeLfbfha32.exeOjiifqll.exeMmdhodgq.exeMfglbdnk.exeBalifcca.exeMmoncd32.exeLaigmbei.exeOenbgc32.exeOfpjka32.exeCignkeql.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqbepc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lbqdhgbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Paolmidq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onkopd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npijknpl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jkkifeof.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ooicfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgpifn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqbepc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbfnokqf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdejdkcc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anlpalfh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adiddf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbmhlc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eolonh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjagbjkc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pifdnfec.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mfdoldpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Onkopd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oflhfmpm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmobda32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjemlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmiebani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lghlki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgbjlj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qjfqmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbfnokqf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qkqclm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjagbjkc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Paaibi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pddojcml.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfmhbq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgaadl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aggqpa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jkkifeof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Abfomkqd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Melicpbb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmakidic.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jhlmjjpb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abfomkqd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmffnhgk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jhgcok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ebbheibp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kncocfij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mahnocea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mppgephg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adfhof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdndmk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Okooihne.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgkmae32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogqbal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbodac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lfbfha32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojiifqll.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbqdhgbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mmdhodgq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adiddf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mfglbdnk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Balifcca.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmoncd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laigmbei.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oenbgc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofpjka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cignkeql.exe

Executes dropped EXE 64 IoCs

Processes:

Ccildpbn.exeMdndmk32.exeMemagnah.exeOjiifqll.exeOfpjka32.exeOnkopd32.exeOkooihne.exeOnphkckf.exePccgdice.exeQlceck32.exeAfaoohee.exeAlcabnog.exeBadcfd32.exeBalifcca.exeCignkeql.exeCkfjehho.exeCohpnlkn.exeCphlho32.exeCpjinnpn.exeDanbkf32.exeDngpeg32.exeDjnpjhmp.exeDgaadl32.exeEjbjeg32.exeEcmkdl32.exeEmepmbdh.exeEbbheibp.exeFiomgbhj.exeFalnad32.exeFnpoki32.exeFmelle32.exeFfnpdkmd.exeGpfemp32.exeGiniff32.exeGbfnokqf.exeGbijdkoc.exeGicbaefp.exeGlclcpca.exeJkddonpg.exeEolonh32.exeIkhnijgi.exeJpaopnfb.exeJglgmh32.exeJilpnc32.exeKlmipnha.exeKcgamh32.exeKeenid32.exeKlpfeneo.exeKdkkjp32.exeKncocfij.exeKqakoain.exeKkgpljhd.exeKnelhegh.exeKqdhda32.exeKqfejq32.exeLmmeoajm.exeLgbjlj32.exeLmobda32.exeLonnqm32.exeLfgfmgok.exeLopkfl32.exeLbngbhdo.exeLobhllci.exeLbqdhgbl.exe

pid	process
1768	Ccildpbn.exe
2020	Mdndmk32.exe
2016	Memagnah.exe
1344	Ojiifqll.exe
768	Ofpjka32.exe
1868	Onkopd32.exe
852	Okooihne.exe
288	Onphkckf.exe
1764	Pccgdice.exe
1068	Qlceck32.exe
1472	Afaoohee.exe
1752	Alcabnog.exe
1372	Badcfd32.exe
1628	Balifcca.exe
1072	Cignkeql.exe
1772	Ckfjehho.exe
844	Cohpnlkn.exe
268	Cphlho32.exe
1660	Cpjinnpn.exe
240	Danbkf32.exe
1964	Dngpeg32.exe
1584	Djnpjhmp.exe
1612	Dgaadl32.exe
1064	Ejbjeg32.exe
1988	Ecmkdl32.exe
2024	Emepmbdh.exe
1980	Ebbheibp.exe
868	Fiomgbhj.exe
1160	Falnad32.exe
832	Fnpoki32.exe
1320	Fmelle32.exe
932	Ffnpdkmd.exe
1900	Gpfemp32.exe
1348	Giniff32.exe
1316	Gbfnokqf.exe
1296	Gbijdkoc.exe
316	Gicbaefp.exe
760	Glclcpca.exe
828	Jkddonpg.exe
1608	Eolonh32.exe
1736	Ikhnijgi.exe
1008	Jpaopnfb.exe
900	Jglgmh32.exe
524	Jilpnc32.exe
668	Klmipnha.exe
848	Kcgamh32.exe
1292	Keenid32.exe
1572	Klpfeneo.exe
1364	Kdkkjp32.exe
1116	Kncocfij.exe
1880	Kqakoain.exe
572	Kkgpljhd.exe
1468	Knelhegh.exe
1684	Kqdhda32.exe
1352	Kqfejq32.exe
1500	Lmmeoajm.exe
1888	Lgbjlj32.exe
2000	Lmobda32.exe
1996	Lonnqm32.exe
1404	Lfgfmgok.exe
1820	Lopkfl32.exe
1784	Lbngbhdo.exe
1616	Lobhllci.exe
2004	Lbqdhgbl.exe

Loads dropped DLL 64 IoCs

Processes:

7a5bd9a19205c092e07546b9d59bb15542b66b0eced308eda58e5a41f39f648e.exeCcildpbn.exeMdndmk32.exeMemagnah.exeOjiifqll.exeOfpjka32.exeOnkopd32.exeOkooihne.exeOnphkckf.exePccgdice.exeQlceck32.exeAfaoohee.exeAlcabnog.exeBadcfd32.exeBalifcca.exeCignkeql.exeCkfjehho.exeCohpnlkn.exeCphlho32.exeCpjinnpn.exeDanbkf32.exeDngpeg32.exeDjnpjhmp.exeDgaadl32.exeEjbjeg32.exeEcmkdl32.exeEmepmbdh.exeEbbheibp.exeFiomgbhj.exeFalnad32.exeFnpoki32.exeFmelle32.exe

pid	process
2044	7a5bd9a19205c092e07546b9d59bb15542b66b0eced308eda58e5a41f39f648e.exe
2044	7a5bd9a19205c092e07546b9d59bb15542b66b0eced308eda58e5a41f39f648e.exe
1768	Ccildpbn.exe
1768	Ccildpbn.exe
2020	Mdndmk32.exe
2020	Mdndmk32.exe
2016	Memagnah.exe
2016	Memagnah.exe
1344	Ojiifqll.exe
1344	Ojiifqll.exe
768	Ofpjka32.exe
768	Ofpjka32.exe
1868	Onkopd32.exe
1868	Onkopd32.exe
852	Okooihne.exe
852	Okooihne.exe
288	Onphkckf.exe
288	Onphkckf.exe
1764	Pccgdice.exe
1764	Pccgdice.exe
1068	Qlceck32.exe
1068	Qlceck32.exe
1472	Afaoohee.exe
1472	Afaoohee.exe
1752	Alcabnog.exe
1752	Alcabnog.exe
1372	Badcfd32.exe
1372	Badcfd32.exe
1628	Balifcca.exe
1628	Balifcca.exe
1072	Cignkeql.exe
1072	Cignkeql.exe
1772	Ckfjehho.exe
1772	Ckfjehho.exe
844	Cohpnlkn.exe
844	Cohpnlkn.exe
268	Cphlho32.exe
268	Cphlho32.exe
1660	Cpjinnpn.exe
1660	Cpjinnpn.exe
240	Danbkf32.exe
240	Danbkf32.exe
1964	Dngpeg32.exe
1964	Dngpeg32.exe
1584	Djnpjhmp.exe
1584	Djnpjhmp.exe
1612	Dgaadl32.exe
1612	Dgaadl32.exe
1064	Ejbjeg32.exe
1064	Ejbjeg32.exe
1988	Ecmkdl32.exe
1988	Ecmkdl32.exe
2024	Emepmbdh.exe
2024	Emepmbdh.exe
1980	Ebbheibp.exe
1980	Ebbheibp.exe
868	Fiomgbhj.exe
868	Fiomgbhj.exe
1160	Falnad32.exe
1160	Falnad32.exe
832	Fnpoki32.exe
832	Fnpoki32.exe
1320	Fmelle32.exe
1320	Fmelle32.exe

Drops file in System32 directory 64 IoCs

Processes:

Mmoncd32.exePdbbdd32.exeMnbqff32.exeEcmkdl32.exeLmmeoajm.exeMgpifn32.exeAhpgie32.exeBcnaeb32.exeJepmcnol.exeOkooihne.exeAfaoohee.exeGicbaefp.exePcllal32.exeJhojojno.exeOoicfh32.exeGiniff32.exePlbdebfi.exeQjfqmj32.exeJlcpoilq.exeJbodac32.exeLdjpom32.exeMgjeolaf.exe7a5bd9a19205c092e07546b9d59bb15542b66b0eced308eda58e5a41f39f648e.exeNnjnakhi.exeKdejdkcc.exeLaigmbei.exeLkfeqg32.exeMkcdjk32.exeLgnmpnqd.exeQlbpde32.exeKcmdkg32.exeKjiimq32.exeKdkkjp32.exeNlkaepif.exeNbejbj32.exeLfbfha32.exeJenqnoqn.exeLmobda32.exeJidccnmm.exeKekpgbem.exeMcfcpiqj.exeFiomgbhj.exeMiehnomn.exeCohpnlkn.exeLonnqm32.exeMnokng32.exePldqjb32.exePjagbjkc.exeLljbolid.exeDjnpjhmp.exeEmepmbdh.exeGbfnokqf.exeMahnocea.exeNpijknpl.exeEjbjeg32.exeHfmhbq32.exeBalifcca.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Icmmjejg.dll	Mmoncd32.exe
File created	C:\Windows\SysWOW64\Pkljan32.exe	Pdbbdd32.exe
File opened for modification	C:\Windows\SysWOW64\Melicpbb.exe	Mnbqff32.exe
File opened for modification	C:\Windows\SysWOW64\Emepmbdh.exe	Ecmkdl32.exe
File opened for modification	C:\Windows\SysWOW64\Lgbjlj32.exe	Lmmeoajm.exe
File created	C:\Windows\SysWOW64\Gedknn32.dll	Mgpifn32.exe
File created	C:\Windows\SysWOW64\Kbiakl32.dll	Ahpgie32.exe
File created	C:\Windows\SysWOW64\Bjhjbmhg.exe	Bcnaeb32.exe
File created	C:\Windows\SysWOW64\Jhojojno.exe	Jepmcnol.exe
File created	C:\Windows\SysWOW64\Hgiini32.dll	Okooihne.exe
File created	C:\Windows\SysWOW64\Ffccbc32.dll	Afaoohee.exe
File created	C:\Windows\SysWOW64\Clkqdg32.dll	Gicbaefp.exe
File created	C:\Windows\SysWOW64\Paolmidq.exe	Pcllal32.exe
File opened for modification	C:\Windows\SysWOW64\Jkmflemc.exe	Jhojojno.exe
File created	C:\Windows\SysWOW64\Blljnf32.dll	Ooicfh32.exe
File opened for modification	C:\Windows\SysWOW64\Gbfnokqf.exe	Giniff32.exe
File created	C:\Windows\SysWOW64\Nkfadm32.dll	Plbdebfi.exe
File created	C:\Windows\SysWOW64\Nigeccen.dll	Qjfqmj32.exe
File opened for modification	C:\Windows\SysWOW64\Joalkekd.exe	Jlcpoilq.exe
File opened for modification	C:\Windows\SysWOW64\Jenqnoqn.exe	Jbodac32.exe
File opened for modification	C:\Windows\SysWOW64\Lghlki32.exe	Ldjpom32.exe
File opened for modification	C:\Windows\SysWOW64\Ocmepkmm.exe	Mgjeolaf.exe
File opened for modification	C:\Windows\SysWOW64\Ccildpbn.exe	7a5bd9a19205c092e07546b9d59bb15542b66b0eced308eda58e5a41f39f648e.exe
File created	C:\Windows\SysWOW64\Nbejbj32.exe	Nnjnakhi.exe
File created	C:\Windows\SysWOW64\Lgggnijh.dll	Pdbbdd32.exe
File created	C:\Windows\SysWOW64\Klclnmol.exe	Kdejdkcc.exe
File opened for modification	C:\Windows\SysWOW64\Ldgcindl.exe	Laigmbei.exe
File created	C:\Windows\SysWOW64\Lmgahomb.exe	Lkfeqg32.exe
File created	C:\Windows\SysWOW64\Mnbqff32.exe	Mkcdjk32.exe
File created	C:\Windows\SysWOW64\Kajecfgm.dll	Lgnmpnqd.exe
File created	C:\Windows\SysWOW64\Bhiahdcf.dll	Pcllal32.exe
File opened for modification	C:\Windows\SysWOW64\Qjfqmj32.exe	Qlbpde32.exe
File created	C:\Windows\SysWOW64\Kekpgbem.exe	Kcmdkg32.exe
File created	C:\Windows\SysWOW64\Pbigenfl.dll	Kjiimq32.exe
File opened for modification	C:\Windows\SysWOW64\Kncocfij.exe	Kdkkjp32.exe
File opened for modification	C:\Windows\SysWOW64\Nnjnakhi.exe	Nlkaepif.exe
File opened for modification	C:\Windows\SysWOW64\Necfnepf.exe	Nbejbj32.exe
File created	C:\Windows\SysWOW64\Ajcabdgc.dll	Lfbfha32.exe
File opened for modification	C:\Windows\SysWOW64\Jhlmjjpb.exe	Jenqnoqn.exe
File created	C:\Windows\SysWOW64\Lonnqm32.exe	Lmobda32.exe
File opened for modification	C:\Windows\SysWOW64\Jhgcok32.exe	Jidccnmm.exe
File created	C:\Windows\SysWOW64\Knbhhpfo.exe	Kekpgbem.exe
File created	C:\Windows\SysWOW64\Mfdoldpm.exe	Mcfcpiqj.exe
File created	C:\Windows\SysWOW64\Ahdggdaf.dll	Fiomgbhj.exe
File created	C:\Windows\SysWOW64\Mafaidgd.exe	Lgnmpnqd.exe
File created	C:\Windows\SysWOW64\Necfnepf.exe	Nbejbj32.exe
File created	C:\Windows\SysWOW64\Mhielgjk.dll	Kdejdkcc.exe
File created	C:\Windows\SysWOW64\Ioncgh32.dll	Miehnomn.exe
File created	C:\Windows\SysWOW64\Jonobafd.dll	Cohpnlkn.exe
File opened for modification	C:\Windows\SysWOW64\Lfgfmgok.exe	Lonnqm32.exe
File opened for modification	C:\Windows\SysWOW64\Mmakidic.exe	Mnokng32.exe
File created	C:\Windows\SysWOW64\Paaibi32.exe	Pldqjb32.exe
File created	C:\Windows\SysWOW64\Kdfjodpj.dll	Pjagbjkc.exe
File created	C:\Windows\SysWOW64\Dgjegc32.dll	Jlcpoilq.exe
File created	C:\Windows\SysWOW64\Lcdjlf32.exe	Lljbolid.exe
File opened for modification	C:\Windows\SysWOW64\Dgaadl32.exe	Djnpjhmp.exe
File created	C:\Windows\SysWOW64\Ebbheibp.exe	Emepmbdh.exe
File opened for modification	C:\Windows\SysWOW64\Gbijdkoc.exe	Gbfnokqf.exe
File opened for modification	C:\Windows\SysWOW64\Mmoncd32.exe	Mahnocea.exe
File opened for modification	C:\Windows\SysWOW64\Nefbcenc.exe	Npijknpl.exe
File created	C:\Windows\SysWOW64\Ecmkdl32.exe	Ejbjeg32.exe
File opened for modification	C:\Windows\SysWOW64\Jegjmpgf.exe	Hfmhbq32.exe
File created	C:\Windows\SysWOW64\Nggmdn32.dll	7a5bd9a19205c092e07546b9d59bb15542b66b0eced308eda58e5a41f39f648e.exe
File opened for modification	C:\Windows\SysWOW64\Cignkeql.exe	Balifcca.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1824 1896 WerFault.exe Oagobd32.exe

pid	pid_target	process	target process
1824	1896	WerFault.exe	Oagobd32.exe

Modifies registry class 64 IoCs

Processes:

Emepmbdh.exeBalifcca.exeCohpnlkn.exeAmifddbm.exeKekpgbem.exeLmgahomb.exeOoicfh32.exeOnphkckf.exeQkqclm32.exeAfmabkmb.exeAhpgie32.exeLdlmdm32.exeIkhnijgi.exeOflhfmpm.exeBjemlm32.exeMelicpbb.exePhidjc32.exeAggqpa32.exeJbkkfd32.exeAbcbglbg.exeOocqgjqo.exeOpfjebdj.exePjagbjkc.exeAhknnflf.exeKpcajkcp.exeDanbkf32.exeNlkaepif.exeOhkeqpgo.exePkljan32.exeJegjmpgf.exeDngpeg32.exeMbqpgk32.exeLgbjlj32.exeMmoncd32.exeBmffnhgk.exeGiniff32.exeFchifb32.exeJoalkekd.exeKcmdkg32.exeOcmepkmm.exeJglgmh32.exeMnokng32.exeJepmcnol.exeOhokin32.exeOnkopd32.exeOpifjabh.exeAnolglde.exeBbmemjjl.exeJhlmjjpb.exeKqdhda32.exePifdnfec.exeLljbolid.exeMmlkco32.exePafbnhni.exeBgljkaga.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfqael32.dll"	Emepmbdh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Balifcca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jonobafd.dll"	Cohpnlkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amifddbm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaokph32.dll"	Kekpgbem.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmgahomb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blljnf32.dll"	Ooicfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egpneq32.dll"	Onphkckf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Balifcca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qkqclm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmegmjbf.dll"	Afmabkmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afmabkmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ahpgie32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldlmdm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ikhnijgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oflhfmpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjemlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfdnmp32.dll"	Melicpbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Phidjc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aggqpa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pljdlagc.dll"	Jbkkfd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Abcbglbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oocqgjqo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fckpcm32.dll"	Opfjebdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjagbjkc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iabbenii.dll"	Ahknnflf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kekpgbem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfifakeh.dll"	Kpcajkcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjmpnf32.dll"	Balifcca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Danbkf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nlkaepif.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ohkeqpgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Opfjebdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bploolmo.dll"	Pkljan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmdchn32.dll"	Jegjmpgf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dngpeg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mbqpgk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgbjlj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mmoncd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bchcie32.dll"	Aggqpa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paolfo32.dll"	Bmffnhgk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Emepmbdh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Giniff32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aggqpa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fchifb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kaonif32.dll"	Joalkekd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kcmdkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocmepkmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jglgmh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnokng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifohad32.dll"	Jepmcnol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ohokin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Onkopd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Opifjabh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ahknnflf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anolglde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bbmemjjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jhlmjjpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgbgjn32.dll"	Kqdhda32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pifdnfec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lljbolid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mmlkco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdelicif.dll"	Pafbnhni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgljkaga.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 2044 wrote to memory of 1768	2044	7a5bd9a19205c092e07546b9d59bb15542b66b0eced308eda58e5a41f39f648e.exe	Ccildpbn.exe
PID 2044 wrote to memory of 1768	2044	7a5bd9a19205c092e07546b9d59bb15542b66b0eced308eda58e5a41f39f648e.exe	Ccildpbn.exe
PID 2044 wrote to memory of 1768	2044	7a5bd9a19205c092e07546b9d59bb15542b66b0eced308eda58e5a41f39f648e.exe	Ccildpbn.exe
PID 2044 wrote to memory of 1768	2044	7a5bd9a19205c092e07546b9d59bb15542b66b0eced308eda58e5a41f39f648e.exe	Ccildpbn.exe
PID 1768 wrote to memory of 2020	1768	Ccildpbn.exe	Mdndmk32.exe
PID 1768 wrote to memory of 2020	1768	Ccildpbn.exe	Mdndmk32.exe
PID 1768 wrote to memory of 2020	1768	Ccildpbn.exe	Mdndmk32.exe
PID 1768 wrote to memory of 2020	1768	Ccildpbn.exe	Mdndmk32.exe
PID 2020 wrote to memory of 2016	2020	Mdndmk32.exe	Memagnah.exe
PID 2020 wrote to memory of 2016	2020	Mdndmk32.exe	Memagnah.exe
PID 2020 wrote to memory of 2016	2020	Mdndmk32.exe	Memagnah.exe
PID 2020 wrote to memory of 2016	2020	Mdndmk32.exe	Memagnah.exe
PID 2016 wrote to memory of 1344	2016	Memagnah.exe	Ojiifqll.exe
PID 2016 wrote to memory of 1344	2016	Memagnah.exe	Ojiifqll.exe
PID 2016 wrote to memory of 1344	2016	Memagnah.exe	Ojiifqll.exe
PID 2016 wrote to memory of 1344	2016	Memagnah.exe	Ojiifqll.exe
PID 1344 wrote to memory of 768	1344	Ojiifqll.exe	Ofpjka32.exe
PID 1344 wrote to memory of 768	1344	Ojiifqll.exe	Ofpjka32.exe
PID 1344 wrote to memory of 768	1344	Ojiifqll.exe	Ofpjka32.exe
PID 1344 wrote to memory of 768	1344	Ojiifqll.exe	Ofpjka32.exe
PID 768 wrote to memory of 1868	768	Ofpjka32.exe	Onkopd32.exe
PID 768 wrote to memory of 1868	768	Ofpjka32.exe	Onkopd32.exe
PID 768 wrote to memory of 1868	768	Ofpjka32.exe	Onkopd32.exe
PID 768 wrote to memory of 1868	768	Ofpjka32.exe	Onkopd32.exe
PID 1868 wrote to memory of 852	1868	Onkopd32.exe	Okooihne.exe
PID 1868 wrote to memory of 852	1868	Onkopd32.exe	Okooihne.exe
PID 1868 wrote to memory of 852	1868	Onkopd32.exe	Okooihne.exe
PID 1868 wrote to memory of 852	1868	Onkopd32.exe	Okooihne.exe
PID 852 wrote to memory of 288	852	Okooihne.exe	Onphkckf.exe
PID 852 wrote to memory of 288	852	Okooihne.exe	Onphkckf.exe
PID 852 wrote to memory of 288	852	Okooihne.exe	Onphkckf.exe
PID 852 wrote to memory of 288	852	Okooihne.exe	Onphkckf.exe
PID 288 wrote to memory of 1764	288	Onphkckf.exe	Pccgdice.exe
PID 288 wrote to memory of 1764	288	Onphkckf.exe	Pccgdice.exe
PID 288 wrote to memory of 1764	288	Onphkckf.exe	Pccgdice.exe
PID 288 wrote to memory of 1764	288	Onphkckf.exe	Pccgdice.exe
PID 1764 wrote to memory of 1068	1764	Pccgdice.exe	Qlceck32.exe
PID 1764 wrote to memory of 1068	1764	Pccgdice.exe	Qlceck32.exe
PID 1764 wrote to memory of 1068	1764	Pccgdice.exe	Qlceck32.exe
PID 1764 wrote to memory of 1068	1764	Pccgdice.exe	Qlceck32.exe
PID 1068 wrote to memory of 1472	1068	Qlceck32.exe	Afaoohee.exe
PID 1068 wrote to memory of 1472	1068	Qlceck32.exe	Afaoohee.exe
PID 1068 wrote to memory of 1472	1068	Qlceck32.exe	Afaoohee.exe
PID 1068 wrote to memory of 1472	1068	Qlceck32.exe	Afaoohee.exe
PID 1472 wrote to memory of 1752	1472	Afaoohee.exe	Alcabnog.exe
PID 1472 wrote to memory of 1752	1472	Afaoohee.exe	Alcabnog.exe
PID 1472 wrote to memory of 1752	1472	Afaoohee.exe	Alcabnog.exe
PID 1472 wrote to memory of 1752	1472	Afaoohee.exe	Alcabnog.exe
PID 1752 wrote to memory of 1372	1752	Alcabnog.exe	Badcfd32.exe
PID 1752 wrote to memory of 1372	1752	Alcabnog.exe	Badcfd32.exe
PID 1752 wrote to memory of 1372	1752	Alcabnog.exe	Badcfd32.exe
PID 1752 wrote to memory of 1372	1752	Alcabnog.exe	Badcfd32.exe
PID 1372 wrote to memory of 1628	1372	Badcfd32.exe	Balifcca.exe
PID 1372 wrote to memory of 1628	1372	Badcfd32.exe	Balifcca.exe
PID 1372 wrote to memory of 1628	1372	Badcfd32.exe	Balifcca.exe
PID 1372 wrote to memory of 1628	1372	Badcfd32.exe	Balifcca.exe
PID 1628 wrote to memory of 1072	1628	Balifcca.exe	Cignkeql.exe
PID 1628 wrote to memory of 1072	1628	Balifcca.exe	Cignkeql.exe
PID 1628 wrote to memory of 1072	1628	Balifcca.exe	Cignkeql.exe
PID 1628 wrote to memory of 1072	1628	Balifcca.exe	Cignkeql.exe
PID 1072 wrote to memory of 1772	1072	Cignkeql.exe	Ckfjehho.exe
PID 1072 wrote to memory of 1772	1072	Cignkeql.exe	Ckfjehho.exe
PID 1072 wrote to memory of 1772	1072	Cignkeql.exe	Ckfjehho.exe
PID 1072 wrote to memory of 1772	1072	Cignkeql.exe	Ckfjehho.exe

C:\Users\Admin\AppData\Local\Temp\7a5bd9a19205c092e07546b9d59bb15542b66b0eced308eda58e5a41f39f648e.exe
"C:\Users\Admin\AppData\Local\Temp\7a5bd9a19205c092e07546b9d59bb15542b66b0eced308eda58e5a41f39f648e.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2044
- C:\Windows\SysWOW64\Ccildpbn.exe
  C:\Windows\system32\Ccildpbn.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1768
- - C:\Windows\SysWOW64\Mdndmk32.exe
    C:\Windows\system32\Mdndmk32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2020
  - - C:\Windows\SysWOW64\Memagnah.exe
      C:\Windows\system32\Memagnah.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2016
    - - C:\Windows\SysWOW64\Ojiifqll.exe
        
        C:\Windows\system32\Ojiifqll.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1344
      - C:\Windows\SysWOW64\Ofpjka32.exe
        
        C:\Windows\system32\Ofpjka32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:768
        
        C:\Windows\SysWOW64\Onkopd32.exe
        
        C:\Windows\system32\Onkopd32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1868
        
        C:\Windows\SysWOW64\Okooihne.exe
        
        C:\Windows\system32\Okooihne.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:852
        
        C:\Windows\SysWOW64\Onphkckf.exe
        
        C:\Windows\system32\Onphkckf.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:288
        
        C:\Windows\SysWOW64\Pccgdice.exe
        
        C:\Windows\system32\Pccgdice.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1764
        
        C:\Windows\SysWOW64\Qlceck32.exe
        
        C:\Windows\system32\Qlceck32.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1068
        
        C:\Windows\SysWOW64\Afaoohee.exe
        
        C:\Windows\system32\Afaoohee.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1472
        
        C:\Windows\SysWOW64\Alcabnog.exe
        
        C:\Windows\system32\Alcabnog.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1752
        
        C:\Windows\SysWOW64\Badcfd32.exe
        
        C:\Windows\system32\Badcfd32.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1372
        
        C:\Windows\SysWOW64\Balifcca.exe
        
        C:\Windows\system32\Balifcca.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1628
        
        C:\Windows\SysWOW64\Cignkeql.exe
        
        C:\Windows\system32\Cignkeql.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1072
        
        C:\Windows\SysWOW64\Ckfjehho.exe
        
        C:\Windows\system32\Ckfjehho.exe
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1772
        
        C:\Windows\SysWOW64\Cohpnlkn.exe
        
        C:\Windows\system32\Cohpnlkn.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:844
        
        C:\Windows\SysWOW64\Cphlho32.exe
        
        C:\Windows\system32\Cphlho32.exe
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:268
        
        C:\Windows\SysWOW64\Cpjinnpn.exe
        
        C:\Windows\system32\Cpjinnpn.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1660
        
        C:\Windows\SysWOW64\Danbkf32.exe
        
        C:\Windows\system32\Danbkf32.exe
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:240
        
        C:\Windows\SysWOW64\Dngpeg32.exe
        
        C:\Windows\system32\Dngpeg32.exe
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:1964
        
        C:\Windows\SysWOW64\Djnpjhmp.exe
        
        C:\Windows\system32\Djnpjhmp.exe
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1584
        
        C:\Windows\SysWOW64\Dgaadl32.exe
        
        C:\Windows\system32\Dgaadl32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1612
        
        C:\Windows\SysWOW64\Ejbjeg32.exe
        
        C:\Windows\system32\Ejbjeg32.exe
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1064
        
        C:\Windows\SysWOW64\Ecmkdl32.exe
        
        C:\Windows\system32\Ecmkdl32.exe
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1988
        
        C:\Windows\SysWOW64\Emepmbdh.exe
        
        C:\Windows\system32\Emepmbdh.exe
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2024
        
        C:\Windows\SysWOW64\Ebbheibp.exe
        
        C:\Windows\system32\Ebbheibp.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1980
        
        C:\Windows\SysWOW64\Fiomgbhj.exe
        
        C:\Windows\system32\Fiomgbhj.exe
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:868
        
        C:\Windows\SysWOW64\Falnad32.exe
        
        C:\Windows\system32\Falnad32.exe
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1160
        
        C:\Windows\SysWOW64\Fnpoki32.exe
        
        C:\Windows\system32\Fnpoki32.exe
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:832
        
        C:\Windows\SysWOW64\Fmelle32.exe
        
        C:\Windows\system32\Fmelle32.exe
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1320
        
        C:\Windows\SysWOW64\Ffnpdkmd.exe
        
        C:\Windows\system32\Ffnpdkmd.exe
        33⤵
        Executes dropped EXE
        
        PID:932
        
        C:\Windows\SysWOW64\Gpfemp32.exe
        
        C:\Windows\system32\Gpfemp32.exe
        34⤵
        Executes dropped EXE
        
        PID:1900
        
        C:\Windows\SysWOW64\Giniff32.exe
        
        C:\Windows\system32\Giniff32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1348
        
        C:\Windows\SysWOW64\Gbfnokqf.exe
        
        C:\Windows\system32\Gbfnokqf.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1316
        
        C:\Windows\SysWOW64\Gbijdkoc.exe
        
        C:\Windows\system32\Gbijdkoc.exe
        37⤵
        Executes dropped EXE
        
        PID:1296
        
        C:\Windows\SysWOW64\Gicbaefp.exe
        
        C:\Windows\system32\Gicbaefp.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:316
        
        C:\Windows\SysWOW64\Glclcpca.exe
        
        C:\Windows\system32\Glclcpca.exe
        39⤵
        Executes dropped EXE
        
        PID:760
        
        C:\Windows\SysWOW64\Jkddonpg.exe
        
        C:\Windows\system32\Jkddonpg.exe
        40⤵
        Executes dropped EXE
        
        PID:828
        
        C:\Windows\SysWOW64\Eolonh32.exe
        
        C:\Windows\system32\Eolonh32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1608
        
        C:\Windows\SysWOW64\Ikhnijgi.exe
        
        C:\Windows\system32\Ikhnijgi.exe
        42⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1736
        
        C:\Windows\SysWOW64\Jpaopnfb.exe
        
        C:\Windows\system32\Jpaopnfb.exe
        43⤵
        Executes dropped EXE
        
        PID:1008
        
        C:\Windows\SysWOW64\Jglgmh32.exe
        
        C:\Windows\system32\Jglgmh32.exe
        44⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:900
        
        C:\Windows\SysWOW64\Jilpnc32.exe
        
        C:\Windows\system32\Jilpnc32.exe
        45⤵
        Executes dropped EXE
        
        PID:524
        
        C:\Windows\SysWOW64\Klmipnha.exe
        
        C:\Windows\system32\Klmipnha.exe
        46⤵
        Executes dropped EXE
        
        PID:668
        
        C:\Windows\SysWOW64\Kcgamh32.exe
        
        C:\Windows\system32\Kcgamh32.exe
        47⤵
        Executes dropped EXE
        
        PID:848
        
        C:\Windows\SysWOW64\Keenid32.exe
        
        C:\Windows\system32\Keenid32.exe
        48⤵
        Executes dropped EXE
        
        PID:1292
        
        C:\Windows\SysWOW64\Klpfeneo.exe
        
        C:\Windows\system32\Klpfeneo.exe
        49⤵
        Executes dropped EXE
        
        PID:1572
        
        C:\Windows\SysWOW64\Kdkkjp32.exe
        
        C:\Windows\system32\Kdkkjp32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1364
        
        C:\Windows\SysWOW64\Kncocfij.exe
        
        C:\Windows\system32\Kncocfij.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1116
        
        C:\Windows\SysWOW64\Kqakoain.exe
        
        C:\Windows\system32\Kqakoain.exe
        52⤵
        Executes dropped EXE
        
        PID:1880
        
        C:\Windows\SysWOW64\Kkgpljhd.exe
        
        C:\Windows\system32\Kkgpljhd.exe
        53⤵
        Executes dropped EXE
        
        PID:572
        
        C:\Windows\SysWOW64\Knelhegh.exe
        
        C:\Windows\system32\Knelhegh.exe
        54⤵
        Executes dropped EXE
        
        PID:1468
        
        C:\Windows\SysWOW64\Kqdhda32.exe
        
        C:\Windows\system32\Kqdhda32.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1684
        
        C:\Windows\SysWOW64\Kqfejq32.exe
        
        C:\Windows\system32\Kqfejq32.exe
        56⤵
        Executes dropped EXE
        
        PID:1352
        
        C:\Windows\SysWOW64\Lmmeoajm.exe
        
        C:\Windows\system32\Lmmeoajm.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1500
        
        C:\Windows\SysWOW64\Lgbjlj32.exe
        
        C:\Windows\system32\Lgbjlj32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1888
        
        C:\Windows\SysWOW64\Lmobda32.exe
        
        C:\Windows\system32\Lmobda32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2000
        
        C:\Windows\SysWOW64\Lonnqm32.exe
        
        C:\Windows\system32\Lonnqm32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1996
        
        C:\Windows\SysWOW64\Lfgfmgok.exe
        
        C:\Windows\system32\Lfgfmgok.exe
        61⤵
        Executes dropped EXE
        
        PID:1404
        
        C:\Windows\SysWOW64\Lopkfl32.exe
        
        C:\Windows\system32\Lopkfl32.exe
        62⤵
        Executes dropped EXE
        
        PID:1820
        
        C:\Windows\SysWOW64\Lbngbhdo.exe
        
        C:\Windows\system32\Lbngbhdo.exe
        63⤵
        Executes dropped EXE
        
        PID:1784
        
        C:\Windows\SysWOW64\Lobhllci.exe
        
        C:\Windows\system32\Lobhllci.exe
        64⤵
        Executes dropped EXE
        
        PID:1616
        
        C:\Windows\SysWOW64\Lbqdhgbl.exe
        
        C:\Windows\system32\Lbqdhgbl.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2004
        
        C:\Windows\SysWOW64\Lgnmpnqd.exe
        
        C:\Windows\system32\Lgnmpnqd.exe
        66⤵
        Drops file in System32 directory
        
        PID:1948
        
        C:\Windows\SysWOW64\Mafaidgd.exe
        
        C:\Windows\system32\Mafaidgd.exe
        67⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\Mgpifn32.exe
        
        C:\Windows\system32\Mgpifn32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1056
        
        C:\Windows\SysWOW64\Mahnocea.exe
        
        C:\Windows\system32\Mahnocea.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1696
        
        C:\Windows\SysWOW64\Mmoncd32.exe
        
        C:\Windows\system32\Mmoncd32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1388
        
        C:\Windows\SysWOW64\Mnokng32.exe
        
        C:\Windows\system32\Mnokng32.exe
        71⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:472
        
        C:\Windows\SysWOW64\Mmakidic.exe
        
        C:\Windows\system32\Mmakidic.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1152
        
        C:\Windows\SysWOW64\Mppgephg.exe
        
        C:\Windows\system32\Mppgephg.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1312
        
        C:\Windows\SysWOW64\Mmdhodgq.exe
        
        C:\Windows\system32\Mmdhodgq.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1200
        
        C:\Windows\SysWOW64\Mbqpgk32.exe
        
        C:\Windows\system32\Mbqpgk32.exe
        75⤵
        Modifies registry class
        
        PID:1268
        
        C:\Windows\SysWOW64\Npdqpo32.exe
        
        C:\Windows\system32\Npdqpo32.exe
        76⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\Neaihf32.exe
        
        C:\Windows\system32\Neaihf32.exe
        77⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\Nlkaepif.exe
        
        C:\Windows\system32\Nlkaepif.exe
        78⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1732
        
        C:\Windows\SysWOW64\Nnjnakhi.exe
        
        C:\Windows\system32\Nnjnakhi.exe
        79⤵
        Drops file in System32 directory
        
        PID:1580
        
        C:\Windows\SysWOW64\Nbejbj32.exe
        
        C:\Windows\system32\Nbejbj32.exe
        80⤵
        Drops file in System32 directory
        
        PID:1636
        
        C:\Windows\SysWOW64\Necfnepf.exe
        
        C:\Windows\system32\Necfnepf.exe
        81⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\Niobod32.exe
        
        C:\Windows\system32\Niobod32.exe
        82⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\Npijknpl.exe
        
        C:\Windows\system32\Npijknpl.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2068
        
        C:\Windows\SysWOW64\Nefbcenc.exe
        
        C:\Windows\system32\Nefbcenc.exe
        84⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\Nhdopqmg.exe
        
        C:\Windows\system32\Nhdopqmg.exe
        85⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\Namcif32.exe
        
        C:\Windows\system32\Namcif32.exe
        86⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\Nlbgfocn.exe
        
        C:\Windows\system32\Nlbgfocn.exe
        87⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\Noqdbjba.exe
        
        C:\Windows\system32\Noqdbjba.exe
        88⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\Oflhfmpm.exe
        
        C:\Windows\system32\Oflhfmpm.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2116
        
        C:\Windows\SysWOW64\Oocqgjqo.exe
        
        C:\Windows\system32\Oocqgjqo.exe
        90⤵
        Modifies registry class
        
        PID:2124
        
        C:\Windows\SysWOW64\Oaamdepb.exe
        
        C:\Windows\system32\Oaamdepb.exe
        91⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\Ohkeqpgo.exe
        
        C:\Windows\system32\Ohkeqpgo.exe
        92⤵
        Modifies registry class
        
        PID:2140
        
        C:\Windows\SysWOW64\Okjamkfc.exe
        
        C:\Windows\system32\Okjamkfc.exe
        93⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\Omhnifeg.exe
        
        C:\Windows\system32\Omhnifeg.exe
        94⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\Opfjebdj.exe
        
        C:\Windows\system32\Opfjebdj.exe
        95⤵
        Modifies registry class
        
        PID:2164
        
        C:\Windows\SysWOW64\Ogqbal32.exe
        
        C:\Windows\system32\Ogqbal32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2172
        
        C:\Windows\SysWOW64\Oionng32.exe
        
        C:\Windows\system32\Oionng32.exe
        97⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\Omjjnfcd.exe
        
        C:\Windows\system32\Omjjnfcd.exe
        98⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\Opifjabh.exe
        
        C:\Windows\system32\Opifjabh.exe
        99⤵
        Modifies registry class
        
        PID:2196
        
        C:\Windows\SysWOW64\Oddbkp32.exe
        
        C:\Windows\system32\Oddbkp32.exe
        100⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\Oefobhqo.exe
        
        C:\Windows\system32\Oefobhqo.exe
        101⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\Oonckngp.exe
        
        C:\Windows\system32\Oonckngp.exe
        102⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\Plbdebfi.exe
        
        C:\Windows\system32\Plbdebfi.exe
        103⤵
        Drops file in System32 directory
        
        PID:2228
        
        C:\Windows\SysWOW64\Ppnpea32.exe
        
        C:\Windows\system32\Ppnpea32.exe
        104⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\Pcllal32.exe
        
        C:\Windows\system32\Pcllal32.exe
        105⤵
        Drops file in System32 directory
        
        PID:2244
        
        C:\Windows\SysWOW64\Paolmidq.exe
        
        C:\Windows\system32\Paolmidq.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2256
        
        C:\Windows\SysWOW64\Pifdnfec.exe
        
        C:\Windows\system32\Pifdnfec.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2272
        
        C:\Windows\SysWOW64\Phidjc32.exe
        
        C:\Windows\system32\Phidjc32.exe
        108⤵
        Modifies registry class
        
        PID:2288
        
        C:\Windows\SysWOW64\Pldqjb32.exe
        
        C:\Windows\system32\Pldqjb32.exe
        109⤵
        Drops file in System32 directory
        
        PID:2308
        
        C:\Windows\SysWOW64\Paaibi32.exe
        
        C:\Windows\system32\Paaibi32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2324
        
        C:\Windows\SysWOW64\Pemecgjg.exe
        
        C:\Windows\system32\Pemecgjg.exe
        111⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\Phkaocik.exe
        
        C:\Windows\system32\Phkaocik.exe
        112⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\Plgmpa32.exe
        
        C:\Windows\system32\Plgmpa32.exe
        113⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\Pnhjhjhb.exe
        
        C:\Windows\system32\Pnhjhjhb.exe
        114⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\Pacfhh32.exe
        
        C:\Windows\system32\Pacfhh32.exe
        115⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\Pdbbdd32.exe
        
        C:\Windows\system32\Pdbbdd32.exe
        116⤵
        Drops file in System32 directory
        
        PID:2440
        
        C:\Windows\SysWOW64\Pkljan32.exe
        
        C:\Windows\system32\Pkljan32.exe
        117⤵
        Modifies registry class
        
        PID:2456
        
        C:\Windows\SysWOW64\Pogfamoe.exe
        
        C:\Windows\system32\Pogfamoe.exe
        118⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\Pafbnhni.exe
        
        C:\Windows\system32\Pafbnhni.exe
        119⤵
        Modifies registry class
        
        PID:2508
        
        C:\Windows\SysWOW64\Pddojcml.exe
        
        C:\Windows\system32\Pddojcml.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2552
        
        C:\Windows\SysWOW64\Pjagbjkc.exe
        
        C:\Windows\system32\Pjagbjkc.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2604
        
        C:\Windows\SysWOW64\Pdgkpckj.exe
        
        C:\Windows\system32\Pdgkpckj.exe
        122⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\Qkqclm32.exe
        
        C:\Windows\system32\Qkqclm32.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2692
        
        C:\Windows\SysWOW64\Qlbpde32.exe
        
        C:\Windows\system32\Qlbpde32.exe
        124⤵
        Drops file in System32 directory
        
        PID:2796
        
        C:\Windows\SysWOW64\Qjfqmj32.exe
        
        C:\Windows\system32\Qjfqmj32.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2856
        
        C:\Windows\SysWOW64\Afmabkmb.exe
        
        C:\Windows\system32\Afmabkmb.exe
        126⤵
        Modifies registry class
        
        PID:2864
        
        C:\Windows\SysWOW64\Ahknnflf.exe
        
        C:\Windows\system32\Ahknnflf.exe
        127⤵
        Modifies registry class
        
        PID:2872
        
        C:\Windows\SysWOW64\Aqbepc32.exe
        
        C:\Windows\system32\Aqbepc32.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2880
        
        C:\Windows\SysWOW64\Aoefkpcc.exe
        
        C:\Windows\system32\Aoefkpcc.exe
        129⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\Abcbglbg.exe
        
        C:\Windows\system32\Abcbglbg.exe
        130⤵
        Modifies registry class
        
        PID:2896
        
        C:\Windows\SysWOW64\Ahmjdf32.exe
        
        C:\Windows\system32\Ahmjdf32.exe
        131⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\Amifddbm.exe
        
        C:\Windows\system32\Amifddbm.exe
        132⤵
        Modifies registry class
        
        PID:2912
        
        C:\Windows\SysWOW64\Aogbqpap.exe
        
        C:\Windows\system32\Aogbqpap.exe
        133⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\Abfomkqd.exe
        
        C:\Windows\system32\Abfomkqd.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2928
        
        C:\Windows\SysWOW64\Ahpgie32.exe
        
        C:\Windows\system32\Ahpgie32.exe
        135⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2936
        
        C:\Windows\SysWOW64\Anlpalfh.exe
        
        C:\Windows\system32\Anlpalfh.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2944
        
        C:\Windows\SysWOW64\Adfhof32.exe
        
        C:\Windows\system32\Adfhof32.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2952
        
        C:\Windows\SysWOW64\Anolglde.exe
        
        C:\Windows\system32\Anolglde.exe
        138⤵
        Modifies registry class
        
        PID:2960
        
        C:\Windows\SysWOW64\Aqmhcgci.exe
        
        C:\Windows\system32\Aqmhcgci.exe
        139⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\Adiddf32.exe
        
        C:\Windows\system32\Adiddf32.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2976
        
        C:\Windows\SysWOW64\Aggqpa32.exe
        
        C:\Windows\system32\Aggqpa32.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2984
        
        C:\Windows\SysWOW64\Bjemlm32.exe
        
        C:\Windows\system32\Bjemlm32.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2992
        
        C:\Windows\SysWOW64\Bbmemjjl.exe
        
        C:\Windows\system32\Bbmemjjl.exe
        143⤵
        Modifies registry class
        
        PID:3000
        
        C:\Windows\SysWOW64\Bcnaeb32.exe
        
        C:\Windows\system32\Bcnaeb32.exe
        144⤵
        Drops file in System32 directory
        
        PID:3008
        
        C:\Windows\SysWOW64\Bjhjbmhg.exe
        
        C:\Windows\system32\Bjhjbmhg.exe
        145⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\Bmffnhgk.exe
        
        C:\Windows\system32\Bmffnhgk.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3024
        
        C:\Windows\SysWOW64\Bennoegm.exe
        
        C:\Windows\system32\Bennoegm.exe
        147⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\Bgljkaga.exe
        
        C:\Windows\system32\Bgljkaga.exe
        148⤵
        Modifies registry class
        
        PID:3040
        
        C:\Windows\SysWOW64\Bnfbhk32.exe
        
        C:\Windows\system32\Bnfbhk32.exe
        149⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\Fchifb32.exe
        
        C:\Windows\system32\Fchifb32.exe
        150⤵
        Modifies registry class
        
        PID:2688
        
        C:\Windows\SysWOW64\Hfmhbq32.exe
        
        C:\Windows\system32\Hfmhbq32.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2708
        
        C:\Windows\SysWOW64\Jegjmpgf.exe
        
        C:\Windows\system32\Jegjmpgf.exe
        152⤵
        Modifies registry class
        
        PID:2716
        
        C:\Windows\SysWOW64\Jmnbnmgi.exe
        
        C:\Windows\system32\Jmnbnmgi.exe
        153⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\Jplojhfl.exe
        
        C:\Windows\system32\Jplojhfl.exe
        154⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\Jooofe32.exe
        
        C:\Windows\system32\Jooofe32.exe
        155⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\Jbkkfd32.exe
        
        C:\Windows\system32\Jbkkfd32.exe
        156⤵
        Modifies registry class
        
        PID:2764
        
        C:\Windows\SysWOW64\Jidccnmm.exe
        
        C:\Windows\system32\Jidccnmm.exe
        157⤵
        Drops file in System32 directory
        
        PID:2772
        
        C:\Windows\SysWOW64\Jhgcok32.exe
        
        C:\Windows\system32\Jhgcok32.exe
        158⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2780
        
        C:\Windows\SysWOW64\Jlcpoilq.exe
        
        C:\Windows\system32\Jlcpoilq.exe
        159⤵
        Drops file in System32 directory
        
        PID:2788
        
        C:\Windows\SysWOW64\Joalkekd.exe
        
        C:\Windows\system32\Joalkekd.exe
        160⤵
        Modifies registry class
        
        PID:2804
        
        C:\Windows\SysWOW64\Jbmhlc32.exe
        
        C:\Windows\system32\Jbmhlc32.exe
        161⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2812
        
        C:\Windows\SysWOW64\Jekdho32.exe
        
        C:\Windows\system32\Jekdho32.exe
        162⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\Jigpinkj.exe
        
        C:\Windows\system32\Jigpinkj.exe
        163⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\Jleleijn.exe
        
        C:\Windows\system32\Jleleijn.exe
        164⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\Jodhadia.exe
        
        C:\Windows\system32\Jodhadia.exe
        165⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\Jbodac32.exe
        
        C:\Windows\system32\Jbodac32.exe
        166⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2852
        
        C:\Windows\SysWOW64\Jenqnoqn.exe
        
        C:\Windows\system32\Jenqnoqn.exe
        167⤵
        Drops file in System32 directory
        
        PID:2020
        
        C:\Windows\SysWOW64\Jhlmjjpb.exe
        
        C:\Windows\system32\Jhlmjjpb.exe
        168⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2016
        
        C:\Windows\SysWOW64\Jkkifeof.exe
        
        C:\Windows\system32\Jkkifeof.exe
        169⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1344
        
        C:\Windows\SysWOW64\Jmiebani.exe
        
        C:\Windows\system32\Jmiebani.exe
        170⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:768
        
        C:\Windows\SysWOW64\Jepmcnol.exe
        
        C:\Windows\system32\Jepmcnol.exe
        171⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1868
        
        C:\Windows\SysWOW64\Jhojojno.exe
        
        C:\Windows\system32\Jhojojno.exe
        172⤵
        Drops file in System32 directory
        
        PID:852
        
        C:\Windows\SysWOW64\Jkmflemc.exe
        
        C:\Windows\system32\Jkmflemc.exe
        173⤵
        
        PID:288
        
        C:\Windows\SysWOW64\Jmkbhqlg.exe
        
        C:\Windows\system32\Jmkbhqlg.exe
        174⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\Kdejdkcc.exe
        
        C:\Windows\system32\Kdejdkcc.exe
        175⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3060
        
        C:\Windows\SysWOW64\Klclnmol.exe
        
        C:\Windows\system32\Klclnmol.exe
        176⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\Kcmdkg32.exe
        
        C:\Windows\system32\Kcmdkg32.exe
        177⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2268
        
        C:\Windows\SysWOW64\Kekpgbem.exe
        
        C:\Windows\system32\Kekpgbem.exe
        178⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2284
        
        C:\Windows\SysWOW64\Knbhhpfo.exe
        
        C:\Windows\system32\Knbhhpfo.exe
        179⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\Kocdph32.exe
        
        C:\Windows\system32\Kocdph32.exe
        180⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\Kgkmae32.exe
        
        C:\Windows\system32\Kgkmae32.exe
        181⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2320
        
        C:\Windows\SysWOW64\Kjiimq32.exe
        
        C:\Windows\system32\Kjiimq32.exe
        182⤵
        Drops file in System32 directory
        
        PID:2348
        
        C:\Windows\SysWOW64\Kpcajkcp.exe
        
        C:\Windows\system32\Kpcajkcp.exe
        183⤵
        Modifies registry class
        
        PID:2356
        
        C:\Windows\SysWOW64\Kcamffbc.exe
        
        C:\Windows\system32\Kcamffbc.exe
        184⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\Kjkecpip.exe
        
        C:\Windows\system32\Kjkecpip.exe
        185⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\Lljbolid.exe
        
        C:\Windows\system32\Lljbolid.exe
        186⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2396
        
        C:\Windows\SysWOW64\Lcdjlf32.exe
        
        C:\Windows\system32\Lcdjlf32.exe
        187⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\Lfbfha32.exe
        
        C:\Windows\system32\Lfbfha32.exe
        188⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2428
        
        C:\Windows\SysWOW64\Lhqbdm32.exe
        
        C:\Windows\system32\Lhqbdm32.exe
        189⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\Lokkqgfe.exe
        
        C:\Windows\system32\Lokkqgfe.exe
        190⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\Laigmbei.exe
        
        C:\Windows\system32\Laigmbei.exe
        191⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2468
        
        C:\Windows\SysWOW64\Ldgcindl.exe
        
        C:\Windows\system32\Ldgcindl.exe
        192⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\Lgfpei32.exe
        
        C:\Windows\system32\Lgfpei32.exe
        193⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\Lbkdbb32.exe
        
        C:\Windows\system32\Lbkdbb32.exe
        194⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\Ldjpom32.exe
        
        C:\Windows\system32\Ldjpom32.exe
        195⤵
        Drops file in System32 directory
        
        PID:2516
        
        C:\Windows\SysWOW64\Lghlki32.exe
        
        C:\Windows\system32\Lghlki32.exe
        196⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1108
        
        C:\Windows\SysWOW64\Lnbdgchj.exe
        
        C:\Windows\system32\Lnbdgchj.exe
        197⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\Ldlmdm32.exe
        
        C:\Windows\system32\Ldlmdm32.exe
        198⤵
        Modifies registry class
        
        PID:2532
        
        C:\Windows\SysWOW64\Lkfeqg32.exe
        
        C:\Windows\system32\Lkfeqg32.exe
        199⤵
        Drops file in System32 directory
        
        PID:2544
        
        C:\Windows\SysWOW64\Lmgahomb.exe
        
        C:\Windows\system32\Lmgahomb.exe
        200⤵
        Modifies registry class
        
        PID:2588
        
        C:\Windows\SysWOW64\Mgobkhke.exe
        
        C:\Windows\system32\Mgobkhke.exe
        201⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\Mmlkco32.exe
        
        C:\Windows\system32\Mmlkco32.exe
        202⤵
        Modifies registry class
        
        PID:2640
        
        C:\Windows\SysWOW64\Mqggdmaf.exe
        
        C:\Windows\system32\Mqggdmaf.exe
        203⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\Mcfcpiqj.exe
        
        C:\Windows\system32\Mcfcpiqj.exe
        204⤵
        Drops file in System32 directory
        
        PID:1508
        
        C:\Windows\SysWOW64\Mfdoldpm.exe
        
        C:\Windows\system32\Mfdoldpm.exe
        205⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1720
        
        C:\Windows\SysWOW64\Mjpkmc32.exe
        
        C:\Windows\system32\Mjpkmc32.exe
        206⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\Mbkpae32.exe
        
        C:\Windows\system32\Mbkpae32.exe
        207⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\Mfglbdnk.exe
        
        C:\Windows\system32\Mfglbdnk.exe
        208⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1620
        
        C:\Windows\SysWOW64\Miehnomn.exe
        
        C:\Windows\system32\Miehnomn.exe
        209⤵
        Drops file in System32 directory
        
        PID:1612
        
        C:\Windows\SysWOW64\Mkcdjk32.exe
        
        C:\Windows\system32\Mkcdjk32.exe
        210⤵
        Drops file in System32 directory
        
        PID:1988
        
        C:\Windows\SysWOW64\Mnbqff32.exe
        
        C:\Windows\system32\Mnbqff32.exe
        211⤵
        Drops file in System32 directory
        
        PID:1144
        
        C:\Windows\SysWOW64\Melicpbb.exe
        
        C:\Windows\system32\Melicpbb.exe
        212⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2732
        
        C:\Windows\SysWOW64\Mgjeolaf.exe
        
        C:\Windows\system32\Mgjeolaf.exe
        213⤵
        Drops file in System32 directory
        
        PID:1064
        
        C:\Windows\SysWOW64\Ocmepkmm.exe
        
        C:\Windows\system32\Ocmepkmm.exe
        214⤵
        Modifies registry class
        
        PID:1744
        
        C:\Windows\SysWOW64\Oenbgc32.exe
        
        C:\Windows\system32\Oenbgc32.exe
        215⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1980
        
        C:\Windows\SysWOW64\Olhjdmjh.exe
        
        C:\Windows\system32\Olhjdmjh.exe
        216⤵
        
        PID:868
        
        C:\Windows\SysWOW64\Ooffpiil.exe
        
        C:\Windows\system32\Ooffpiil.exe
        217⤵
        
        PID:832
        
        C:\Windows\SysWOW64\Ofnnafjn.exe
        
        C:\Windows\system32\Ofnnafjn.exe
        218⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\Ohokin32.exe
        
        C:\Windows\system32\Ohokin32.exe
        219⤵
        Modifies registry class
        
        PID:2736
        
        C:\Windows\SysWOW64\Ooicfh32.exe
        
        C:\Windows\system32\Ooicfh32.exe
        220⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1416
        
        C:\Windows\SysWOW64\Oagobd32.exe
        
        C:\Windows\system32\Oagobd32.exe
        221⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1896 -s 140
        222⤵
        Program crash
        
        PID:1824

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Afaoohee.exe

Filesize
50KB

MD5
25da9b4d9e8ee07a7ccecfe8bc140755

SHA1
9bd72c86790428073ab448f8948c6a2513765f29

SHA256
83359def89e16275a1e84e894404887e38e870df55fbab51c6442bc8da75d09b

SHA512
ce944a0fc9becde9dd2516bf819cfbba911e957bba42fa13149c1710595d114544090e6e0407bce95dbbb764b2b86c2b8a6b39974bfdeb4584f5c18e75803bf3

Download Submit
C:\Windows\SysWOW64\Afaoohee.exe

Filesize
50KB

MD5
25da9b4d9e8ee07a7ccecfe8bc140755

SHA1
9bd72c86790428073ab448f8948c6a2513765f29

SHA256
83359def89e16275a1e84e894404887e38e870df55fbab51c6442bc8da75d09b

SHA512
ce944a0fc9becde9dd2516bf819cfbba911e957bba42fa13149c1710595d114544090e6e0407bce95dbbb764b2b86c2b8a6b39974bfdeb4584f5c18e75803bf3

Download Submit
C:\Windows\SysWOW64\Alcabnog.exe

Filesize
50KB

MD5
a6217f13ba8cb53f0c878d5a7059f76a

SHA1
ab5e69192aaf85494cf48c7be682e6e421f169ce

SHA256
1a1d38ac7cb4d0c40fd68e129c25a3c1c62a2731c5f4ae1e6ea7262df90236a2

SHA512
ccfa7440f4571ac878942bce10f6796055589bee488cfeb8314e65c9ba7eb48f1d52444fbbeb632949f295897776caab003fdc7ff97a17d71ded1415db547e52

Download Submit
C:\Windows\SysWOW64\Alcabnog.exe

Filesize
50KB

MD5
a6217f13ba8cb53f0c878d5a7059f76a

SHA1
ab5e69192aaf85494cf48c7be682e6e421f169ce

SHA256
1a1d38ac7cb4d0c40fd68e129c25a3c1c62a2731c5f4ae1e6ea7262df90236a2

SHA512
ccfa7440f4571ac878942bce10f6796055589bee488cfeb8314e65c9ba7eb48f1d52444fbbeb632949f295897776caab003fdc7ff97a17d71ded1415db547e52

Download Submit
C:\Windows\SysWOW64\Badcfd32.exe

Filesize
50KB

MD5
9c73f5cfc3b0ca2c08fad08b4683b557

SHA1
78faa7361a911e627c88ecf5617768adb9c87f62

SHA256
4ca744076d1944123e531d23b9be4739a489b9553042ee75cb8887286ce461bb

SHA512
2833e74d8c1c3e647c6e3c1f3fd5979343e24cc8e65d7e5be532d73e414c15674b6959fdd2ca67a62573ceb1c29b4227ca22d4bed2d96ec2679412792d8f6c71

Download Submit
C:\Windows\SysWOW64\Badcfd32.exe

Filesize
50KB

MD5
9c73f5cfc3b0ca2c08fad08b4683b557

SHA1
78faa7361a911e627c88ecf5617768adb9c87f62

SHA256
4ca744076d1944123e531d23b9be4739a489b9553042ee75cb8887286ce461bb

SHA512
2833e74d8c1c3e647c6e3c1f3fd5979343e24cc8e65d7e5be532d73e414c15674b6959fdd2ca67a62573ceb1c29b4227ca22d4bed2d96ec2679412792d8f6c71

Download Submit
C:\Windows\SysWOW64\Balifcca.exe

Filesize
50KB

MD5
892a335efc1510ac1adfcc335f35167f

SHA1
5cf3a370d26092d0e34f1a01a044e2993002639c

SHA256
b4f98a1bb9c9be1ef1a4f6336f79a29f463d24528d0d3c9d11e3b4e23e449485

SHA512
e81729369a548d330f78983fa1256e7169287334d5c07f0af9d3e761c18f23c192c955ae59fc2004017edc37386aa1bdb5f5ed998702bbef5b0ad30612512d40

Download Submit
C:\Windows\SysWOW64\Balifcca.exe

Filesize
50KB

MD5
892a335efc1510ac1adfcc335f35167f

SHA1
5cf3a370d26092d0e34f1a01a044e2993002639c

SHA256
b4f98a1bb9c9be1ef1a4f6336f79a29f463d24528d0d3c9d11e3b4e23e449485

SHA512
e81729369a548d330f78983fa1256e7169287334d5c07f0af9d3e761c18f23c192c955ae59fc2004017edc37386aa1bdb5f5ed998702bbef5b0ad30612512d40

Download Submit
C:\Windows\SysWOW64\Ccildpbn.exe

Filesize
50KB

MD5
33f056cb1f1b855d8dc9a885b7eb13a6

SHA1
0fcaf3b0f9f4ac4734c60093e08d6e68d615bfd7

SHA256
9e06496d3341948982a760dce80456b63e4df6c1a67d8760e414ae848a825bd8

SHA512
2babcb86f2e93c12ad1f82ad8483cab75871fbf81b4a58427e2fd73d8dffac83b25a2c930369a15b409c5da3908b05d8dbef124dcc61defdb48ab8fef258ac25

Download Submit
C:\Windows\SysWOW64\Ccildpbn.exe

Filesize
50KB

MD5
33f056cb1f1b855d8dc9a885b7eb13a6

SHA1
0fcaf3b0f9f4ac4734c60093e08d6e68d615bfd7

SHA256
9e06496d3341948982a760dce80456b63e4df6c1a67d8760e414ae848a825bd8

SHA512
2babcb86f2e93c12ad1f82ad8483cab75871fbf81b4a58427e2fd73d8dffac83b25a2c930369a15b409c5da3908b05d8dbef124dcc61defdb48ab8fef258ac25

Download Submit
C:\Windows\SysWOW64\Cignkeql.exe

Filesize
50KB

MD5
8918dd64b6242724f8db79b87913a2b8

SHA1
446e4beb693ebc9d7a4132adf0dae5d28da09e9b

SHA256
48b3d5f1d01fd63cb5b38bc9e3c0f6533601d0e56f10e8e54afe8054f967d040

SHA512
05e0a8f6d39f0d7c44dc218053ab10536a17def545633076429340751ee968f192a88a6255e9b0a453fa9ee6005ac956cee0cd41e3b140fe32ee7979fdb08886

Download Submit
C:\Windows\SysWOW64\Cignkeql.exe

Filesize
50KB

MD5
8918dd64b6242724f8db79b87913a2b8

SHA1
446e4beb693ebc9d7a4132adf0dae5d28da09e9b

SHA256
48b3d5f1d01fd63cb5b38bc9e3c0f6533601d0e56f10e8e54afe8054f967d040

SHA512
05e0a8f6d39f0d7c44dc218053ab10536a17def545633076429340751ee968f192a88a6255e9b0a453fa9ee6005ac956cee0cd41e3b140fe32ee7979fdb08886

Download Submit
C:\Windows\SysWOW64\Ckfjehho.exe

Filesize
50KB

MD5
b71a550bc5dfd4748a2459a8554c3ec5

SHA1
0c1df7c39040292b57ca0bc5a97deb23be4f7372

SHA256
3857ac769272bc0ae564622a0b1c9a30762597fe57f2793976bbff849ad27c1d

SHA512
c60dae08619a6018c56e00f91441c8a3cb100674fb7b4326d1ecab88f5527d67b9b0278b29a4aaedb7771f9860f6929648bf70b8149a5e6949ed344e1ee616cd

Download Submit
C:\Windows\SysWOW64\Ckfjehho.exe

Filesize
50KB

MD5
b71a550bc5dfd4748a2459a8554c3ec5

SHA1
0c1df7c39040292b57ca0bc5a97deb23be4f7372

SHA256
3857ac769272bc0ae564622a0b1c9a30762597fe57f2793976bbff849ad27c1d

SHA512
c60dae08619a6018c56e00f91441c8a3cb100674fb7b4326d1ecab88f5527d67b9b0278b29a4aaedb7771f9860f6929648bf70b8149a5e6949ed344e1ee616cd

Download Submit
C:\Windows\SysWOW64\Mdndmk32.exe

Filesize
50KB

MD5
fde974f77bb9995a1ffbb004d1acd09e

SHA1
254f48b74a5ef1a77b8bef70a70101d8550d5eac

SHA256
b0b1eec43dd00bf22369fe7ff2891e74bc6b7a5a0ac9b5be17e993240e585746

SHA512
94c7da90a92fa07a76d31a3904b3715b7509a7a12cba4d2bcbb11b3951af08e66efa04d3b5d23b6ebde79185dc1a8577a1d06ee936a359d43c61afd9b6cdda5e

Download Submit
C:\Windows\SysWOW64\Mdndmk32.exe

Filesize
50KB

MD5
fde974f77bb9995a1ffbb004d1acd09e

SHA1
254f48b74a5ef1a77b8bef70a70101d8550d5eac

SHA256
b0b1eec43dd00bf22369fe7ff2891e74bc6b7a5a0ac9b5be17e993240e585746

SHA512
94c7da90a92fa07a76d31a3904b3715b7509a7a12cba4d2bcbb11b3951af08e66efa04d3b5d23b6ebde79185dc1a8577a1d06ee936a359d43c61afd9b6cdda5e

Download Submit
C:\Windows\SysWOW64\Memagnah.exe

Filesize
50KB

MD5
d733a2d33fc694b7d514bb0c252ec66a

SHA1
f0088f467ba2bf2de5e9d50ed3ac501e10eb941c

SHA256
cfd0d217a6de4aa702a3bce88356ba7d1142de7fe7c484c874f0d91cbd019a8e

SHA512
7080c75871644b86f327d659f2899312cc7ea7b3c2dece5281d19a1b7cc0932b5a63171762fbeda94db105dd785a76069fdedb80a96924499a0035a6564d5310

Download Submit
C:\Windows\SysWOW64\Memagnah.exe

Filesize
50KB

MD5
d733a2d33fc694b7d514bb0c252ec66a

SHA1
f0088f467ba2bf2de5e9d50ed3ac501e10eb941c

SHA256
cfd0d217a6de4aa702a3bce88356ba7d1142de7fe7c484c874f0d91cbd019a8e

SHA512
7080c75871644b86f327d659f2899312cc7ea7b3c2dece5281d19a1b7cc0932b5a63171762fbeda94db105dd785a76069fdedb80a96924499a0035a6564d5310

Download Submit
C:\Windows\SysWOW64\Ofpjka32.exe

Filesize
50KB

MD5
3c720cd8da388c64601a742c268906da

SHA1
c259a007ced2988906065deb74873434497aa4ed

SHA256
64cf1c05d535f39a923abec11ac585e5aedd9bfcd43c8795f53c9da36db9c9a4

SHA512
3d5a5f0c37b2e55902fcec84590ab11d0e9967686219af69cc396a500839a7c9b5592a806bc5e59ef5b75b01afe3349018b20d540a51ea90b00572e9d48e0c6f

Download Submit
C:\Windows\SysWOW64\Ofpjka32.exe

Filesize
50KB

MD5
3c720cd8da388c64601a742c268906da

SHA1
c259a007ced2988906065deb74873434497aa4ed

SHA256
64cf1c05d535f39a923abec11ac585e5aedd9bfcd43c8795f53c9da36db9c9a4

SHA512
3d5a5f0c37b2e55902fcec84590ab11d0e9967686219af69cc396a500839a7c9b5592a806bc5e59ef5b75b01afe3349018b20d540a51ea90b00572e9d48e0c6f

Download Submit
C:\Windows\SysWOW64\Ojiifqll.exe

Filesize
50KB

MD5
00c0b05a282814819c1a2c95361183ee

SHA1
93207b457039daf69c1d6a3e9f74f596d69e7795

SHA256
9845137fd13ddeb250eb8fa17c14dc7066f444312c54946449fb7a40674cba8c

SHA512
899f3c5cff165315aaa54e2478c263fd6ffdbade37b69edffc6d5415465bce6a590c88c159edda1fb79db0c17d27d3429807c36e486935d57ef098db7be0ba48

Download Submit
C:\Windows\SysWOW64\Ojiifqll.exe

Filesize
50KB

MD5
00c0b05a282814819c1a2c95361183ee

SHA1
93207b457039daf69c1d6a3e9f74f596d69e7795

SHA256
9845137fd13ddeb250eb8fa17c14dc7066f444312c54946449fb7a40674cba8c

SHA512
899f3c5cff165315aaa54e2478c263fd6ffdbade37b69edffc6d5415465bce6a590c88c159edda1fb79db0c17d27d3429807c36e486935d57ef098db7be0ba48

Download Submit
C:\Windows\SysWOW64\Okooihne.exe

Filesize
50KB

MD5
289306f4fa525da107d9d2622ab7b635

SHA1
0a687adf47897f27afc910ca29c150d78215b723

SHA256
a2b2f00d8d8a7343b5450bb6ae290a4c7d8523b867b96b5524a543fc805c784f

SHA512
cd7898aff544a928ec747680f136e942fbf83ef349b5d48e40969ee326facac94a42c5f603344afec7ae0f87d025769ade11d358c3e83e45950f3f5ced518ee2

Download Submit
C:\Windows\SysWOW64\Okooihne.exe

Filesize
50KB

MD5
289306f4fa525da107d9d2622ab7b635

SHA1
0a687adf47897f27afc910ca29c150d78215b723

SHA256
a2b2f00d8d8a7343b5450bb6ae290a4c7d8523b867b96b5524a543fc805c784f

SHA512
cd7898aff544a928ec747680f136e942fbf83ef349b5d48e40969ee326facac94a42c5f603344afec7ae0f87d025769ade11d358c3e83e45950f3f5ced518ee2

Download Submit
C:\Windows\SysWOW64\Onkopd32.exe

Filesize
50KB

MD5
6b34e0b9f401d890027c61ba22e3d9f6

SHA1
abc09b9d1e46d235fe0586aefa34199e624c67ef

SHA256
6805cb3079b19444135209563b213a7ece38751faf5324ca34cf87f05cba8bd4

SHA512
1985906628a6d8037285421889a0ba90d37a9bd3d79d2c1f5d9d1a94a84781111051a8bedc8e3d03c8e61dbb66145a695f976637bb0c5f1d174f7861a95db95a

Download Submit
C:\Windows\SysWOW64\Onkopd32.exe

Filesize
50KB

MD5
6b34e0b9f401d890027c61ba22e3d9f6

SHA1
abc09b9d1e46d235fe0586aefa34199e624c67ef

SHA256
6805cb3079b19444135209563b213a7ece38751faf5324ca34cf87f05cba8bd4

SHA512
1985906628a6d8037285421889a0ba90d37a9bd3d79d2c1f5d9d1a94a84781111051a8bedc8e3d03c8e61dbb66145a695f976637bb0c5f1d174f7861a95db95a

Download Submit
C:\Windows\SysWOW64\Onphkckf.exe

Filesize
50KB

MD5
1412ca6865bf318fbb5a8a4200eca4ef

SHA1
96c947dafab2164096ee51e15c0bad266d4c85e4

SHA256
5757cd35700a539a5d740e0bfcea880c255cad4d049e971a7442ad6cd2a8b1b6

SHA512
ba112d5368dae73285a00126e57a331ff77456324a61672c55317711f2c961e486289b9ae1484a438545aa2dae7166ba4e8a55b3517d1357971c46a0ea0a213a

Download Submit
C:\Windows\SysWOW64\Onphkckf.exe

Filesize
50KB

MD5
1412ca6865bf318fbb5a8a4200eca4ef

SHA1
96c947dafab2164096ee51e15c0bad266d4c85e4

SHA256
5757cd35700a539a5d740e0bfcea880c255cad4d049e971a7442ad6cd2a8b1b6

SHA512
ba112d5368dae73285a00126e57a331ff77456324a61672c55317711f2c961e486289b9ae1484a438545aa2dae7166ba4e8a55b3517d1357971c46a0ea0a213a

Download Submit
C:\Windows\SysWOW64\Pccgdice.exe

Filesize
50KB

MD5
21d7bff38ab59efc07e1964b05679292

SHA1
7700f84209fcfa2008c6c55e235ef8ada5262f31

SHA256
12ff632098fc8df26ae3e25c111522e7a37d15f95457004d34cdf04d6cebbe8c

SHA512
d4bfa3638d4d02c7f71220956441c7ed7244dec53c6406d1760c46e158b2e3daf04cc707997936286b013fc7542bc3e2d1848e64ee28c6f92de725470f90b2df

Download Submit
C:\Windows\SysWOW64\Pccgdice.exe

Filesize
50KB

MD5
21d7bff38ab59efc07e1964b05679292

SHA1
7700f84209fcfa2008c6c55e235ef8ada5262f31

SHA256
12ff632098fc8df26ae3e25c111522e7a37d15f95457004d34cdf04d6cebbe8c

SHA512
d4bfa3638d4d02c7f71220956441c7ed7244dec53c6406d1760c46e158b2e3daf04cc707997936286b013fc7542bc3e2d1848e64ee28c6f92de725470f90b2df

Download Submit
C:\Windows\SysWOW64\Qlceck32.exe

Filesize
50KB

MD5
b462718a2a6fe137129be6e969d9bca2

SHA1
9137b73620dc1038295373b93a831d05272ba72f

SHA256
d0c3784867d0252c88a30f1119137d168873e6dcfed0c51f1d24ea90c96fac6d

SHA512
f8158109714fb2530214a9c09836a3b751f607e5ae914cf0798eab8bc0ddf88b489acf381166928a4db66cd86c2d626d6736d8f5cb776791225b37cd23fb01c3

Download Submit
C:\Windows\SysWOW64\Qlceck32.exe

Filesize
50KB

MD5
b462718a2a6fe137129be6e969d9bca2

SHA1
9137b73620dc1038295373b93a831d05272ba72f

SHA256
d0c3784867d0252c88a30f1119137d168873e6dcfed0c51f1d24ea90c96fac6d

SHA512
f8158109714fb2530214a9c09836a3b751f607e5ae914cf0798eab8bc0ddf88b489acf381166928a4db66cd86c2d626d6736d8f5cb776791225b37cd23fb01c3

Download Submit
\Windows\SysWOW64\Afaoohee.exe

Filesize
50KB

MD5
25da9b4d9e8ee07a7ccecfe8bc140755

SHA1
9bd72c86790428073ab448f8948c6a2513765f29

SHA256
83359def89e16275a1e84e894404887e38e870df55fbab51c6442bc8da75d09b

SHA512
ce944a0fc9becde9dd2516bf819cfbba911e957bba42fa13149c1710595d114544090e6e0407bce95dbbb764b2b86c2b8a6b39974bfdeb4584f5c18e75803bf3

Download Submit
\Windows\SysWOW64\Afaoohee.exe

Filesize
50KB

MD5
25da9b4d9e8ee07a7ccecfe8bc140755

SHA1
9bd72c86790428073ab448f8948c6a2513765f29

SHA256
83359def89e16275a1e84e894404887e38e870df55fbab51c6442bc8da75d09b

SHA512
ce944a0fc9becde9dd2516bf819cfbba911e957bba42fa13149c1710595d114544090e6e0407bce95dbbb764b2b86c2b8a6b39974bfdeb4584f5c18e75803bf3

Download Submit
\Windows\SysWOW64\Alcabnog.exe

Filesize
50KB

MD5
a6217f13ba8cb53f0c878d5a7059f76a

SHA1
ab5e69192aaf85494cf48c7be682e6e421f169ce

SHA256
1a1d38ac7cb4d0c40fd68e129c25a3c1c62a2731c5f4ae1e6ea7262df90236a2

SHA512
ccfa7440f4571ac878942bce10f6796055589bee488cfeb8314e65c9ba7eb48f1d52444fbbeb632949f295897776caab003fdc7ff97a17d71ded1415db547e52

Download Submit
\Windows\SysWOW64\Alcabnog.exe

Filesize
50KB

MD5
a6217f13ba8cb53f0c878d5a7059f76a

SHA1
ab5e69192aaf85494cf48c7be682e6e421f169ce

SHA256
1a1d38ac7cb4d0c40fd68e129c25a3c1c62a2731c5f4ae1e6ea7262df90236a2

SHA512
ccfa7440f4571ac878942bce10f6796055589bee488cfeb8314e65c9ba7eb48f1d52444fbbeb632949f295897776caab003fdc7ff97a17d71ded1415db547e52

Download Submit
\Windows\SysWOW64\Badcfd32.exe

Filesize
50KB

MD5
9c73f5cfc3b0ca2c08fad08b4683b557

SHA1
78faa7361a911e627c88ecf5617768adb9c87f62

SHA256
4ca744076d1944123e531d23b9be4739a489b9553042ee75cb8887286ce461bb

SHA512
2833e74d8c1c3e647c6e3c1f3fd5979343e24cc8e65d7e5be532d73e414c15674b6959fdd2ca67a62573ceb1c29b4227ca22d4bed2d96ec2679412792d8f6c71

Download Submit
\Windows\SysWOW64\Badcfd32.exe

Filesize
50KB

MD5
9c73f5cfc3b0ca2c08fad08b4683b557

SHA1
78faa7361a911e627c88ecf5617768adb9c87f62

SHA256
4ca744076d1944123e531d23b9be4739a489b9553042ee75cb8887286ce461bb

SHA512
2833e74d8c1c3e647c6e3c1f3fd5979343e24cc8e65d7e5be532d73e414c15674b6959fdd2ca67a62573ceb1c29b4227ca22d4bed2d96ec2679412792d8f6c71

Download Submit
\Windows\SysWOW64\Balifcca.exe

Filesize
50KB

MD5
892a335efc1510ac1adfcc335f35167f

SHA1
5cf3a370d26092d0e34f1a01a044e2993002639c

SHA256
b4f98a1bb9c9be1ef1a4f6336f79a29f463d24528d0d3c9d11e3b4e23e449485

SHA512
e81729369a548d330f78983fa1256e7169287334d5c07f0af9d3e761c18f23c192c955ae59fc2004017edc37386aa1bdb5f5ed998702bbef5b0ad30612512d40

Download Submit
\Windows\SysWOW64\Balifcca.exe

Filesize
50KB

MD5
892a335efc1510ac1adfcc335f35167f

SHA1
5cf3a370d26092d0e34f1a01a044e2993002639c

SHA256
b4f98a1bb9c9be1ef1a4f6336f79a29f463d24528d0d3c9d11e3b4e23e449485

SHA512
e81729369a548d330f78983fa1256e7169287334d5c07f0af9d3e761c18f23c192c955ae59fc2004017edc37386aa1bdb5f5ed998702bbef5b0ad30612512d40

Download Submit
\Windows\SysWOW64\Ccildpbn.exe

Filesize
50KB

MD5
33f056cb1f1b855d8dc9a885b7eb13a6

SHA1
0fcaf3b0f9f4ac4734c60093e08d6e68d615bfd7

SHA256
9e06496d3341948982a760dce80456b63e4df6c1a67d8760e414ae848a825bd8

SHA512
2babcb86f2e93c12ad1f82ad8483cab75871fbf81b4a58427e2fd73d8dffac83b25a2c930369a15b409c5da3908b05d8dbef124dcc61defdb48ab8fef258ac25

Download Submit
\Windows\SysWOW64\Ccildpbn.exe

Filesize
50KB

MD5
33f056cb1f1b855d8dc9a885b7eb13a6

SHA1
0fcaf3b0f9f4ac4734c60093e08d6e68d615bfd7

SHA256
9e06496d3341948982a760dce80456b63e4df6c1a67d8760e414ae848a825bd8

SHA512
2babcb86f2e93c12ad1f82ad8483cab75871fbf81b4a58427e2fd73d8dffac83b25a2c930369a15b409c5da3908b05d8dbef124dcc61defdb48ab8fef258ac25

Download Submit
\Windows\SysWOW64\Cignkeql.exe

Filesize
50KB

MD5
8918dd64b6242724f8db79b87913a2b8

SHA1
446e4beb693ebc9d7a4132adf0dae5d28da09e9b

SHA256
48b3d5f1d01fd63cb5b38bc9e3c0f6533601d0e56f10e8e54afe8054f967d040

SHA512
05e0a8f6d39f0d7c44dc218053ab10536a17def545633076429340751ee968f192a88a6255e9b0a453fa9ee6005ac956cee0cd41e3b140fe32ee7979fdb08886

Download Submit
\Windows\SysWOW64\Cignkeql.exe

Filesize
50KB

MD5
8918dd64b6242724f8db79b87913a2b8

SHA1
446e4beb693ebc9d7a4132adf0dae5d28da09e9b

SHA256
48b3d5f1d01fd63cb5b38bc9e3c0f6533601d0e56f10e8e54afe8054f967d040

SHA512
05e0a8f6d39f0d7c44dc218053ab10536a17def545633076429340751ee968f192a88a6255e9b0a453fa9ee6005ac956cee0cd41e3b140fe32ee7979fdb08886

Download Submit
\Windows\SysWOW64\Ckfjehho.exe

Filesize
50KB

MD5
b71a550bc5dfd4748a2459a8554c3ec5

SHA1
0c1df7c39040292b57ca0bc5a97deb23be4f7372

SHA256
3857ac769272bc0ae564622a0b1c9a30762597fe57f2793976bbff849ad27c1d

SHA512
c60dae08619a6018c56e00f91441c8a3cb100674fb7b4326d1ecab88f5527d67b9b0278b29a4aaedb7771f9860f6929648bf70b8149a5e6949ed344e1ee616cd

Download Submit
\Windows\SysWOW64\Ckfjehho.exe

Filesize
50KB

MD5
b71a550bc5dfd4748a2459a8554c3ec5

SHA1
0c1df7c39040292b57ca0bc5a97deb23be4f7372

SHA256
3857ac769272bc0ae564622a0b1c9a30762597fe57f2793976bbff849ad27c1d

SHA512
c60dae08619a6018c56e00f91441c8a3cb100674fb7b4326d1ecab88f5527d67b9b0278b29a4aaedb7771f9860f6929648bf70b8149a5e6949ed344e1ee616cd

Download Submit
\Windows\SysWOW64\Mdndmk32.exe

Filesize
50KB

MD5
fde974f77bb9995a1ffbb004d1acd09e

SHA1
254f48b74a5ef1a77b8bef70a70101d8550d5eac

SHA256
b0b1eec43dd00bf22369fe7ff2891e74bc6b7a5a0ac9b5be17e993240e585746

SHA512
94c7da90a92fa07a76d31a3904b3715b7509a7a12cba4d2bcbb11b3951af08e66efa04d3b5d23b6ebde79185dc1a8577a1d06ee936a359d43c61afd9b6cdda5e

Download Submit
\Windows\SysWOW64\Mdndmk32.exe

Filesize
50KB

MD5
fde974f77bb9995a1ffbb004d1acd09e

SHA1
254f48b74a5ef1a77b8bef70a70101d8550d5eac

SHA256
b0b1eec43dd00bf22369fe7ff2891e74bc6b7a5a0ac9b5be17e993240e585746

SHA512
94c7da90a92fa07a76d31a3904b3715b7509a7a12cba4d2bcbb11b3951af08e66efa04d3b5d23b6ebde79185dc1a8577a1d06ee936a359d43c61afd9b6cdda5e

Download Submit
\Windows\SysWOW64\Memagnah.exe

Filesize
50KB

MD5
d733a2d33fc694b7d514bb0c252ec66a

SHA1
f0088f467ba2bf2de5e9d50ed3ac501e10eb941c

SHA256
cfd0d217a6de4aa702a3bce88356ba7d1142de7fe7c484c874f0d91cbd019a8e

SHA512
7080c75871644b86f327d659f2899312cc7ea7b3c2dece5281d19a1b7cc0932b5a63171762fbeda94db105dd785a76069fdedb80a96924499a0035a6564d5310

Download Submit
\Windows\SysWOW64\Memagnah.exe

Filesize
50KB

MD5
d733a2d33fc694b7d514bb0c252ec66a

SHA1
f0088f467ba2bf2de5e9d50ed3ac501e10eb941c

SHA256
cfd0d217a6de4aa702a3bce88356ba7d1142de7fe7c484c874f0d91cbd019a8e

SHA512
7080c75871644b86f327d659f2899312cc7ea7b3c2dece5281d19a1b7cc0932b5a63171762fbeda94db105dd785a76069fdedb80a96924499a0035a6564d5310

Download Submit
\Windows\SysWOW64\Ofpjka32.exe

Filesize
50KB

MD5
3c720cd8da388c64601a742c268906da

SHA1
c259a007ced2988906065deb74873434497aa4ed

SHA256
64cf1c05d535f39a923abec11ac585e5aedd9bfcd43c8795f53c9da36db9c9a4

SHA512
3d5a5f0c37b2e55902fcec84590ab11d0e9967686219af69cc396a500839a7c9b5592a806bc5e59ef5b75b01afe3349018b20d540a51ea90b00572e9d48e0c6f

Download Submit
\Windows\SysWOW64\Ofpjka32.exe

Filesize
50KB

MD5
3c720cd8da388c64601a742c268906da

SHA1
c259a007ced2988906065deb74873434497aa4ed

SHA256
64cf1c05d535f39a923abec11ac585e5aedd9bfcd43c8795f53c9da36db9c9a4

SHA512
3d5a5f0c37b2e55902fcec84590ab11d0e9967686219af69cc396a500839a7c9b5592a806bc5e59ef5b75b01afe3349018b20d540a51ea90b00572e9d48e0c6f

Download Submit
\Windows\SysWOW64\Ojiifqll.exe

Filesize
50KB

MD5
00c0b05a282814819c1a2c95361183ee

SHA1
93207b457039daf69c1d6a3e9f74f596d69e7795

SHA256
9845137fd13ddeb250eb8fa17c14dc7066f444312c54946449fb7a40674cba8c

SHA512
899f3c5cff165315aaa54e2478c263fd6ffdbade37b69edffc6d5415465bce6a590c88c159edda1fb79db0c17d27d3429807c36e486935d57ef098db7be0ba48

Download Submit
\Windows\SysWOW64\Ojiifqll.exe

Filesize
50KB

MD5
00c0b05a282814819c1a2c95361183ee

SHA1
93207b457039daf69c1d6a3e9f74f596d69e7795

SHA256
9845137fd13ddeb250eb8fa17c14dc7066f444312c54946449fb7a40674cba8c

SHA512
899f3c5cff165315aaa54e2478c263fd6ffdbade37b69edffc6d5415465bce6a590c88c159edda1fb79db0c17d27d3429807c36e486935d57ef098db7be0ba48

Download Submit
\Windows\SysWOW64\Okooihne.exe

Filesize
50KB

MD5
289306f4fa525da107d9d2622ab7b635

SHA1
0a687adf47897f27afc910ca29c150d78215b723

SHA256
a2b2f00d8d8a7343b5450bb6ae290a4c7d8523b867b96b5524a543fc805c784f

SHA512
cd7898aff544a928ec747680f136e942fbf83ef349b5d48e40969ee326facac94a42c5f603344afec7ae0f87d025769ade11d358c3e83e45950f3f5ced518ee2

Download Submit
\Windows\SysWOW64\Okooihne.exe

Filesize
50KB

MD5
289306f4fa525da107d9d2622ab7b635

SHA1
0a687adf47897f27afc910ca29c150d78215b723

SHA256
a2b2f00d8d8a7343b5450bb6ae290a4c7d8523b867b96b5524a543fc805c784f

SHA512
cd7898aff544a928ec747680f136e942fbf83ef349b5d48e40969ee326facac94a42c5f603344afec7ae0f87d025769ade11d358c3e83e45950f3f5ced518ee2

Download Submit
\Windows\SysWOW64\Onkopd32.exe

Filesize
50KB

MD5
6b34e0b9f401d890027c61ba22e3d9f6

SHA1
abc09b9d1e46d235fe0586aefa34199e624c67ef

SHA256
6805cb3079b19444135209563b213a7ece38751faf5324ca34cf87f05cba8bd4

SHA512
1985906628a6d8037285421889a0ba90d37a9bd3d79d2c1f5d9d1a94a84781111051a8bedc8e3d03c8e61dbb66145a695f976637bb0c5f1d174f7861a95db95a

Download Submit
\Windows\SysWOW64\Onkopd32.exe

Filesize
50KB

MD5
6b34e0b9f401d890027c61ba22e3d9f6

SHA1
abc09b9d1e46d235fe0586aefa34199e624c67ef

SHA256
6805cb3079b19444135209563b213a7ece38751faf5324ca34cf87f05cba8bd4

SHA512
1985906628a6d8037285421889a0ba90d37a9bd3d79d2c1f5d9d1a94a84781111051a8bedc8e3d03c8e61dbb66145a695f976637bb0c5f1d174f7861a95db95a

Download Submit
\Windows\SysWOW64\Onphkckf.exe

Filesize
50KB

MD5
1412ca6865bf318fbb5a8a4200eca4ef

SHA1
96c947dafab2164096ee51e15c0bad266d4c85e4

SHA256
5757cd35700a539a5d740e0bfcea880c255cad4d049e971a7442ad6cd2a8b1b6

SHA512
ba112d5368dae73285a00126e57a331ff77456324a61672c55317711f2c961e486289b9ae1484a438545aa2dae7166ba4e8a55b3517d1357971c46a0ea0a213a

Download Submit
\Windows\SysWOW64\Onphkckf.exe

Filesize
50KB

MD5
1412ca6865bf318fbb5a8a4200eca4ef

SHA1
96c947dafab2164096ee51e15c0bad266d4c85e4

SHA256
5757cd35700a539a5d740e0bfcea880c255cad4d049e971a7442ad6cd2a8b1b6

SHA512
ba112d5368dae73285a00126e57a331ff77456324a61672c55317711f2c961e486289b9ae1484a438545aa2dae7166ba4e8a55b3517d1357971c46a0ea0a213a

Download Submit
\Windows\SysWOW64\Pccgdice.exe

Filesize
50KB

MD5
21d7bff38ab59efc07e1964b05679292

SHA1
7700f84209fcfa2008c6c55e235ef8ada5262f31

SHA256
12ff632098fc8df26ae3e25c111522e7a37d15f95457004d34cdf04d6cebbe8c

SHA512
d4bfa3638d4d02c7f71220956441c7ed7244dec53c6406d1760c46e158b2e3daf04cc707997936286b013fc7542bc3e2d1848e64ee28c6f92de725470f90b2df

Download Submit
\Windows\SysWOW64\Pccgdice.exe

Filesize
50KB

MD5
21d7bff38ab59efc07e1964b05679292

SHA1
7700f84209fcfa2008c6c55e235ef8ada5262f31

SHA256
12ff632098fc8df26ae3e25c111522e7a37d15f95457004d34cdf04d6cebbe8c

SHA512
d4bfa3638d4d02c7f71220956441c7ed7244dec53c6406d1760c46e158b2e3daf04cc707997936286b013fc7542bc3e2d1848e64ee28c6f92de725470f90b2df

Download Submit
\Windows\SysWOW64\Qlceck32.exe

Filesize
50KB

MD5
b462718a2a6fe137129be6e969d9bca2

SHA1
9137b73620dc1038295373b93a831d05272ba72f

SHA256
d0c3784867d0252c88a30f1119137d168873e6dcfed0c51f1d24ea90c96fac6d

SHA512
f8158109714fb2530214a9c09836a3b751f607e5ae914cf0798eab8bc0ddf88b489acf381166928a4db66cd86c2d626d6736d8f5cb776791225b37cd23fb01c3

Download Submit
\Windows\SysWOW64\Qlceck32.exe

Filesize
50KB

MD5
b462718a2a6fe137129be6e969d9bca2

SHA1
9137b73620dc1038295373b93a831d05272ba72f

SHA256
d0c3784867d0252c88a30f1119137d168873e6dcfed0c51f1d24ea90c96fac6d

SHA512
f8158109714fb2530214a9c09836a3b751f607e5ae914cf0798eab8bc0ddf88b489acf381166928a4db66cd86c2d626d6736d8f5cb776791225b37cd23fb01c3

Download Submit
memory/240-154-0x0000000000000000-mapping.dmp

Download
memory/240-169-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/268-152-0x0000000000000000-mapping.dmp

Download
memory/268-167-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/288-102-0x0000000000000000-mapping.dmp

Download
memory/288-126-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/316-217-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/316-218-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/316-219-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/316-189-0x0000000000000000-mapping.dmp

Download
memory/524-232-0x0000000000000000-mapping.dmp

Download
memory/572-240-0x0000000000000000-mapping.dmp

Download
memory/668-233-0x0000000000000000-mapping.dmp

Download
memory/760-204-0x0000000000000000-mapping.dmp

Download
memory/768-97-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/768-78-0x0000000000000000-mapping.dmp

Download
memory/828-222-0x0000000000000000-mapping.dmp

Download
memory/832-181-0x0000000000000000-mapping.dmp

Download
memory/832-199-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/832-198-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/844-151-0x0000000000000000-mapping.dmp

Download
memory/844-166-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/848-234-0x0000000000000000-mapping.dmp

Download
memory/852-125-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/852-99-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/852-88-0x0000000000000000-mapping.dmp

Download
memory/868-194-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/868-195-0x00000000001B0000-0x00000000001E1000-memory.dmp

Filesize
196KB

Download
memory/868-180-0x00000000001B0000-0x00000000001E1000-memory.dmp

Filesize
196KB

Download
memory/868-171-0x0000000000000000-mapping.dmp

Download
memory/900-231-0x0000000000000000-mapping.dmp

Download
memory/932-206-0x00000000002E0000-0x0000000000311000-memory.dmp

Filesize
196KB

Download
memory/932-205-0x00000000002E0000-0x0000000000311000-memory.dmp

Filesize
196KB

Download
memory/932-184-0x0000000000000000-mapping.dmp

Download
memory/932-203-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1008-230-0x0000000000000000-mapping.dmp

Download
memory/1064-175-0x00000000002B0000-0x00000000002E1000-memory.dmp

Filesize
196KB

Download
memory/1064-174-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1064-158-0x0000000000000000-mapping.dmp

Download
memory/1068-131-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1068-112-0x0000000000000000-mapping.dmp

Download
memory/1072-143-0x0000000000000000-mapping.dmp

Download
memory/1072-164-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1116-238-0x0000000000000000-mapping.dmp

Download
memory/1160-197-0x00000000002A0000-0x00000000002D1000-memory.dmp

Filesize
196KB

Download
memory/1160-182-0x00000000002A0000-0x00000000002D1000-memory.dmp

Filesize
196KB

Download
memory/1160-177-0x0000000000000000-mapping.dmp

Download
memory/1160-196-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1292-235-0x0000000000000000-mapping.dmp

Download
memory/1296-215-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1296-188-0x0000000000000000-mapping.dmp

Download
memory/1296-216-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/1316-214-0x00000000002C0000-0x00000000002F1000-memory.dmp

Filesize
196KB

Download
memory/1316-187-0x0000000000000000-mapping.dmp

Download
memory/1316-213-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1320-201-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/1320-183-0x0000000000000000-mapping.dmp

Download
memory/1320-202-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/1320-200-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1344-73-0x0000000000000000-mapping.dmp

Download
memory/1344-96-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1348-210-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1348-212-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/1348-186-0x0000000000000000-mapping.dmp

Download
memory/1348-211-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/1352-243-0x0000000000000000-mapping.dmp

Download
memory/1364-237-0x0000000000000000-mapping.dmp

Download
memory/1372-161-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1372-130-0x0000000000000000-mapping.dmp

Download
memory/1404-248-0x0000000000000000-mapping.dmp

Download
memory/1468-241-0x0000000000000000-mapping.dmp

Download
memory/1472-117-0x0000000000000000-mapping.dmp

Download
memory/1472-133-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1500-244-0x0000000000000000-mapping.dmp

Download
memory/1572-236-0x0000000000000000-mapping.dmp

Download
memory/1584-172-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1584-156-0x0000000000000000-mapping.dmp

Download
memory/1608-225-0x0000000000000000-mapping.dmp

Download
memory/1612-157-0x0000000000000000-mapping.dmp

Download
memory/1612-173-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1616-251-0x0000000000000000-mapping.dmp

Download
memory/1628-162-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1628-138-0x0000000000000000-mapping.dmp

Download
memory/1660-153-0x0000000000000000-mapping.dmp

Download
memory/1660-168-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1684-242-0x0000000000000000-mapping.dmp

Download
memory/1736-229-0x0000000000000000-mapping.dmp

Download
memory/1752-135-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1752-122-0x0000000000000000-mapping.dmp

Download
memory/1764-127-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1764-107-0x0000000000000000-mapping.dmp

Download
memory/1768-58-0x0000000000000000-mapping.dmp

Download
memory/1768-92-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1768-93-0x0000000000440000-0x0000000000471000-memory.dmp

Filesize
196KB

Download
memory/1772-165-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1772-148-0x0000000000000000-mapping.dmp

Download
memory/1784-250-0x0000000000000000-mapping.dmp

Download
memory/1820-249-0x0000000000000000-mapping.dmp

Download
memory/1868-83-0x0000000000000000-mapping.dmp

Download
memory/1868-98-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1880-239-0x0000000000000000-mapping.dmp

Download
memory/1888-245-0x0000000000000000-mapping.dmp

Download
memory/1900-185-0x0000000000000000-mapping.dmp

Download
memory/1900-208-0x0000000000230000-0x0000000000261000-memory.dmp

Filesize
196KB

Download
memory/1900-209-0x0000000000230000-0x0000000000261000-memory.dmp

Filesize
196KB

Download
memory/1900-207-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1964-155-0x0000000000000000-mapping.dmp

Download
memory/1964-170-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1980-163-0x0000000000000000-mapping.dmp

Download
memory/1980-191-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1980-192-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/1980-193-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/1988-176-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1988-159-0x0000000000000000-mapping.dmp

Download
memory/1996-247-0x0000000000000000-mapping.dmp

Download
memory/2000-246-0x0000000000000000-mapping.dmp

Download
memory/2004-252-0x0000000000000000-mapping.dmp

Download
memory/2016-95-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2016-68-0x0000000000000000-mapping.dmp

Download
memory/2020-94-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2020-63-0x0000000000000000-mapping.dmp

Download
memory/2024-178-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2024-179-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/2024-160-0x0000000000000000-mapping.dmp

Download
memory/2024-190-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/2044-54-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2044-56-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/2044-91-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download