f0becaac0eefa3fd9293c8cac25c36a316f594aa88d3025a58f76c98b7ef1b6c

Analysis

max time kernel
155s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
26-11-2022 09:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f0becaac0eefa3fd9293c8cac25c36a316f594aa88d3025a58f76c98b7ef1b6c.exe
Size

50KB
MD5

a72d1322e3f7124a691f0685b4cf4290
SHA1

18e4edaff9ec85bb1cf1b0f6c81a9f267d53a29b
SHA256

f0becaac0eefa3fd9293c8cac25c36a316f594aa88d3025a58f76c98b7ef1b6c
SHA512

8013ea6828bda4905ba84839d1d73c08d3768e2c5f516a7f0bca22dd76d62e64d59a8d61bcabc6e9303e1b5961890d5501cd0ab51004c6ff7ea7a351c1845d4f
SSDEEP

768:OExxg8dBqMP8D/gg2hJA7zlSpZRczQXk9Bm5y/pa99MY6yzWmjNxH5s8pw/1H5g:OE8/g9hJA7zcfRAkyq9MBOWmjNxZ9pK

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Acfbadkb.exeNjhgnh32.exeAdgjecjh.exeAgffanik.exeMlnifb32.exeOaijokmf.exeLdnfep32.exeMeclhg32.exePcffba32.exeMplalaoj.exeNhaigbdj.exeOakfdjkc.exeAgoalc32.exeBqmnfh32.exeFdaeplhf.exeGpkcjm32.exeNoccqoeb.exeLkealjje.exeNmnaoiba.exeAdnhkhim.exeCobkgdlp.exeObocbolc.exeOebijj32.exeOnnnnl32.exeFmogdn32.exeKjaqdi32.exeLooagidq.exeKclabnoe.exeLjffnkim.exeCljfki32.exeMonmfl32.exeOindodjp.exeAafachmg.exeQfikilde.exeAchogdip.exeNigojifc.exeCnghhaag.exeFlfqkj32.exeIpkkfkim.exeGnjjhb32.exeJjoomhma.exeMkenkmlp.exeMigbkfcg.exeAcgeha32.exeAdenpclj.exeOkanhp32.exeOdjcqf32.exeBajojl32.exeJddgpn32.exeGcjdcn32.exeLanaef32.exeNpjafdch.exeAqjbkijl.exeCallol32.exeLgoogkmf.exeOmippc32.exePkakfcfb.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acfbadkb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njhgnh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adgjecjh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agffanik.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlnifb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oaijokmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldnfep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Meclhg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlnifb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcffba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njhgnh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mplalaoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nhaigbdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oakfdjkc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agoalc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bqmnfh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fdaeplhf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gpkcjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Noccqoeb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkealjje.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmnaoiba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adnhkhim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cobkgdlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Obocbolc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oebijj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onnnnl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oakfdjkc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmogdn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kjaqdi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Looagidq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adgjecjh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kclabnoe.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljffnkim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cljfki32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Monmfl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oindodjp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aafachmg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cljfki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qfikilde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Achogdip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bqmnfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nigojifc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnghhaag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Flfqkj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipkkfkim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gnjjhb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjoomhma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkenkmlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Migbkfcg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acgeha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adenpclj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Okanhp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Odjcqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bajojl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jddgpn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcjdcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gcjdcn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lanaef32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npjafdch.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqjbkijl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Callol32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgoogkmf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Omippc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pkakfcfb.exe

Executes dropped EXE 64 IoCs

Processes:

Qenkcmma.exeAoilbbbo.exeAcgeha32.exeAkdfbccn.exeBneocn32.exeBachjlge.exeBcfagdkq.exeBomale32.exeBqmnfh32.exeCobkgdlp.exeCnghhaag.exeCogdbd32.exeCbgmdoek.exeDamjek32.exeDcmcffgd.exeDcpplfea.exeDpfqagke.exeDnlnbc32.exeEalgdomo.exeEblcna32.exeEocdcbie.exeEdplki32.exeEklamcmg.exeFlpjkkab.exeFmogdn32.exeFggkmc32.exeFobpbf32.exeFlfqkj32.exeFoemge32.exeFacicaib.exeFdaeplhf.exeGnjjhb32.exeGddbelfc.exeGpkcjm32.exeGjcgcb32.exeGajodp32.exeGdikpk32.exeGkbcmeij.exeGdkhfk32.exeGgidbfoo.exeGpbikl32.exeHkpcfini.exeHdhhoo32.exeHkbpli32.exeHncind32.exeIcpafk32.exeImhfoq32.exeIgnjli32.exeIqfoeode.exeIfcgmebm.exeIpkkfkim.exeIjapcdic.exeIpnhlkgk.exeIbldhffn.exeJldiqlmo.exeJddgpn32.exeJjoomhma.exeJdgdem32.exeJmohnc32.exeJpndkn32.exeKmdaibfm.exeKbqjbidd.exeKikboc32.exeKfochg32.exe

pid	process
892	Qenkcmma.exe
1604	Aoilbbbo.exe
1336	Acgeha32.exe
1588	Akdfbccn.exe
1296	Bneocn32.exe
1340	Bachjlge.exe
676	Bcfagdkq.exe
768	Bomale32.exe
1352	Bqmnfh32.exe
1776	Cobkgdlp.exe
1540	Cnghhaag.exe
1824	Cogdbd32.exe
1644	Cbgmdoek.exe
964	Damjek32.exe
804	Dcmcffgd.exe
1992	Dcpplfea.exe
1872	Dpfqagke.exe
1740	Dnlnbc32.exe
2024	Ealgdomo.exe
288	Eblcna32.exe
748	Eocdcbie.exe
1012	Edplki32.exe
1532	Eklamcmg.exe
848	Flpjkkab.exe
1512	Fmogdn32.exe
1676	Fggkmc32.exe
1284	Fobpbf32.exe
1812	Flfqkj32.exe
1708	Foemge32.exe
1272	Facicaib.exe
308	Fdaeplhf.exe
436	Gnjjhb32.exe
1984	Gddbelfc.exe
1380	Gpkcjm32.exe
1660	Gjcgcb32.exe
776	Gajodp32.exe
1536	Gdikpk32.exe
972	Gkbcmeij.exe
1592	Gdkhfk32.exe
1580	Ggidbfoo.exe
1720	Gpbikl32.exe
984	Hkpcfini.exe
1384	Hdhhoo32.exe
1320	Hkbpli32.exe
268	Hncind32.exe
864	Icpafk32.exe
1828	Imhfoq32.exe
1528	Ignjli32.exe
784	Iqfoeode.exe
968	Ifcgmebm.exe
1240	Ipkkfkim.exe
108	Ijapcdic.exe
1692	Ipnhlkgk.exe
1500	Ibldhffn.exe
1004	Jldiqlmo.exe
1612	Jddgpn32.exe
1656	Jjoomhma.exe
1844	Jdgdem32.exe
1124	Jmohnc32.exe
868	Jpndkn32.exe
1800	Kmdaibfm.exe
1944	Kbqjbidd.exe
1112	Kikboc32.exe
1868	Kfochg32.exe

Loads dropped DLL 64 IoCs

Processes:

f0becaac0eefa3fd9293c8cac25c36a316f594aa88d3025a58f76c98b7ef1b6c.exeQenkcmma.exeAoilbbbo.exeAcgeha32.exeAkdfbccn.exeBneocn32.exeBachjlge.exeBcfagdkq.exeBomale32.exeBqmnfh32.exeCobkgdlp.exeCnghhaag.exeCogdbd32.exeCbgmdoek.exeDamjek32.exeDcmcffgd.exeDcpplfea.exeDpfqagke.exeDnlnbc32.exeEalgdomo.exeEblcna32.exeEocdcbie.exeEdplki32.exeEklamcmg.exeFlpjkkab.exeFmogdn32.exeFggkmc32.exeFobpbf32.exeFlfqkj32.exeFoemge32.exeFacicaib.exeFdaeplhf.exe

pid	process
1724	f0becaac0eefa3fd9293c8cac25c36a316f594aa88d3025a58f76c98b7ef1b6c.exe
1724	f0becaac0eefa3fd9293c8cac25c36a316f594aa88d3025a58f76c98b7ef1b6c.exe
892	Qenkcmma.exe
892	Qenkcmma.exe
1604	Aoilbbbo.exe
1604	Aoilbbbo.exe
1336	Acgeha32.exe
1336	Acgeha32.exe
1588	Akdfbccn.exe
1588	Akdfbccn.exe
1296	Bneocn32.exe
1296	Bneocn32.exe
1340	Bachjlge.exe
1340	Bachjlge.exe
676	Bcfagdkq.exe
676	Bcfagdkq.exe
768	Bomale32.exe
768	Bomale32.exe
1352	Bqmnfh32.exe
1352	Bqmnfh32.exe
1776	Cobkgdlp.exe
1776	Cobkgdlp.exe
1540	Cnghhaag.exe
1540	Cnghhaag.exe
1824	Cogdbd32.exe
1824	Cogdbd32.exe
1644	Cbgmdoek.exe
1644	Cbgmdoek.exe
964	Damjek32.exe
964	Damjek32.exe
804	Dcmcffgd.exe
804	Dcmcffgd.exe
1992	Dcpplfea.exe
1992	Dcpplfea.exe
1872	Dpfqagke.exe
1872	Dpfqagke.exe
1740	Dnlnbc32.exe
1740	Dnlnbc32.exe
2024	Ealgdomo.exe
2024	Ealgdomo.exe
288	Eblcna32.exe
288	Eblcna32.exe
748	Eocdcbie.exe
748	Eocdcbie.exe
1012	Edplki32.exe
1012	Edplki32.exe
1532	Eklamcmg.exe
1532	Eklamcmg.exe
848	Flpjkkab.exe
848	Flpjkkab.exe
1512	Fmogdn32.exe
1512	Fmogdn32.exe
1676	Fggkmc32.exe
1676	Fggkmc32.exe
1284	Fobpbf32.exe
1284	Fobpbf32.exe
1812	Flfqkj32.exe
1812	Flfqkj32.exe
1708	Foemge32.exe
1708	Foemge32.exe
1272	Facicaib.exe
1272	Facicaib.exe
308	Fdaeplhf.exe
308	Fdaeplhf.exe

Drops file in System32 directory 64 IoCs

Processes:

Gpkcjm32.exeKoeomobf.exeMleogabk.exeGdkhfk32.exeNjhgnh32.exeAepqoghb.exeNholabfm.exeQoocmb32.exeCmeijl32.exeEklamcmg.exeLglbak32.exeMhgaobmm.exeLcokga32.exeAkhqgb32.exeIfbpelib.exeBachjlge.exeKlnhfngp.exeLbhpbh32.exeMceagp32.exeNfammo32.exeAjpjno32.exeChfdlfbb.exeFkfmim32.exeDpfqagke.exeOcqlfmki.exeQbohmlka.exeLmgopf32.exeMjhobn32.exeNagajh32.exeBhcgffdd.exeJddgpn32.exeLnhgce32.exeJmohnc32.exeKahdhegj.exeLgoogkmf.exeObclbj32.exeKclabnoe.exeNbkjgp32.exePhcnjhgn.exeCaqejkgp.exeEalgdomo.exeFacicaib.exeHkbpli32.exeJdgdem32.exeAdgjecjh.exeMigbkfcg.exeOlekfeeg.exeEblcna32.exeOipadd32.exeAghcgn32.exeFibcpaqg.exeOdjcqf32.exePcffba32.exeAdnhkhim.exeCdmdaghf.exeQenkcmma.exeFobpbf32.exeKkqhak32.exeQhicpc32.exeQleppa32.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Khaklnln.dll	Gpkcjm32.exe
File created	C:\Windows\SysWOW64\Kbdkijaj.exe	Koeomobf.exe
File created	C:\Windows\SysWOW64\Codbhn32.dll	Mleogabk.exe
File opened for modification	C:\Windows\SysWOW64\Ggidbfoo.exe	Gdkhfk32.exe
File created	C:\Windows\SysWOW64\Mgkplj32.dll	Njhgnh32.exe
File opened for modification	C:\Windows\SysWOW64\Ahnmkbgf.exe	Aepqoghb.exe
File created	C:\Windows\SysWOW64\Bjengaba.dll	Nholabfm.exe
File created	C:\Windows\SysWOW64\Qfikilde.exe	Qoocmb32.exe
File created	C:\Windows\SysWOW64\Kigqbpkg.dll	Cmeijl32.exe
File created	C:\Windows\SysWOW64\Adopfe32.dll	Eklamcmg.exe
File created	C:\Windows\SysWOW64\Jpjjplne.dll	Lglbak32.exe
File created	C:\Windows\SysWOW64\Allnnplj.dll	Mhgaobmm.exe
File opened for modification	C:\Windows\SysWOW64\Lfmgcl32.exe	Lcokga32.exe
File opened for modification	C:\Windows\SysWOW64\Adqephfk.exe	Akhqgb32.exe
File created	C:\Windows\SysWOW64\Iiplagif.exe	Ifbpelib.exe
File created	C:\Windows\SysWOW64\Flghghfj.dll	Bachjlge.exe
File created	C:\Windows\SysWOW64\Hgephfdd.dll	Klnhfngp.exe
File created	C:\Windows\SysWOW64\Jnjddo32.dll	Lbhpbh32.exe
File created	C:\Windows\SysWOW64\Idjiok32.dll	Mceagp32.exe
File opened for modification	C:\Windows\SysWOW64\Mjhobn32.exe	Mleogabk.exe
File opened for modification	C:\Windows\SysWOW64\Nagajh32.exe	Nfammo32.exe
File created	C:\Windows\SysWOW64\Aqjbkijl.exe	Ajpjno32.exe
File created	C:\Windows\SysWOW64\Cjdpha32.exe	Chfdlfbb.exe
File created	C:\Windows\SysWOW64\Gcjdcn32.exe	Fkfmim32.exe
File created	C:\Windows\SysWOW64\Dnlnbc32.exe	Dpfqagke.exe
File created	C:\Windows\SysWOW64\Obclbj32.exe	Ocqlfmki.exe
File opened for modification	C:\Windows\SysWOW64\Qdpddd32.exe	Qbohmlka.exe
File created	C:\Windows\SysWOW64\Fidcmofb.dll	Lmgopf32.exe
File opened for modification	C:\Windows\SysWOW64\Ndqckdpf.exe	Mjhobn32.exe
File created	C:\Windows\SysWOW64\Ebiljn32.dll	Nagajh32.exe
File opened for modification	C:\Windows\SysWOW64\Bnnocp32.exe	Bhcgffdd.exe
File opened for modification	C:\Windows\SysWOW64\Jjoomhma.exe	Jddgpn32.exe
File opened for modification	C:\Windows\SysWOW64\Lpgcpp32.exe	Lnhgce32.exe
File created	C:\Windows\SysWOW64\Jpndkn32.exe	Jmohnc32.exe
File created	C:\Windows\SysWOW64\Ljibelbn.dll	Kahdhegj.exe
File created	C:\Windows\SysWOW64\Hpgiaa32.dll	Lgoogkmf.exe
File opened for modification	C:\Windows\SysWOW64\Oindodjp.exe	Obclbj32.exe
File created	C:\Windows\SysWOW64\Kghncm32.exe	Kclabnoe.exe
File opened for modification	C:\Windows\SysWOW64\Nkabim32.exe	Nbkjgp32.exe
File opened for modification	C:\Windows\SysWOW64\Pkakfcfb.exe	Phcnjhgn.exe
File opened for modification	C:\Windows\SysWOW64\Cpcefh32.exe	Caqejkgp.exe
File created	C:\Windows\SysWOW64\Eblcna32.exe	Ealgdomo.exe
File created	C:\Windows\SysWOW64\Fdaeplhf.exe	Facicaib.exe
File opened for modification	C:\Windows\SysWOW64\Hncind32.exe	Hkbpli32.exe
File opened for modification	C:\Windows\SysWOW64\Jmohnc32.exe	Jdgdem32.exe
File created	C:\Windows\SysWOW64\Agffanik.exe	Adgjecjh.exe
File created	C:\Windows\SysWOW64\Aehkmcqk.dll	Migbkfcg.exe
File opened for modification	C:\Windows\SysWOW64\Oocgbp32.exe	Olekfeeg.exe
File created	C:\Windows\SysWOW64\Oflfpcdd.dll	Eblcna32.exe
File created	C:\Windows\SysWOW64\Qfngfnlm.dll	Jdgdem32.exe
File opened for modification	C:\Windows\SysWOW64\Lefloc32.exe	Lbhpbh32.exe
File created	C:\Windows\SysWOW64\Efkblh32.dll	Oipadd32.exe
File created	C:\Windows\SysWOW64\Pojoea32.dll	Aghcgn32.exe
File opened for modification	C:\Windows\SysWOW64\Hbfcchpf.exe	Fibcpaqg.exe
File created	C:\Windows\SysWOW64\Pheoadbp.exe	Odjcqf32.exe
File created	C:\Windows\SysWOW64\Pfdbnmhk.exe	Pcffba32.exe
File opened for modification	C:\Windows\SysWOW64\Akhqgb32.exe	Adnhkhim.exe
File created	C:\Windows\SysWOW64\Chhqae32.exe	Cdmdaghf.exe
File created	C:\Windows\SysWOW64\Aoilbbbo.exe	Qenkcmma.exe
File created	C:\Windows\SysWOW64\Kpablmli.dll	Fobpbf32.exe
File created	C:\Windows\SysWOW64\Ajjfha32.dll	Kkqhak32.exe
File created	C:\Windows\SysWOW64\Bnnggcqh.dll	Qhicpc32.exe
File created	C:\Windows\SysWOW64\Ieianddk.dll	Qleppa32.exe
File created	C:\Windows\SysWOW64\Iomiel32.dll	Aepqoghb.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1768 1576 WerFault.exe Iiplagif.exe

pid	pid_target	process	target process
1768	1576	WerFault.exe	Iiplagif.exe

Modifies registry class 64 IoCs

Processes:

Klkkpn32.exeBcodlomm.exeJamiihef.exePhcnjhgn.exeBneocn32.exeLdnfep32.exeAhnmkbgf.exeFibcpaqg.exePheoadbp.exeCmeijl32.exeFkfmim32.exeImhfoq32.exeNjhgnh32.exeNfammo32.exeOnnnnl32.exeAqjbkijl.exeGpbikl32.exeJpndkn32.exeLbiedi32.exeOhllkfkk.exePkakfcfb.exeCogdbd32.exeGdkhfk32.exeLpdgjq32.exeNmpneh32.exeBnnocp32.exeGpkcjm32.exeMeclhg32.exeNbaomjdf.exeOmgcjc32.exeOcqlfmki.exeLfmgcl32.exeAkdfbccn.exeIpkkfkim.exeJdgdem32.exeLkhnbjhb.exeAofhbm32.exeAdgjecjh.exeLcokga32.exeOedfoi32.exeOdjcqf32.exeGkbcmeij.exeBemphjlq.exeCallol32.exef0becaac0eefa3fd9293c8cac25c36a316f594aa88d3025a58f76c98b7ef1b6c.exeHkpcfini.exeLndnheih.exeAepqoghb.exeNkoecmcn.exeFoemge32.exeJddgpn32.exeLgjflk32.exeMleogabk.exeNhaigbdj.exeQfgodlfh.exeAdnhkhim.exeKghncm32.exeKjifdhdo.exePcopaboo.exeBhcgffdd.exeCmbldm32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Klkkpn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfogae32.dll"	Bcodlomm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jamiihef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hijkhcfn.dll"	Phcnjhgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kingkbgh.dll"	Bneocn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldnfep32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ahnmkbgf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fibcpaqg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pheoadbp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmeijl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kqlgelde.dll"	Fkfmim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aholao32.dll"	Imhfoq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njhgnh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nfammo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gomofa32.dll"	Onnnnl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aqjbkijl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gpbikl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmphmdl.dll"	Jpndkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldnaal32.dll"	Lbiedi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjnnlj32.dll"	Ohllkfkk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pkakfcfb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cogdbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gdkhfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmhamlkc.dll"	Lpdgjq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iokcmnja.dll"	Nmpneh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnnocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gpkcjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikqcic32.dll"	Meclhg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbaomjdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Omgcjc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abjkaj32.dll"	Ocqlfmki.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lfmgcl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Akdfbccn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ipkkfkim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jdgdem32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lkhnbjhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aofhbm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnilbjnk.dll"	Adgjecjh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcokga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlpnac32.dll"	Oedfoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Odjcqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khaklnln.dll"	Gpkcjm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gkbcmeij.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bemphjlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcjdgdeh.dll"	Callol32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	f0becaac0eefa3fd9293c8cac25c36a316f594aa88d3025a58f76c98b7ef1b6c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hkpcfini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lndnheih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iomiel32.dll"	Aepqoghb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qkahlehf.dll"	Nkoecmcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfjbeegj.dll"	Aqjbkijl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Foemge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jddgpn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbdpeg32.dll"	Lgjflk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mleogabk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nhaigbdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mccaegim.dll"	Qfgodlfh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Adnhkhim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kghncm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kjifdhdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcopaboo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inphmcne.dll"	Bhcgffdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmbldm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmeijl32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 1724 wrote to memory of 892	1724	f0becaac0eefa3fd9293c8cac25c36a316f594aa88d3025a58f76c98b7ef1b6c.exe	Qenkcmma.exe
PID 1724 wrote to memory of 892	1724	f0becaac0eefa3fd9293c8cac25c36a316f594aa88d3025a58f76c98b7ef1b6c.exe	Qenkcmma.exe
PID 1724 wrote to memory of 892	1724	f0becaac0eefa3fd9293c8cac25c36a316f594aa88d3025a58f76c98b7ef1b6c.exe	Qenkcmma.exe
PID 1724 wrote to memory of 892	1724	f0becaac0eefa3fd9293c8cac25c36a316f594aa88d3025a58f76c98b7ef1b6c.exe	Qenkcmma.exe
PID 892 wrote to memory of 1604	892	Qenkcmma.exe	Aoilbbbo.exe
PID 892 wrote to memory of 1604	892	Qenkcmma.exe	Aoilbbbo.exe
PID 892 wrote to memory of 1604	892	Qenkcmma.exe	Aoilbbbo.exe
PID 892 wrote to memory of 1604	892	Qenkcmma.exe	Aoilbbbo.exe
PID 1604 wrote to memory of 1336	1604	Aoilbbbo.exe	Acgeha32.exe
PID 1604 wrote to memory of 1336	1604	Aoilbbbo.exe	Acgeha32.exe
PID 1604 wrote to memory of 1336	1604	Aoilbbbo.exe	Acgeha32.exe
PID 1604 wrote to memory of 1336	1604	Aoilbbbo.exe	Acgeha32.exe
PID 1336 wrote to memory of 1588	1336	Acgeha32.exe	Akdfbccn.exe
PID 1336 wrote to memory of 1588	1336	Acgeha32.exe	Akdfbccn.exe
PID 1336 wrote to memory of 1588	1336	Acgeha32.exe	Akdfbccn.exe
PID 1336 wrote to memory of 1588	1336	Acgeha32.exe	Akdfbccn.exe
PID 1588 wrote to memory of 1296	1588	Akdfbccn.exe	Bneocn32.exe
PID 1588 wrote to memory of 1296	1588	Akdfbccn.exe	Bneocn32.exe
PID 1588 wrote to memory of 1296	1588	Akdfbccn.exe	Bneocn32.exe
PID 1588 wrote to memory of 1296	1588	Akdfbccn.exe	Bneocn32.exe
PID 1296 wrote to memory of 1340	1296	Bneocn32.exe	Bachjlge.exe
PID 1296 wrote to memory of 1340	1296	Bneocn32.exe	Bachjlge.exe
PID 1296 wrote to memory of 1340	1296	Bneocn32.exe	Bachjlge.exe
PID 1296 wrote to memory of 1340	1296	Bneocn32.exe	Bachjlge.exe
PID 1340 wrote to memory of 676	1340	Bachjlge.exe	Bcfagdkq.exe
PID 1340 wrote to memory of 676	1340	Bachjlge.exe	Bcfagdkq.exe
PID 1340 wrote to memory of 676	1340	Bachjlge.exe	Bcfagdkq.exe
PID 1340 wrote to memory of 676	1340	Bachjlge.exe	Bcfagdkq.exe
PID 676 wrote to memory of 768	676	Bcfagdkq.exe	Bomale32.exe
PID 676 wrote to memory of 768	676	Bcfagdkq.exe	Bomale32.exe
PID 676 wrote to memory of 768	676	Bcfagdkq.exe	Bomale32.exe
PID 676 wrote to memory of 768	676	Bcfagdkq.exe	Bomale32.exe
PID 768 wrote to memory of 1352	768	Bomale32.exe	Bqmnfh32.exe
PID 768 wrote to memory of 1352	768	Bomale32.exe	Bqmnfh32.exe
PID 768 wrote to memory of 1352	768	Bomale32.exe	Bqmnfh32.exe
PID 768 wrote to memory of 1352	768	Bomale32.exe	Bqmnfh32.exe
PID 1352 wrote to memory of 1776	1352	Bqmnfh32.exe	Cobkgdlp.exe
PID 1352 wrote to memory of 1776	1352	Bqmnfh32.exe	Cobkgdlp.exe
PID 1352 wrote to memory of 1776	1352	Bqmnfh32.exe	Cobkgdlp.exe
PID 1352 wrote to memory of 1776	1352	Bqmnfh32.exe	Cobkgdlp.exe
PID 1776 wrote to memory of 1540	1776	Cobkgdlp.exe	Cnghhaag.exe
PID 1776 wrote to memory of 1540	1776	Cobkgdlp.exe	Cnghhaag.exe
PID 1776 wrote to memory of 1540	1776	Cobkgdlp.exe	Cnghhaag.exe
PID 1776 wrote to memory of 1540	1776	Cobkgdlp.exe	Cnghhaag.exe
PID 1540 wrote to memory of 1824	1540	Cnghhaag.exe	Cogdbd32.exe
PID 1540 wrote to memory of 1824	1540	Cnghhaag.exe	Cogdbd32.exe
PID 1540 wrote to memory of 1824	1540	Cnghhaag.exe	Cogdbd32.exe
PID 1540 wrote to memory of 1824	1540	Cnghhaag.exe	Cogdbd32.exe
PID 1824 wrote to memory of 1644	1824	Cogdbd32.exe	Cbgmdoek.exe
PID 1824 wrote to memory of 1644	1824	Cogdbd32.exe	Cbgmdoek.exe
PID 1824 wrote to memory of 1644	1824	Cogdbd32.exe	Cbgmdoek.exe
PID 1824 wrote to memory of 1644	1824	Cogdbd32.exe	Cbgmdoek.exe
PID 1644 wrote to memory of 964	1644	Cbgmdoek.exe	Damjek32.exe
PID 1644 wrote to memory of 964	1644	Cbgmdoek.exe	Damjek32.exe
PID 1644 wrote to memory of 964	1644	Cbgmdoek.exe	Damjek32.exe
PID 1644 wrote to memory of 964	1644	Cbgmdoek.exe	Damjek32.exe
PID 964 wrote to memory of 804	964	Damjek32.exe	Dcmcffgd.exe
PID 964 wrote to memory of 804	964	Damjek32.exe	Dcmcffgd.exe
PID 964 wrote to memory of 804	964	Damjek32.exe	Dcmcffgd.exe
PID 964 wrote to memory of 804	964	Damjek32.exe	Dcmcffgd.exe
PID 804 wrote to memory of 1992	804	Dcmcffgd.exe	Dcpplfea.exe
PID 804 wrote to memory of 1992	804	Dcmcffgd.exe	Dcpplfea.exe
PID 804 wrote to memory of 1992	804	Dcmcffgd.exe	Dcpplfea.exe
PID 804 wrote to memory of 1992	804	Dcmcffgd.exe	Dcpplfea.exe

C:\Users\Admin\AppData\Local\Temp\f0becaac0eefa3fd9293c8cac25c36a316f594aa88d3025a58f76c98b7ef1b6c.exe
"C:\Users\Admin\AppData\Local\Temp\f0becaac0eefa3fd9293c8cac25c36a316f594aa88d3025a58f76c98b7ef1b6c.exe"
1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1724
- C:\Windows\SysWOW64\Qenkcmma.exe
  C:\Windows\system32\Qenkcmma.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:892
- - C:\Windows\SysWOW64\Aoilbbbo.exe
    C:\Windows\system32\Aoilbbbo.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1604
  - - C:\Windows\SysWOW64\Acgeha32.exe
      C:\Windows\system32\Acgeha32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1336
    - - C:\Windows\SysWOW64\Akdfbccn.exe
        
        C:\Windows\system32\Akdfbccn.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1588
      - C:\Windows\SysWOW64\Bneocn32.exe
        
        C:\Windows\system32\Bneocn32.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1296
        
        C:\Windows\SysWOW64\Bachjlge.exe
        
        C:\Windows\system32\Bachjlge.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1340

C:\Windows\SysWOW64\Bcfagdkq.exe
C:\Windows\system32\Bcfagdkq.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:676
- C:\Windows\SysWOW64\Bomale32.exe
  C:\Windows\system32\Bomale32.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:768
- - C:\Windows\SysWOW64\Bqmnfh32.exe
    C:\Windows\system32\Bqmnfh32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1352
  - - C:\Windows\SysWOW64\Cobkgdlp.exe
      C:\Windows\system32\Cobkgdlp.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1776
    - - C:\Windows\SysWOW64\Cnghhaag.exe
        
        C:\Windows\system32\Cnghhaag.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1540
      - C:\Windows\SysWOW64\Cogdbd32.exe
        
        C:\Windows\system32\Cogdbd32.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1824
        
        C:\Windows\SysWOW64\Cbgmdoek.exe
        
        C:\Windows\system32\Cbgmdoek.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1644
        
        C:\Windows\SysWOW64\Damjek32.exe
        
        C:\Windows\system32\Damjek32.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:964
        
        C:\Windows\SysWOW64\Dcmcffgd.exe
        
        C:\Windows\system32\Dcmcffgd.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:804
        
        C:\Windows\SysWOW64\Dcpplfea.exe
        
        C:\Windows\system32\Dcpplfea.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1992
        
        C:\Windows\SysWOW64\Dpfqagke.exe
        
        C:\Windows\system32\Dpfqagke.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1872
        
        C:\Windows\SysWOW64\Dnlnbc32.exe
        
        C:\Windows\system32\Dnlnbc32.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1740
        
        C:\Windows\SysWOW64\Ealgdomo.exe
        
        C:\Windows\system32\Ealgdomo.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2024
        
        C:\Windows\SysWOW64\Eblcna32.exe
        
        C:\Windows\system32\Eblcna32.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:288
        
        C:\Windows\SysWOW64\Eocdcbie.exe
        
        C:\Windows\system32\Eocdcbie.exe
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:748
        
        C:\Windows\SysWOW64\Edplki32.exe
        
        C:\Windows\system32\Edplki32.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1012
        
        C:\Windows\SysWOW64\Eklamcmg.exe
        
        C:\Windows\system32\Eklamcmg.exe
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1532
        
        C:\Windows\SysWOW64\Flpjkkab.exe
        
        C:\Windows\system32\Flpjkkab.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:848
        
        C:\Windows\SysWOW64\Fmogdn32.exe
        
        C:\Windows\system32\Fmogdn32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1512
        
        C:\Windows\SysWOW64\Fggkmc32.exe
        
        C:\Windows\system32\Fggkmc32.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1676
        
        C:\Windows\SysWOW64\Fobpbf32.exe
        
        C:\Windows\system32\Fobpbf32.exe
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1284
        
        C:\Windows\SysWOW64\Flfqkj32.exe
        
        C:\Windows\system32\Flfqkj32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1812
        
        C:\Windows\SysWOW64\Foemge32.exe
        
        C:\Windows\system32\Foemge32.exe
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:1708
        
        C:\Windows\SysWOW64\Facicaib.exe
        
        C:\Windows\system32\Facicaib.exe
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1272
        
        C:\Windows\SysWOW64\Fdaeplhf.exe
        
        C:\Windows\system32\Fdaeplhf.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        
        PID:308
        
        C:\Windows\SysWOW64\Gnjjhb32.exe
        
        C:\Windows\system32\Gnjjhb32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:436
        
        C:\Windows\SysWOW64\Gddbelfc.exe
        
        C:\Windows\system32\Gddbelfc.exe
        27⤵
        Executes dropped EXE
        
        PID:1984
        
        C:\Windows\SysWOW64\Gpkcjm32.exe
        
        C:\Windows\system32\Gpkcjm32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1380
        
        C:\Windows\SysWOW64\Gjcgcb32.exe
        
        C:\Windows\system32\Gjcgcb32.exe
        29⤵
        Executes dropped EXE
        
        PID:1660
        
        C:\Windows\SysWOW64\Gajodp32.exe
        
        C:\Windows\system32\Gajodp32.exe
        30⤵
        Executes dropped EXE
        
        PID:776
        
        C:\Windows\SysWOW64\Gdikpk32.exe
        
        C:\Windows\system32\Gdikpk32.exe
        31⤵
        Executes dropped EXE
        
        PID:1536
        
        C:\Windows\SysWOW64\Gkbcmeij.exe
        
        C:\Windows\system32\Gkbcmeij.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:972
        
        C:\Windows\SysWOW64\Gdkhfk32.exe
        
        C:\Windows\system32\Gdkhfk32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1592
        
        C:\Windows\SysWOW64\Ggidbfoo.exe
        
        C:\Windows\system32\Ggidbfoo.exe
        34⤵
        Executes dropped EXE
        
        PID:1580
        
        C:\Windows\SysWOW64\Gpbikl32.exe
        
        C:\Windows\system32\Gpbikl32.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1720
        
        C:\Windows\SysWOW64\Hkpcfini.exe
        
        C:\Windows\system32\Hkpcfini.exe
        36⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:984
        
        C:\Windows\SysWOW64\Hdhhoo32.exe
        
        C:\Windows\system32\Hdhhoo32.exe
        37⤵
        Executes dropped EXE
        
        PID:1384
        
        C:\Windows\SysWOW64\Hkbpli32.exe
        
        C:\Windows\system32\Hkbpli32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1320
        
        C:\Windows\SysWOW64\Hncind32.exe
        
        C:\Windows\system32\Hncind32.exe
        39⤵
        Executes dropped EXE
        
        PID:268
        
        C:\Windows\SysWOW64\Icpafk32.exe
        
        C:\Windows\system32\Icpafk32.exe
        40⤵
        Executes dropped EXE
        
        PID:864
        
        C:\Windows\SysWOW64\Imhfoq32.exe
        
        C:\Windows\system32\Imhfoq32.exe
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1828
        
        C:\Windows\SysWOW64\Ignjli32.exe
        
        C:\Windows\system32\Ignjli32.exe
        42⤵
        Executes dropped EXE
        
        PID:1528
        
        C:\Windows\SysWOW64\Iqfoeode.exe
        
        C:\Windows\system32\Iqfoeode.exe
        43⤵
        Executes dropped EXE
        
        PID:784
        
        C:\Windows\SysWOW64\Ifcgmebm.exe
        
        C:\Windows\system32\Ifcgmebm.exe
        44⤵
        Executes dropped EXE
        
        PID:968
        
        C:\Windows\SysWOW64\Ipkkfkim.exe
        
        C:\Windows\system32\Ipkkfkim.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1240
        
        C:\Windows\SysWOW64\Ijapcdic.exe
        
        C:\Windows\system32\Ijapcdic.exe
        46⤵
        Executes dropped EXE
        
        PID:108
        
        C:\Windows\SysWOW64\Ipnhlkgk.exe
        
        C:\Windows\system32\Ipnhlkgk.exe
        47⤵
        Executes dropped EXE
        
        PID:1692
        
        C:\Windows\SysWOW64\Ibldhffn.exe
        
        C:\Windows\system32\Ibldhffn.exe
        48⤵
        Executes dropped EXE
        
        PID:1500
        
        C:\Windows\SysWOW64\Jldiqlmo.exe
        
        C:\Windows\system32\Jldiqlmo.exe
        49⤵
        Executes dropped EXE
        
        PID:1004
        
        C:\Windows\SysWOW64\Jddgpn32.exe
        
        C:\Windows\system32\Jddgpn32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1612
        
        C:\Windows\SysWOW64\Jjoomhma.exe
        
        C:\Windows\system32\Jjoomhma.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1656
        
        C:\Windows\SysWOW64\Jdgdem32.exe
        
        C:\Windows\system32\Jdgdem32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1844
        
        C:\Windows\SysWOW64\Jmohnc32.exe
        
        C:\Windows\system32\Jmohnc32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1124
        
        C:\Windows\SysWOW64\Jpndkn32.exe
        
        C:\Windows\system32\Jpndkn32.exe
        54⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:868
        
        C:\Windows\SysWOW64\Kmdaibfm.exe
        
        C:\Windows\system32\Kmdaibfm.exe
        55⤵
        Executes dropped EXE
        
        PID:1800
        
        C:\Windows\SysWOW64\Kbqjbidd.exe
        
        C:\Windows\system32\Kbqjbidd.exe
        56⤵
        Executes dropped EXE
        
        PID:1944
        
        C:\Windows\SysWOW64\Kikboc32.exe
        
        C:\Windows\system32\Kikboc32.exe
        57⤵
        Executes dropped EXE
        
        PID:1112
        
        C:\Windows\SysWOW64\Kfochg32.exe
        
        C:\Windows\system32\Kfochg32.exe
        58⤵
        Executes dropped EXE
        
        PID:1868
        
        C:\Windows\SysWOW64\Khpoppqi.exe
        
        C:\Windows\system32\Khpoppqi.exe
        59⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\Klkkpn32.exe
        
        C:\Windows\system32\Klkkpn32.exe
        60⤵
        Modifies registry class
        
        PID:284
        
        C:\Windows\SysWOW64\Kojgljhf.exe
        
        C:\Windows\system32\Kojgljhf.exe
        61⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\Kahdhegj.exe
        
        C:\Windows\system32\Kahdhegj.exe
        62⤵
        Drops file in System32 directory
        
        PID:952
        
        C:\Windows\SysWOW64\Kioljbhl.exe
        
        C:\Windows\system32\Kioljbhl.exe
        63⤵
        
        PID:1048
        
        C:\Windows\SysWOW64\Klnhfngp.exe
        
        C:\Windows\system32\Klnhfngp.exe
        64⤵
        Drops file in System32 directory
        
        PID:1388
        
        C:\Windows\SysWOW64\Kkqhak32.exe
        
        C:\Windows\system32\Kkqhak32.exe
        65⤵
        Drops file in System32 directory
        
        PID:1508
        
        C:\Windows\SysWOW64\Lbhpbh32.exe
        
        C:\Windows\system32\Lbhpbh32.exe
        66⤵
        Drops file in System32 directory
        
        PID:588
        
        C:\Windows\SysWOW64\Lefloc32.exe
        
        C:\Windows\system32\Lefloc32.exe
        67⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\Ldimjpdk.exe
        
        C:\Windows\system32\Ldimjpdk.exe
        68⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\Llpeknem.exe
        
        C:\Windows\system32\Llpeknem.exe
        69⤵
        
        PID:360
        
        C:\Windows\SysWOW64\Looagidq.exe
        
        C:\Windows\system32\Looagidq.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1680
        
        C:\Windows\SysWOW64\Lehidckm.exe
        
        C:\Windows\system32\Lehidckm.exe
        71⤵
        
        PID:580
        
        C:\Windows\SysWOW64\Lgjflk32.exe
        
        C:\Windows\system32\Lgjflk32.exe
        72⤵
        Modifies registry class
        
        PID:1484
        
        C:\Windows\SysWOW64\Lkealjje.exe
        
        C:\Windows\system32\Lkealjje.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2056
        
        C:\Windows\SysWOW64\Lndnheih.exe
        
        C:\Windows\system32\Lndnheih.exe
        74⤵
        Modifies registry class
        
        PID:2064
        
        C:\Windows\SysWOW64\Ldnfep32.exe
        
        C:\Windows\system32\Ldnfep32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2072
        
        C:\Windows\SysWOW64\Lglbak32.exe
        
        C:\Windows\system32\Lglbak32.exe
        76⤵
        Drops file in System32 directory
        
        PID:2080
        
        C:\Windows\SysWOW64\Lkhnbjhb.exe
        
        C:\Windows\system32\Lkhnbjhb.exe
        77⤵
        Modifies registry class
        
        PID:2088
        
        C:\Windows\SysWOW64\Laafodoo.exe
        
        C:\Windows\system32\Laafodoo.exe
        78⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\Lpdgjq32.exe
        
        C:\Windows\system32\Lpdgjq32.exe
        79⤵
        Modifies registry class
        
        PID:2104
        
        C:\Windows\SysWOW64\Lcccfl32.exe
        
        C:\Windows\system32\Lcccfl32.exe
        80⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\Lgoogkmf.exe
        
        C:\Windows\system32\Lgoogkmf.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2120
        
        C:\Windows\SysWOW64\Lnhgce32.exe
        
        C:\Windows\system32\Lnhgce32.exe
        82⤵
        Drops file in System32 directory
        
        PID:2128
        
        C:\Windows\SysWOW64\Lpgcpp32.exe
        
        C:\Windows\system32\Lpgcpp32.exe
        83⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\Lcepll32.exe
        
        C:\Windows\system32\Lcepll32.exe
        84⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\Meclhg32.exe
        
        C:\Windows\system32\Meclhg32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2152
        
        C:\Windows\SysWOW64\Mpipep32.exe
        
        C:\Windows\system32\Mpipep32.exe
        86⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\Mgchbj32.exe
        
        C:\Windows\system32\Mgchbj32.exe
        87⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\Mlpaja32.exe
        
        C:\Windows\system32\Mlpaja32.exe
        88⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\Monmfl32.exe
        
        C:\Windows\system32\Monmfl32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2184
        
        C:\Windows\SysWOW64\Mfhecfni.exe
        
        C:\Windows\system32\Mfhecfni.exe
        90⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\Mhgaobmm.exe
        
        C:\Windows\system32\Mhgaobmm.exe
        91⤵
        Drops file in System32 directory
        
        PID:2200
        
        C:\Windows\SysWOW64\Mkenkmlp.exe
        
        C:\Windows\system32\Mkenkmlp.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2572
        
        C:\Windows\SysWOW64\Nfjnhi32.exe
        
        C:\Windows\system32\Nfjnhi32.exe
        93⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\Nqpbeb32.exe
        
        C:\Windows\system32\Nqpbeb32.exe
        94⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\Noccqoeb.exe
        
        C:\Windows\system32\Noccqoeb.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2640
        
        C:\Windows\SysWOW64\Nbaomjdf.exe
        
        C:\Windows\system32\Nbaomjdf.exe
        96⤵
        Modifies registry class
        
        PID:2660
        
        C:\Windows\SysWOW64\Njhgnh32.exe
        
        C:\Windows\system32\Njhgnh32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2680
        
        C:\Windows\SysWOW64\Omgcjc32.exe
        
        C:\Windows\system32\Omgcjc32.exe
        98⤵
        Modifies registry class
        
        PID:2700
        
        C:\Windows\SysWOW64\Ocqlfmki.exe
        
        C:\Windows\system32\Ocqlfmki.exe
        99⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2716
        
        C:\Windows\SysWOW64\Obclbj32.exe
        
        C:\Windows\system32\Obclbj32.exe
        100⤵
        Drops file in System32 directory
        
        PID:2732
        
        C:\Windows\SysWOW64\Oindodjp.exe
        
        C:\Windows\system32\Oindodjp.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2752
        
        C:\Windows\SysWOW64\Omippc32.exe
        
        C:\Windows\system32\Omippc32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2768
        
        C:\Windows\SysWOW64\Oklpkpid.exe
        
        C:\Windows\system32\Oklpkpid.exe
        103⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\Opglln32.exe
        
        C:\Windows\system32\Opglln32.exe
        104⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\Obfhhj32.exe
        
        C:\Windows\system32\Obfhhj32.exe
        105⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\Ofadhhhj.exe
        
        C:\Windows\system32\Ofadhhhj.exe
        106⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\Oipadd32.exe
        
        C:\Windows\system32\Oipadd32.exe
        107⤵
        Drops file in System32 directory
        
        PID:2856
        
        C:\Windows\SysWOW64\Oknmqo32.exe
        
        C:\Windows\system32\Oknmqo32.exe
        108⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\Qoaogmdk.exe
        
        C:\Windows\system32\Qoaogmdk.exe
        109⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\Qekgcg32.exe
        
        C:\Windows\system32\Qekgcg32.exe
        110⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\Qhicpc32.exe
        
        C:\Windows\system32\Qhicpc32.exe
        111⤵
        Drops file in System32 directory
        
        PID:2908
        
        C:\Windows\SysWOW64\Qleppa32.exe
        
        C:\Windows\system32\Qleppa32.exe
        112⤵
        Drops file in System32 directory
        
        PID:2916
        
        C:\Windows\SysWOW64\Qbohmlka.exe
        
        C:\Windows\system32\Qbohmlka.exe
        113⤵
        Drops file in System32 directory
        
        PID:2924
        
        C:\Windows\SysWOW64\Qdpddd32.exe
        
        C:\Windows\system32\Qdpddd32.exe
        114⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\Qhlpebii.exe
        
        C:\Windows\system32\Qhlpebii.exe
        115⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\Aofhbm32.exe
        
        C:\Windows\system32\Aofhbm32.exe
        116⤵
        Modifies registry class
        
        PID:2948
        
        C:\Windows\SysWOW64\Aepqoghb.exe
        
        C:\Windows\system32\Aepqoghb.exe
        117⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2956
        
        C:\Windows\SysWOW64\Ahnmkbgf.exe
        
        C:\Windows\system32\Ahnmkbgf.exe
        118⤵
        Modifies registry class
        
        PID:2964
        
        C:\Windows\SysWOW64\Aoheglnc.exe
        
        C:\Windows\system32\Aoheglnc.exe
        119⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\Aafachmg.exe
        
        C:\Windows\system32\Aafachmg.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2980
        
        C:\Windows\SysWOW64\Adenpclj.exe
        
        C:\Windows\system32\Adenpclj.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2988
        
        C:\Windows\SysWOW64\Aibfhjka.exe
        
        C:\Windows\system32\Aibfhjka.exe
        122⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\Adgjecjh.exe
        
        C:\Windows\system32\Adgjecjh.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3004
        
        C:\Windows\SysWOW64\Agffanik.exe
        
        C:\Windows\system32\Agffanik.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3012
        
        C:\Windows\SysWOW64\Amponhah.exe
        
        C:\Windows\system32\Amponhah.exe
        125⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\Alboje32.exe
        
        C:\Windows\system32\Alboje32.exe
        126⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\Aghcgn32.exe
        
        C:\Windows\system32\Aghcgn32.exe
        127⤵
        Drops file in System32 directory
        
        PID:3036
        
        C:\Windows\SysWOW64\Ambkchoe.exe
        
        C:\Windows\system32\Ambkchoe.exe
        128⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\Apqhpcni.exe
        
        C:\Windows\system32\Apqhpcni.exe
        129⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\Aochkp32.exe
        
        C:\Windows\system32\Aochkp32.exe
        130⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\Bcodlomm.exe
        
        C:\Windows\system32\Bcodlomm.exe
        131⤵
        Modifies registry class
        
        PID:3068
        
        C:\Windows\SysWOW64\Bemphjlq.exe
        
        C:\Windows\system32\Bemphjlq.exe
        132⤵
        Modifies registry class
        
        PID:2528
        
        C:\Windows\SysWOW64\Fibcpaqg.exe
        
        C:\Windows\system32\Fibcpaqg.exe
        133⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2536
        
        C:\Windows\SysWOW64\Hbfcchpf.exe
        
        C:\Windows\system32\Hbfcchpf.exe
        134⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\Jamiihef.exe
        
        C:\Windows\system32\Jamiihef.exe
        135⤵
        Modifies registry class
        
        PID:2560
        
        C:\Windows\SysWOW64\Kjaqdi32.exe
        
        C:\Windows\system32\Kjaqdi32.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2568
        
        C:\Windows\SysWOW64\Kfhaijpk.exe
        
        C:\Windows\system32\Kfhaijpk.exe
        137⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\Kclabnoe.exe
        
        C:\Windows\system32\Kclabnoe.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2592
        
        C:\Windows\SysWOW64\Kghncm32.exe
        
        C:\Windows\system32\Kghncm32.exe
        139⤵
        Modifies registry class
        
        PID:2612
        
        C:\Windows\SysWOW64\Kocbgodi.exe
        
        C:\Windows\system32\Kocbgodi.exe
        140⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\Kbaocjcm.exe
        
        C:\Windows\system32\Kbaocjcm.exe
        141⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\Kjifdhdo.exe
        
        C:\Windows\system32\Kjifdhdo.exe
        142⤵
        Modifies registry class
        
        PID:2648
        
        C:\Windows\SysWOW64\Koeomobf.exe
        
        C:\Windows\system32\Koeomobf.exe
        143⤵
        Drops file in System32 directory
        
        PID:2672
        
        C:\Windows\SysWOW64\Kbdkijaj.exe
        
        C:\Windows\system32\Kbdkijaj.exe
        144⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\Kdbgeeqn.exe
        
        C:\Windows\system32\Kdbgeeqn.exe
        145⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\Lfbdohhq.exe
        
        C:\Windows\system32\Lfbdohhq.exe
        146⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\Lojhhn32.exe
        
        C:\Windows\system32\Lojhhn32.exe
        147⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\Lbiedi32.exe
        
        C:\Windows\system32\Lbiedi32.exe
        148⤵
        Modifies registry class
        
        PID:2852
        
        C:\Windows\SysWOW64\Lnoeij32.exe
        
        C:\Windows\system32\Lnoeij32.exe
        149⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\Lanaef32.exe
        
        C:\Windows\system32\Lanaef32.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2876
        
        C:\Windows\SysWOW64\Ljffnkim.exe
        
        C:\Windows\system32\Ljffnkim.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2212
        
        C:\Windows\SysWOW64\Lcokga32.exe
        
        C:\Windows\system32\Lcokga32.exe
        152⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2220
        
        C:\Windows\SysWOW64\Lfmgcl32.exe
        
        C:\Windows\system32\Lfmgcl32.exe
        153⤵
        Modifies registry class
        
        PID:2228
        
        C:\Windows\SysWOW64\Lndodjoc.exe
        
        C:\Windows\system32\Lndodjoc.exe
        154⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\Lmgopf32.exe
        
        C:\Windows\system32\Lmgopf32.exe
        155⤵
        Drops file in System32 directory
        
        PID:2244
        
        C:\Windows\SysWOW64\Lpeklb32.exe
        
        C:\Windows\system32\Lpeklb32.exe
        156⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\Lfochllo.exe
        
        C:\Windows\system32\Lfochllo.exe
        157⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\Ljkpik32.exe
        
        C:\Windows\system32\Ljkpik32.exe
        158⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\Mmilef32.exe
        
        C:\Windows\system32\Mmilef32.exe
        159⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\Mlnifb32.exe
        
        C:\Windows\system32\Mlnifb32.exe
        160⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2284
        
        C:\Windows\SysWOW64\Mpjegaal.exe
        
        C:\Windows\system32\Mpjegaal.exe
        161⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\Mceagp32.exe
        
        C:\Windows\system32\Mceagp32.exe
        162⤵
        Drops file in System32 directory
        
        PID:2300
        
        C:\Windows\SysWOW64\Mplalaoj.exe
        
        C:\Windows\system32\Mplalaoj.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2308
        
        C:\Windows\SysWOW64\Mbknhlnm.exe
        
        C:\Windows\system32\Mbknhlnm.exe
        164⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\Meijdhma.exe
        
        C:\Windows\system32\Meijdhma.exe
        165⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\Migbkfcg.exe
        
        C:\Windows\system32\Migbkfcg.exe
        166⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2332
        
        C:\Windows\SysWOW64\Mleogabk.exe
        
        C:\Windows\system32\Mleogabk.exe
        167⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2340
        
        C:\Windows\SysWOW64\Mjhobn32.exe
        
        C:\Windows\system32\Mjhobn32.exe
        168⤵
        Drops file in System32 directory
        
        PID:2348
        
        C:\Windows\SysWOW64\Ndqckdpf.exe
        
        C:\Windows\system32\Ndqckdpf.exe
        169⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\Njklhn32.exe
        
        C:\Windows\system32\Njklhn32.exe
        170⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\Nholabfm.exe
        
        C:\Windows\system32\Nholabfm.exe
        171⤵
        Drops file in System32 directory
        
        PID:2372
        
        C:\Windows\SysWOW64\Nfammo32.exe
        
        C:\Windows\system32\Nfammo32.exe
        172⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2380
        
        C:\Windows\SysWOW64\Nagajh32.exe
        
        C:\Windows\system32\Nagajh32.exe
        173⤵
        Drops file in System32 directory
        
        PID:2388
        
        C:\Windows\SysWOW64\Npjafdch.exe
        
        C:\Windows\system32\Npjafdch.exe
        174⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2396
        
        C:\Windows\SysWOW64\Nhaigbdj.exe
        
        C:\Windows\system32\Nhaigbdj.exe
        175⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2404
        
        C:\Windows\SysWOW64\Nkoecmcn.exe
        
        C:\Windows\system32\Nkoecmcn.exe
        176⤵
        Modifies registry class
        
        PID:2412
        
        C:\Windows\SysWOW64\Nmnaoiba.exe
        
        C:\Windows\system32\Nmnaoiba.exe
        177⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2420
        
        C:\Windows\SysWOW64\Nplnkd32.exe
        
        C:\Windows\system32\Nplnkd32.exe
        178⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\Nbkjgp32.exe
        
        C:\Windows\system32\Nbkjgp32.exe
        179⤵
        Drops file in System32 directory
        
        PID:2436
        
        C:\Windows\SysWOW64\Nkabim32.exe
        
        C:\Windows\system32\Nkabim32.exe
        180⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\Nmpneh32.exe
        
        C:\Windows\system32\Nmpneh32.exe
        181⤵
        Modifies registry class
        
        PID:2452
        
        C:\Windows\SysWOW64\Nbmgmo32.exe
        
        C:\Windows\system32\Nbmgmo32.exe
        182⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\Nekcik32.exe
        
        C:\Windows\system32\Nekcik32.exe
        183⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\Nigojifc.exe
        
        C:\Windows\system32\Nigojifc.exe
        184⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2500
        
        C:\Windows\SysWOW64\Nmbkjh32.exe
        
        C:\Windows\system32\Nmbkjh32.exe
        185⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\Olekfeeg.exe
        
        C:\Windows\system32\Olekfeeg.exe
        186⤵
        Drops file in System32 directory
        
        PID:1744
        
        C:\Windows\SysWOW64\Oocgbp32.exe
        
        C:\Windows\system32\Oocgbp32.exe
        187⤵
        
        PID:892
        
        C:\Windows\SysWOW64\Obocbolc.exe
        
        C:\Windows\system32\Obocbolc.exe
        188⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1408
        
        C:\Windows\SysWOW64\Ohllkfkk.exe
        
        C:\Windows\system32\Ohllkfkk.exe
        189⤵
        Modifies registry class
        
        PID:1264
        
        C:\Windows\SysWOW64\Ocaphoja.exe
        
        C:\Windows\system32\Ocaphoja.exe
        190⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\Oadpdk32.exe
        
        C:\Windows\system32\Oadpdk32.exe
        191⤵
        
        PID:932
        
        C:\Windows\SysWOW64\Oilhei32.exe
        
        C:\Windows\system32\Oilhei32.exe
        192⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\Ohniqehh.exe
        
        C:\Windows\system32\Ohniqehh.exe
        193⤵
        
        PID:964
        
        C:\Windows\SysWOW64\Oljdad32.exe
        
        C:\Windows\system32\Oljdad32.exe
        194⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\Ocdmnn32.exe
        
        C:\Windows\system32\Ocdmnn32.exe
        195⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\Oebijj32.exe
        
        C:\Windows\system32\Oebijj32.exe
        196⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1620
        
        C:\Windows\SysWOW64\Ollafdoo.exe
        
        C:\Windows\system32\Ollafdoo.exe
        197⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\Okoabq32.exe
        
        C:\Windows\system32\Okoabq32.exe
        198⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\Onnnnl32.exe
        
        C:\Windows\system32\Onnnnl32.exe
        199⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1348
        
        C:\Windows\SysWOW64\Oaijokmf.exe
        
        C:\Windows\system32\Oaijokmf.exe
        200⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1796
        
        C:\Windows\SysWOW64\Oedfoi32.exe
        
        C:\Windows\system32\Oedfoi32.exe
        201⤵
        Modifies registry class
        
        PID:1984
        
        C:\Windows\SysWOW64\Ohcble32.exe
        
        C:\Windows\system32\Ohcble32.exe
        202⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\Okanhp32.exe
        
        C:\Windows\system32\Okanhp32.exe
        203⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1536
        
        C:\Windows\SysWOW64\Onpjdl32.exe
        
        C:\Windows\system32\Onpjdl32.exe
        204⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\Oakfdjkc.exe
        
        C:\Windows\system32\Oakfdjkc.exe
        205⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1720
        
        C:\Windows\SysWOW64\Odjcqf32.exe
        
        C:\Windows\system32\Odjcqf32.exe
        206⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1324
        
        C:\Windows\SysWOW64\Pheoadbp.exe
        
        C:\Windows\system32\Pheoadbp.exe
        207⤵
        Modifies registry class
        
        PID:864
        
        C:\Windows\SysWOW64\Pghoma32.exe
        
        C:\Windows\system32\Pghoma32.exe
        208⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\Pjgkim32.exe
        
        C:\Windows\system32\Pjgkim32.exe
        209⤵
        
        PID:824
        
        C:\Windows\SysWOW64\Pancjj32.exe
        
        C:\Windows\system32\Pancjj32.exe
        210⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\Ppqcegpk.exe
        
        C:\Windows\system32\Ppqcegpk.exe
        211⤵
        
        PID:300
        
        C:\Windows\SysWOW64\Pcopaboo.exe
        
        C:\Windows\system32\Pcopaboo.exe
        212⤵
        Modifies registry class
        
        PID:1656
        
        C:\Windows\SysWOW64\Pgklba32.exe
        
        C:\Windows\system32\Pgklba32.exe
        213⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\Pllnegaj.exe
        
        C:\Windows\system32\Pllnegaj.exe
        214⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\Pcffba32.exe
        
        C:\Windows\system32\Pcffba32.exe
        215⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2088
        
        C:\Windows\SysWOW64\Pfdbnmhk.exe
        
        C:\Windows\system32\Pfdbnmhk.exe
        216⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\Phcnjhgn.exe
        
        C:\Windows\system32\Phcnjhgn.exe
        217⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2104
        
        C:\Windows\SysWOW64\Pkakfcfb.exe
        
        C:\Windows\system32\Pkakfcfb.exe
        218⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2112
        
        C:\Windows\SysWOW64\Qbkccn32.exe
        
        C:\Windows\system32\Qbkccn32.exe
        219⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\Qfgodlfh.exe
        
        C:\Windows\system32\Qfgodlfh.exe
        220⤵
        Modifies registry class
        
        PID:2128
        
        C:\Windows\SysWOW64\Qhekphel.exe
        
        C:\Windows\system32\Qhekphel.exe
        221⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\Qoocmb32.exe
        
        C:\Windows\system32\Qoocmb32.exe
        222⤵
        Drops file in System32 directory
        
        PID:2144
        
        C:\Windows\SysWOW64\Qfikilde.exe
        
        C:\Windows\system32\Qfikilde.exe
        223⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2152
        
        C:\Windows\SysWOW64\Qhgheg32.exe
        
        C:\Windows\system32\Qhgheg32.exe
        224⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\Qgjhadjc.exe
        
        C:\Windows\system32\Qgjhadjc.exe
        225⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\Aoapbajf.exe
        
        C:\Windows\system32\Aoapbajf.exe
        226⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\Abplnmij.exe
        
        C:\Windows\system32\Abplnmij.exe
        227⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\Adnhkhim.exe
        
        C:\Windows\system32\Adnhkhim.exe
        228⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2192
        
        C:\Windows\SysWOW64\Akhqgb32.exe
        
        C:\Windows\system32\Akhqgb32.exe
        229⤵
        Drops file in System32 directory
        
        PID:2200
        
        C:\Windows\SysWOW64\Adqephfk.exe
        
        C:\Windows\system32\Adqephfk.exe
        230⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\Agoalc32.exe
        
        C:\Windows\system32\Agoalc32.exe
        231⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2604
        
        C:\Windows\SysWOW64\Ajnnho32.exe
        
        C:\Windows\system32\Ajnnho32.exe
        232⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\Aqgfeilo.exe
        
        C:\Windows\system32\Aqgfeilo.exe
        233⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\Acfbadkb.exe
        
        C:\Windows\system32\Acfbadkb.exe
        234⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2660
        
        C:\Windows\SysWOW64\Ajpjno32.exe
        
        C:\Windows\system32\Ajpjno32.exe
        235⤵
        Drops file in System32 directory
        
        PID:2680
        
        C:\Windows\SysWOW64\Aqjbkijl.exe
        
        C:\Windows\system32\Aqjbkijl.exe
        236⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2700
        
        C:\Windows\SysWOW64\Achogdip.exe
        
        C:\Windows\system32\Achogdip.exe
        237⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2716
        
        C:\Windows\SysWOW64\Bajojl32.exe
        
        C:\Windows\system32\Bajojl32.exe
        238⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2732
        
        C:\Windows\SysWOW64\Bdhkfg32.exe
        
        C:\Windows\system32\Bdhkfg32.exe
        239⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\Bhcgffdd.exe
        
        C:\Windows\system32\Bhcgffdd.exe
        240⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2768
        
        C:\Windows\SysWOW64\Bnnocp32.exe
        
        C:\Windows\system32\Bnnocp32.exe
        241⤵
        Modifies registry class
        
        PID:2784
        
        C:\Windows\SysWOW64\Callol32.exe
        
        C:\Windows\system32\Callol32.exe
        242⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2800
        
        C:\Windows\SysWOW64\Chfdlfbb.exe
        
        C:\Windows\system32\Chfdlfbb.exe
        243⤵
        Drops file in System32 directory
        
        PID:2816
        
        C:\Windows\SysWOW64\Cjdpha32.exe
        
        C:\Windows\system32\Cjdpha32.exe
        244⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\Cmbldm32.exe
        
        C:\Windows\system32\Cmbldm32.exe
        245⤵
        Modifies registry class
        
        PID:2884
        
        C:\Windows\SysWOW64\Cpahph32.exe
        
        C:\Windows\system32\Cpahph32.exe
        246⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\Cdmdaghf.exe
        
        C:\Windows\system32\Cdmdaghf.exe
        247⤵
        Drops file in System32 directory
        
        PID:2916
        
        C:\Windows\SysWOW64\Chhqae32.exe
        
        C:\Windows\system32\Chhqae32.exe
        248⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\Cfkqmbgj.exe
        
        C:\Windows\system32\Cfkqmbgj.exe
        249⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\Cmeijl32.exe
        
        C:\Windows\system32\Cmeijl32.exe
        250⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2984
        
        C:\Windows\SysWOW64\Caqejkgp.exe
        
        C:\Windows\system32\Caqejkgp.exe
        251⤵
        Drops file in System32 directory
        
        PID:3000
        
        C:\Windows\SysWOW64\Cpcefh32.exe
        
        C:\Windows\system32\Cpcefh32.exe
        252⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\Cbbabc32.exe
        
        C:\Windows\system32\Cbbabc32.exe
        253⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\Ciljomdk.exe
        
        C:\Windows\system32\Ciljomdk.exe
        254⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\Cljfki32.exe
        
        C:\Windows\system32\Cljfki32.exe
        255⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2548
        
        C:\Windows\SysWOW64\Cfpjha32.exe
        
        C:\Windows\system32\Cfpjha32.exe
        256⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\Dhmflhoe.exe
        
        C:\Windows\system32\Dhmflhoe.exe
        257⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\Fkfmim32.exe
        
        C:\Windows\system32\Fkfmim32.exe
        258⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1048
        
        C:\Windows\SysWOW64\Gcjdcn32.exe
        
        C:\Windows\system32\Gcjdcn32.exe
        259⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:472
        
        C:\Windows\SysWOW64\Hkolno32.exe
        
        C:\Windows\system32\Hkolno32.exe
        260⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\Ifbpelib.exe
        
        C:\Windows\system32\Ifbpelib.exe
        261⤵
        Drops file in System32 directory
        
        PID:556
        
        C:\Windows\SysWOW64\Iiplagif.exe
        
        C:\Windows\system32\Iiplagif.exe
        262⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1576 -s 140
        263⤵
        Program crash
        
        PID:1768

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Acgeha32.exe

Filesize
50KB

MD5
6289184397b3018c5daaac357937629f

SHA1
8f62231341f9e8ca7e2257b27db992de327e6ba9

SHA256
1cd233e9e7ad3c17d07c75a6c45b5effbe8eded4dc3ae76970f66be4ef3a3581

SHA512
147f54aaddbd05e188deaba82afd3e8228be4b0eebce0b1f1c4a24770f505f077e27da9de71ae2a2133311739efe23642a167731cff70fa3de3e72457ce6e8d2

Download Submit
C:\Windows\SysWOW64\Acgeha32.exe

Filesize
50KB

MD5
6289184397b3018c5daaac357937629f

SHA1
8f62231341f9e8ca7e2257b27db992de327e6ba9

SHA256
1cd233e9e7ad3c17d07c75a6c45b5effbe8eded4dc3ae76970f66be4ef3a3581

SHA512
147f54aaddbd05e188deaba82afd3e8228be4b0eebce0b1f1c4a24770f505f077e27da9de71ae2a2133311739efe23642a167731cff70fa3de3e72457ce6e8d2

Download Submit
C:\Windows\SysWOW64\Akdfbccn.exe

Filesize
50KB

MD5
b9bd593199957430d48442cc33d89837

SHA1
056a5cd9d9d39ff87704938331900352087332fb

SHA256
26b04809975e2ba93c212906e8341bd9fb6a9cad4c24dc38f8d32a2125e5c395

SHA512
adbcafd5bc0e3e4068349ba9cd306b5c1e336d91892412276d0c12fa2944f6dbf5c23c0b3d15f8c355bc1967fb84b569f67be30af71bc9456d408c17ecef3e05

Download Submit
C:\Windows\SysWOW64\Akdfbccn.exe

Filesize
50KB

MD5
b9bd593199957430d48442cc33d89837

SHA1
056a5cd9d9d39ff87704938331900352087332fb

SHA256
26b04809975e2ba93c212906e8341bd9fb6a9cad4c24dc38f8d32a2125e5c395

SHA512
adbcafd5bc0e3e4068349ba9cd306b5c1e336d91892412276d0c12fa2944f6dbf5c23c0b3d15f8c355bc1967fb84b569f67be30af71bc9456d408c17ecef3e05

Download Submit
C:\Windows\SysWOW64\Aoilbbbo.exe

Filesize
50KB

MD5
efb742a9b6851a7b6c55614fe45d6932

SHA1
a1c77862274ccdfad68bfc6e59e9133cd13624fb

SHA256
57b31e506ed2a5640ac4a45bd4a68350ebefb9af85d617a4f06d5826eabf76b8

SHA512
3eb3d2368b639f1ff6df1290f0467e12eb30ab925f10fa7af18aefd5f53eb770fabfabb4fdca00306d3d72952ce15123678ced9a032d73eec460996dabe45b91

Download Submit
C:\Windows\SysWOW64\Aoilbbbo.exe

Filesize
50KB

MD5
efb742a9b6851a7b6c55614fe45d6932

SHA1
a1c77862274ccdfad68bfc6e59e9133cd13624fb

SHA256
57b31e506ed2a5640ac4a45bd4a68350ebefb9af85d617a4f06d5826eabf76b8

SHA512
3eb3d2368b639f1ff6df1290f0467e12eb30ab925f10fa7af18aefd5f53eb770fabfabb4fdca00306d3d72952ce15123678ced9a032d73eec460996dabe45b91

Download Submit
C:\Windows\SysWOW64\Bachjlge.exe

Filesize
50KB

MD5
4c2e8e498239ba85e9971b7a374f7706

SHA1
3e40e52f126cbd913aa955b30c2aa12bcbc667c3

SHA256
7a903cae46bc6207769d5b260f2e558d422b95ed0c834fe1b8a634c66f5bde03

SHA512
020fc3a35b9034f783ad2805886d157d8c418355a4a9044666555d24060269bf576261a4ff63efd0144d9452a7e12af2b6abcd207338b9f09251397bb1126384

Download Submit
C:\Windows\SysWOW64\Bachjlge.exe

Filesize
50KB

MD5
4c2e8e498239ba85e9971b7a374f7706

SHA1
3e40e52f126cbd913aa955b30c2aa12bcbc667c3

SHA256
7a903cae46bc6207769d5b260f2e558d422b95ed0c834fe1b8a634c66f5bde03

SHA512
020fc3a35b9034f783ad2805886d157d8c418355a4a9044666555d24060269bf576261a4ff63efd0144d9452a7e12af2b6abcd207338b9f09251397bb1126384

Download Submit
C:\Windows\SysWOW64\Bcfagdkq.exe

Filesize
50KB

MD5
fdd2500bfaeb239dc8dca851539a626e

SHA1
d420a873f5f7f06ba7f16079f7ffe8c4d5e45908

SHA256
f3e64ad01b06a751721dea39bbee95d579d239310b2c662612278cad34bf6237

SHA512
dbd1d16435329141758c0b7ceddf578bf720d648e12dddf823c3aab896ea78244fdc531f7714b2dd68caa2c439095f200965af1b6fda788449ae7510cb8795b5

Download Submit
C:\Windows\SysWOW64\Bcfagdkq.exe

Filesize
50KB

MD5
fdd2500bfaeb239dc8dca851539a626e

SHA1
d420a873f5f7f06ba7f16079f7ffe8c4d5e45908

SHA256
f3e64ad01b06a751721dea39bbee95d579d239310b2c662612278cad34bf6237

SHA512
dbd1d16435329141758c0b7ceddf578bf720d648e12dddf823c3aab896ea78244fdc531f7714b2dd68caa2c439095f200965af1b6fda788449ae7510cb8795b5

Download Submit
C:\Windows\SysWOW64\Bneocn32.exe

Filesize
50KB

MD5
9800304a4dd8810cc3a8d6169648192b

SHA1
8e315860411613da15ce304878c4f9125bb82cb7

SHA256
0e0ca57ac5cdfad17d9ee88eafc6c9d9b3774fc2953d8835da7fce39c7118590

SHA512
a07eb65a61fbcfe170e9bc1d99c04622771c0998bb27ffd570ca7f00aae57e26a33ffa906d19726d3caa5550b9fb6c1c68e15689505be24bd30b7aee541701dd

Download Submit
C:\Windows\SysWOW64\Bneocn32.exe

Filesize
50KB

MD5
9800304a4dd8810cc3a8d6169648192b

SHA1
8e315860411613da15ce304878c4f9125bb82cb7

SHA256
0e0ca57ac5cdfad17d9ee88eafc6c9d9b3774fc2953d8835da7fce39c7118590

SHA512
a07eb65a61fbcfe170e9bc1d99c04622771c0998bb27ffd570ca7f00aae57e26a33ffa906d19726d3caa5550b9fb6c1c68e15689505be24bd30b7aee541701dd

Download Submit
C:\Windows\SysWOW64\Bomale32.exe

Filesize
50KB

MD5
2a983d960653e58c754f73d663122fc2

SHA1
9830a5671ac5f21aff74012c3950e91938e0f57c

SHA256
963e5281a00b3fbf1485f9c92159b019b935cf549622a549b6a6e8c13f26253d

SHA512
15caa76982e07554bb029ff1ce79aec6eadb826d5d0cda03967550d3129cc5940fd227a4efdb2a864bdfba78f576a7ccbdcee36d96c35f5cfa39b60255d7399f

Download Submit
C:\Windows\SysWOW64\Bomale32.exe

Filesize
50KB

MD5
2a983d960653e58c754f73d663122fc2

SHA1
9830a5671ac5f21aff74012c3950e91938e0f57c

SHA256
963e5281a00b3fbf1485f9c92159b019b935cf549622a549b6a6e8c13f26253d

SHA512
15caa76982e07554bb029ff1ce79aec6eadb826d5d0cda03967550d3129cc5940fd227a4efdb2a864bdfba78f576a7ccbdcee36d96c35f5cfa39b60255d7399f

Download Submit
C:\Windows\SysWOW64\Bqmnfh32.exe

Filesize
50KB

MD5
fb40b8829b2b9fb6124d1ea159861a68

SHA1
549312a9e82e1f16a107a590bc18c95dd1891811

SHA256
ed26578ea1f9a50f3c5af6694da0d8c06a8d3926520e734d4bebae851f8dc8af

SHA512
e916d7d9c7c0db491ea9be5cdbe4d6c8077f1db331003b08bc8dbedf5efdcda242cc3631619be4e6ee62c15f13c8d84c9eafaf3e1fb0b2cf9d85e9f425109024

Download Submit
C:\Windows\SysWOW64\Bqmnfh32.exe

Filesize
50KB

MD5
fb40b8829b2b9fb6124d1ea159861a68

SHA1
549312a9e82e1f16a107a590bc18c95dd1891811

SHA256
ed26578ea1f9a50f3c5af6694da0d8c06a8d3926520e734d4bebae851f8dc8af

SHA512
e916d7d9c7c0db491ea9be5cdbe4d6c8077f1db331003b08bc8dbedf5efdcda242cc3631619be4e6ee62c15f13c8d84c9eafaf3e1fb0b2cf9d85e9f425109024

Download Submit
C:\Windows\SysWOW64\Cbgmdoek.exe

Filesize
50KB

MD5
715d727cd3fbba817cd791507ebfbb07

SHA1
d96eaa70235c731665b8662280544d5b6dbcda1f

SHA256
6814b1ef9ad1606eed91311437794659e46252d6793f1abffe012f8389d4f525

SHA512
3c03dfa23cbcdffed685fc24d3e4c65bb1fb8c6cdb0b429a26b337bbe176d05b84b612996b63c6ef6f6a68caaa1ce852318352a2426a815b5ad7915f9dba7244

Download Submit
C:\Windows\SysWOW64\Cbgmdoek.exe

Filesize
50KB

MD5
715d727cd3fbba817cd791507ebfbb07

SHA1
d96eaa70235c731665b8662280544d5b6dbcda1f

SHA256
6814b1ef9ad1606eed91311437794659e46252d6793f1abffe012f8389d4f525

SHA512
3c03dfa23cbcdffed685fc24d3e4c65bb1fb8c6cdb0b429a26b337bbe176d05b84b612996b63c6ef6f6a68caaa1ce852318352a2426a815b5ad7915f9dba7244

Download Submit
C:\Windows\SysWOW64\Cnghhaag.exe

Filesize
50KB

MD5
968d6293fbabc3a4f4b80ace2f1de33e

SHA1
54f9f3907c650c711d8cb487dc97949202312415

SHA256
f063c2ad351876a6b815681157cc8243f8da87db6015b947db96d79bdb940114

SHA512
0a349ff87062b61331395f0187713d04d39ec1fa1196384a750103581b11c733502f17a74c092a2d7e7d4662ae39a44e5c2bf7313639e50a5f27f863d26cff07

Download Submit
C:\Windows\SysWOW64\Cnghhaag.exe

Filesize
50KB

MD5
968d6293fbabc3a4f4b80ace2f1de33e

SHA1
54f9f3907c650c711d8cb487dc97949202312415

SHA256
f063c2ad351876a6b815681157cc8243f8da87db6015b947db96d79bdb940114

SHA512
0a349ff87062b61331395f0187713d04d39ec1fa1196384a750103581b11c733502f17a74c092a2d7e7d4662ae39a44e5c2bf7313639e50a5f27f863d26cff07

Download Submit
C:\Windows\SysWOW64\Cobkgdlp.exe

Filesize
50KB

MD5
e0d79935a6bbcd741b9893ff8702ba9e

SHA1
7459ddf73630ac0e3c7db854bd97a812c3b60d04

SHA256
8af6bdd66d1be34d197fb20503e17c40eb6725ce1b367c545aed182de3ece430

SHA512
13caedcd1570b2705cbabc489c836aafc54ffea09e39e429fc90348787b5d4edd398e2b3e3352c3b12839327a3c85742729012894b5a1aad244ebf2dc5395494

Download Submit
C:\Windows\SysWOW64\Cobkgdlp.exe

Filesize
50KB

MD5
e0d79935a6bbcd741b9893ff8702ba9e

SHA1
7459ddf73630ac0e3c7db854bd97a812c3b60d04

SHA256
8af6bdd66d1be34d197fb20503e17c40eb6725ce1b367c545aed182de3ece430

SHA512
13caedcd1570b2705cbabc489c836aafc54ffea09e39e429fc90348787b5d4edd398e2b3e3352c3b12839327a3c85742729012894b5a1aad244ebf2dc5395494

Download Submit
C:\Windows\SysWOW64\Cogdbd32.exe

Filesize
50KB

MD5
fa442d07de532f009e84350fa22f6478

SHA1
1183c691096e5faf39251213cf2cd1491fae8f18

SHA256
299da6145e0e314fa10a4c5dc25851539646fb3937e6a88b022094b668020450

SHA512
9c27ca26a1bb2577e79dc4a30b039eddbe41b0348103423f16b4058fb9b83436c6f2a9d46df96624245d876e70146577c61cdb964faea860677cd357d452e35a

Download Submit
C:\Windows\SysWOW64\Cogdbd32.exe

Filesize
50KB

MD5
fa442d07de532f009e84350fa22f6478

SHA1
1183c691096e5faf39251213cf2cd1491fae8f18

SHA256
299da6145e0e314fa10a4c5dc25851539646fb3937e6a88b022094b668020450

SHA512
9c27ca26a1bb2577e79dc4a30b039eddbe41b0348103423f16b4058fb9b83436c6f2a9d46df96624245d876e70146577c61cdb964faea860677cd357d452e35a

Download Submit
C:\Windows\SysWOW64\Damjek32.exe

Filesize
50KB

MD5
35ab509248a39015931dff30cdcb5678

SHA1
336abc9591786935781f36be4e38e5af7d29e212

SHA256
fd96d26cc4ae11c68ef0363292a7ec4609ef4ef4a428cf0eb976dcdad45f8aa4

SHA512
d2a79a68b04878eaa53ab9495283e36b220f25c1a4859c11ebe7fbdb21b5521b0094031d48989c042a90fe835f859acd2af1ff4e6be83dcc3b6f723ec381e437

Download Submit
C:\Windows\SysWOW64\Damjek32.exe

Filesize
50KB

MD5
35ab509248a39015931dff30cdcb5678

SHA1
336abc9591786935781f36be4e38e5af7d29e212

SHA256
fd96d26cc4ae11c68ef0363292a7ec4609ef4ef4a428cf0eb976dcdad45f8aa4

SHA512
d2a79a68b04878eaa53ab9495283e36b220f25c1a4859c11ebe7fbdb21b5521b0094031d48989c042a90fe835f859acd2af1ff4e6be83dcc3b6f723ec381e437

Download Submit
C:\Windows\SysWOW64\Dcmcffgd.exe

Filesize
50KB

MD5
c20e018e05d379729083db80f2b17d7f

SHA1
40a49157025458f11f7a67b56037e952268490ca

SHA256
fa4c423c2b75583afb4740fbaa7fba368e7a738d49c6e89de37945dca4439c61

SHA512
b73575e504967f4f8c84ad65d7e1d3b81624b62d77e0f87198a4009effc494ff8a9628a49116036f50c854c2100836477278cc4f7c317af6fb00243436e0e6d6

Download Submit
C:\Windows\SysWOW64\Dcmcffgd.exe

Filesize
50KB

MD5
c20e018e05d379729083db80f2b17d7f

SHA1
40a49157025458f11f7a67b56037e952268490ca

SHA256
fa4c423c2b75583afb4740fbaa7fba368e7a738d49c6e89de37945dca4439c61

SHA512
b73575e504967f4f8c84ad65d7e1d3b81624b62d77e0f87198a4009effc494ff8a9628a49116036f50c854c2100836477278cc4f7c317af6fb00243436e0e6d6

Download Submit
C:\Windows\SysWOW64\Dcpplfea.exe

Filesize
50KB

MD5
b2657259cda2edeabca41b215251e15b

SHA1
9167eade7fd3c7bd5e8cb8bda3583b1e5cc6f88e

SHA256
4b92d7f703af6edcfb38bc441e68ea8618d3af4fef7b409347213fa28bd08bba

SHA512
a7ab7d904a66f7df9c59ec4423a2104079907d2425a5d9a1e69658b4c459d825461e395644a3ba45eb985fb9242df181c0be29095ba587d07778e4f80477fb8d

Download Submit
C:\Windows\SysWOW64\Dcpplfea.exe

Filesize
50KB

MD5
b2657259cda2edeabca41b215251e15b

SHA1
9167eade7fd3c7bd5e8cb8bda3583b1e5cc6f88e

SHA256
4b92d7f703af6edcfb38bc441e68ea8618d3af4fef7b409347213fa28bd08bba

SHA512
a7ab7d904a66f7df9c59ec4423a2104079907d2425a5d9a1e69658b4c459d825461e395644a3ba45eb985fb9242df181c0be29095ba587d07778e4f80477fb8d

Download Submit
C:\Windows\SysWOW64\Qenkcmma.exe

Filesize
50KB

MD5
c11e149fd1f6f99051159e72173f99d7

SHA1
9f68eeafd4179aefab73a6e761e3289a09e94b52

SHA256
f1d9ee2c71e5d09e0cf3173eed6e474f6dd9a2153941fda065797357c9d3e709

SHA512
c6a3be5e29538be374b41c256e7fb67be2279ffc44465f39ed2e4e97069c88538d5fe300244966f672fa8dbcffd05f81687c25866275e18f01278ea7de2db170

Download Submit
C:\Windows\SysWOW64\Qenkcmma.exe

Filesize
50KB

MD5
c11e149fd1f6f99051159e72173f99d7

SHA1
9f68eeafd4179aefab73a6e761e3289a09e94b52

SHA256
f1d9ee2c71e5d09e0cf3173eed6e474f6dd9a2153941fda065797357c9d3e709

SHA512
c6a3be5e29538be374b41c256e7fb67be2279ffc44465f39ed2e4e97069c88538d5fe300244966f672fa8dbcffd05f81687c25866275e18f01278ea7de2db170

Download Submit
\Windows\SysWOW64\Acgeha32.exe

Filesize
50KB

MD5
6289184397b3018c5daaac357937629f

SHA1
8f62231341f9e8ca7e2257b27db992de327e6ba9

SHA256
1cd233e9e7ad3c17d07c75a6c45b5effbe8eded4dc3ae76970f66be4ef3a3581

SHA512
147f54aaddbd05e188deaba82afd3e8228be4b0eebce0b1f1c4a24770f505f077e27da9de71ae2a2133311739efe23642a167731cff70fa3de3e72457ce6e8d2

Download Submit
\Windows\SysWOW64\Acgeha32.exe

Filesize
50KB

MD5
6289184397b3018c5daaac357937629f

SHA1
8f62231341f9e8ca7e2257b27db992de327e6ba9

SHA256
1cd233e9e7ad3c17d07c75a6c45b5effbe8eded4dc3ae76970f66be4ef3a3581

SHA512
147f54aaddbd05e188deaba82afd3e8228be4b0eebce0b1f1c4a24770f505f077e27da9de71ae2a2133311739efe23642a167731cff70fa3de3e72457ce6e8d2

Download Submit
\Windows\SysWOW64\Akdfbccn.exe

Filesize
50KB

MD5
b9bd593199957430d48442cc33d89837

SHA1
056a5cd9d9d39ff87704938331900352087332fb

SHA256
26b04809975e2ba93c212906e8341bd9fb6a9cad4c24dc38f8d32a2125e5c395

SHA512
adbcafd5bc0e3e4068349ba9cd306b5c1e336d91892412276d0c12fa2944f6dbf5c23c0b3d15f8c355bc1967fb84b569f67be30af71bc9456d408c17ecef3e05

Download Submit
\Windows\SysWOW64\Akdfbccn.exe

Filesize
50KB

MD5
b9bd593199957430d48442cc33d89837

SHA1
056a5cd9d9d39ff87704938331900352087332fb

SHA256
26b04809975e2ba93c212906e8341bd9fb6a9cad4c24dc38f8d32a2125e5c395

SHA512
adbcafd5bc0e3e4068349ba9cd306b5c1e336d91892412276d0c12fa2944f6dbf5c23c0b3d15f8c355bc1967fb84b569f67be30af71bc9456d408c17ecef3e05

Download Submit
\Windows\SysWOW64\Aoilbbbo.exe

Filesize
50KB

MD5
efb742a9b6851a7b6c55614fe45d6932

SHA1
a1c77862274ccdfad68bfc6e59e9133cd13624fb

SHA256
57b31e506ed2a5640ac4a45bd4a68350ebefb9af85d617a4f06d5826eabf76b8

SHA512
3eb3d2368b639f1ff6df1290f0467e12eb30ab925f10fa7af18aefd5f53eb770fabfabb4fdca00306d3d72952ce15123678ced9a032d73eec460996dabe45b91

Download Submit
\Windows\SysWOW64\Aoilbbbo.exe

Filesize
50KB

MD5
efb742a9b6851a7b6c55614fe45d6932

SHA1
a1c77862274ccdfad68bfc6e59e9133cd13624fb

SHA256
57b31e506ed2a5640ac4a45bd4a68350ebefb9af85d617a4f06d5826eabf76b8

SHA512
3eb3d2368b639f1ff6df1290f0467e12eb30ab925f10fa7af18aefd5f53eb770fabfabb4fdca00306d3d72952ce15123678ced9a032d73eec460996dabe45b91

Download Submit
\Windows\SysWOW64\Bachjlge.exe

Filesize
50KB

MD5
4c2e8e498239ba85e9971b7a374f7706

SHA1
3e40e52f126cbd913aa955b30c2aa12bcbc667c3

SHA256
7a903cae46bc6207769d5b260f2e558d422b95ed0c834fe1b8a634c66f5bde03

SHA512
020fc3a35b9034f783ad2805886d157d8c418355a4a9044666555d24060269bf576261a4ff63efd0144d9452a7e12af2b6abcd207338b9f09251397bb1126384

Download Submit
\Windows\SysWOW64\Bachjlge.exe

Filesize
50KB

MD5
4c2e8e498239ba85e9971b7a374f7706

SHA1
3e40e52f126cbd913aa955b30c2aa12bcbc667c3

SHA256
7a903cae46bc6207769d5b260f2e558d422b95ed0c834fe1b8a634c66f5bde03

SHA512
020fc3a35b9034f783ad2805886d157d8c418355a4a9044666555d24060269bf576261a4ff63efd0144d9452a7e12af2b6abcd207338b9f09251397bb1126384

Download Submit
\Windows\SysWOW64\Bcfagdkq.exe

Filesize
50KB

MD5
fdd2500bfaeb239dc8dca851539a626e

SHA1
d420a873f5f7f06ba7f16079f7ffe8c4d5e45908

SHA256
f3e64ad01b06a751721dea39bbee95d579d239310b2c662612278cad34bf6237

SHA512
dbd1d16435329141758c0b7ceddf578bf720d648e12dddf823c3aab896ea78244fdc531f7714b2dd68caa2c439095f200965af1b6fda788449ae7510cb8795b5

Download Submit
\Windows\SysWOW64\Bcfagdkq.exe

Filesize
50KB

MD5
fdd2500bfaeb239dc8dca851539a626e

SHA1
d420a873f5f7f06ba7f16079f7ffe8c4d5e45908

SHA256
f3e64ad01b06a751721dea39bbee95d579d239310b2c662612278cad34bf6237

SHA512
dbd1d16435329141758c0b7ceddf578bf720d648e12dddf823c3aab896ea78244fdc531f7714b2dd68caa2c439095f200965af1b6fda788449ae7510cb8795b5

Download Submit
\Windows\SysWOW64\Bneocn32.exe

Filesize
50KB

MD5
9800304a4dd8810cc3a8d6169648192b

SHA1
8e315860411613da15ce304878c4f9125bb82cb7

SHA256
0e0ca57ac5cdfad17d9ee88eafc6c9d9b3774fc2953d8835da7fce39c7118590

SHA512
a07eb65a61fbcfe170e9bc1d99c04622771c0998bb27ffd570ca7f00aae57e26a33ffa906d19726d3caa5550b9fb6c1c68e15689505be24bd30b7aee541701dd

Download Submit
\Windows\SysWOW64\Bneocn32.exe

Filesize
50KB

MD5
9800304a4dd8810cc3a8d6169648192b

SHA1
8e315860411613da15ce304878c4f9125bb82cb7

SHA256
0e0ca57ac5cdfad17d9ee88eafc6c9d9b3774fc2953d8835da7fce39c7118590

SHA512
a07eb65a61fbcfe170e9bc1d99c04622771c0998bb27ffd570ca7f00aae57e26a33ffa906d19726d3caa5550b9fb6c1c68e15689505be24bd30b7aee541701dd

Download Submit
\Windows\SysWOW64\Bomale32.exe

Filesize
50KB

MD5
2a983d960653e58c754f73d663122fc2

SHA1
9830a5671ac5f21aff74012c3950e91938e0f57c

SHA256
963e5281a00b3fbf1485f9c92159b019b935cf549622a549b6a6e8c13f26253d

SHA512
15caa76982e07554bb029ff1ce79aec6eadb826d5d0cda03967550d3129cc5940fd227a4efdb2a864bdfba78f576a7ccbdcee36d96c35f5cfa39b60255d7399f

Download Submit
\Windows\SysWOW64\Bomale32.exe

Filesize
50KB

MD5
2a983d960653e58c754f73d663122fc2

SHA1
9830a5671ac5f21aff74012c3950e91938e0f57c

SHA256
963e5281a00b3fbf1485f9c92159b019b935cf549622a549b6a6e8c13f26253d

SHA512
15caa76982e07554bb029ff1ce79aec6eadb826d5d0cda03967550d3129cc5940fd227a4efdb2a864bdfba78f576a7ccbdcee36d96c35f5cfa39b60255d7399f

Download Submit
\Windows\SysWOW64\Bqmnfh32.exe

Filesize
50KB

MD5
fb40b8829b2b9fb6124d1ea159861a68

SHA1
549312a9e82e1f16a107a590bc18c95dd1891811

SHA256
ed26578ea1f9a50f3c5af6694da0d8c06a8d3926520e734d4bebae851f8dc8af

SHA512
e916d7d9c7c0db491ea9be5cdbe4d6c8077f1db331003b08bc8dbedf5efdcda242cc3631619be4e6ee62c15f13c8d84c9eafaf3e1fb0b2cf9d85e9f425109024

Download Submit
\Windows\SysWOW64\Bqmnfh32.exe

Filesize
50KB

MD5
fb40b8829b2b9fb6124d1ea159861a68

SHA1
549312a9e82e1f16a107a590bc18c95dd1891811

SHA256
ed26578ea1f9a50f3c5af6694da0d8c06a8d3926520e734d4bebae851f8dc8af

SHA512
e916d7d9c7c0db491ea9be5cdbe4d6c8077f1db331003b08bc8dbedf5efdcda242cc3631619be4e6ee62c15f13c8d84c9eafaf3e1fb0b2cf9d85e9f425109024

Download Submit
\Windows\SysWOW64\Cbgmdoek.exe

Filesize
50KB

MD5
715d727cd3fbba817cd791507ebfbb07

SHA1
d96eaa70235c731665b8662280544d5b6dbcda1f

SHA256
6814b1ef9ad1606eed91311437794659e46252d6793f1abffe012f8389d4f525

SHA512
3c03dfa23cbcdffed685fc24d3e4c65bb1fb8c6cdb0b429a26b337bbe176d05b84b612996b63c6ef6f6a68caaa1ce852318352a2426a815b5ad7915f9dba7244

Download Submit
\Windows\SysWOW64\Cbgmdoek.exe

Filesize
50KB

MD5
715d727cd3fbba817cd791507ebfbb07

SHA1
d96eaa70235c731665b8662280544d5b6dbcda1f

SHA256
6814b1ef9ad1606eed91311437794659e46252d6793f1abffe012f8389d4f525

SHA512
3c03dfa23cbcdffed685fc24d3e4c65bb1fb8c6cdb0b429a26b337bbe176d05b84b612996b63c6ef6f6a68caaa1ce852318352a2426a815b5ad7915f9dba7244

Download Submit
\Windows\SysWOW64\Cnghhaag.exe

Filesize
50KB

MD5
968d6293fbabc3a4f4b80ace2f1de33e

SHA1
54f9f3907c650c711d8cb487dc97949202312415

SHA256
f063c2ad351876a6b815681157cc8243f8da87db6015b947db96d79bdb940114

SHA512
0a349ff87062b61331395f0187713d04d39ec1fa1196384a750103581b11c733502f17a74c092a2d7e7d4662ae39a44e5c2bf7313639e50a5f27f863d26cff07

Download Submit
\Windows\SysWOW64\Cnghhaag.exe

Filesize
50KB

MD5
968d6293fbabc3a4f4b80ace2f1de33e

SHA1
54f9f3907c650c711d8cb487dc97949202312415

SHA256
f063c2ad351876a6b815681157cc8243f8da87db6015b947db96d79bdb940114

SHA512
0a349ff87062b61331395f0187713d04d39ec1fa1196384a750103581b11c733502f17a74c092a2d7e7d4662ae39a44e5c2bf7313639e50a5f27f863d26cff07

Download Submit
\Windows\SysWOW64\Cobkgdlp.exe

Filesize
50KB

MD5
e0d79935a6bbcd741b9893ff8702ba9e

SHA1
7459ddf73630ac0e3c7db854bd97a812c3b60d04

SHA256
8af6bdd66d1be34d197fb20503e17c40eb6725ce1b367c545aed182de3ece430

SHA512
13caedcd1570b2705cbabc489c836aafc54ffea09e39e429fc90348787b5d4edd398e2b3e3352c3b12839327a3c85742729012894b5a1aad244ebf2dc5395494

Download Submit
\Windows\SysWOW64\Cobkgdlp.exe

Filesize
50KB

MD5
e0d79935a6bbcd741b9893ff8702ba9e

SHA1
7459ddf73630ac0e3c7db854bd97a812c3b60d04

SHA256
8af6bdd66d1be34d197fb20503e17c40eb6725ce1b367c545aed182de3ece430

SHA512
13caedcd1570b2705cbabc489c836aafc54ffea09e39e429fc90348787b5d4edd398e2b3e3352c3b12839327a3c85742729012894b5a1aad244ebf2dc5395494

Download Submit
\Windows\SysWOW64\Cogdbd32.exe

Filesize
50KB

MD5
fa442d07de532f009e84350fa22f6478

SHA1
1183c691096e5faf39251213cf2cd1491fae8f18

SHA256
299da6145e0e314fa10a4c5dc25851539646fb3937e6a88b022094b668020450

SHA512
9c27ca26a1bb2577e79dc4a30b039eddbe41b0348103423f16b4058fb9b83436c6f2a9d46df96624245d876e70146577c61cdb964faea860677cd357d452e35a

Download Submit
\Windows\SysWOW64\Cogdbd32.exe

Filesize
50KB

MD5
fa442d07de532f009e84350fa22f6478

SHA1
1183c691096e5faf39251213cf2cd1491fae8f18

SHA256
299da6145e0e314fa10a4c5dc25851539646fb3937e6a88b022094b668020450

SHA512
9c27ca26a1bb2577e79dc4a30b039eddbe41b0348103423f16b4058fb9b83436c6f2a9d46df96624245d876e70146577c61cdb964faea860677cd357d452e35a

Download Submit
\Windows\SysWOW64\Damjek32.exe

Filesize
50KB

MD5
35ab509248a39015931dff30cdcb5678

SHA1
336abc9591786935781f36be4e38e5af7d29e212

SHA256
fd96d26cc4ae11c68ef0363292a7ec4609ef4ef4a428cf0eb976dcdad45f8aa4

SHA512
d2a79a68b04878eaa53ab9495283e36b220f25c1a4859c11ebe7fbdb21b5521b0094031d48989c042a90fe835f859acd2af1ff4e6be83dcc3b6f723ec381e437

Download Submit
\Windows\SysWOW64\Damjek32.exe

Filesize
50KB

MD5
35ab509248a39015931dff30cdcb5678

SHA1
336abc9591786935781f36be4e38e5af7d29e212

SHA256
fd96d26cc4ae11c68ef0363292a7ec4609ef4ef4a428cf0eb976dcdad45f8aa4

SHA512
d2a79a68b04878eaa53ab9495283e36b220f25c1a4859c11ebe7fbdb21b5521b0094031d48989c042a90fe835f859acd2af1ff4e6be83dcc3b6f723ec381e437

Download Submit
\Windows\SysWOW64\Dcmcffgd.exe

Filesize
50KB

MD5
c20e018e05d379729083db80f2b17d7f

SHA1
40a49157025458f11f7a67b56037e952268490ca

SHA256
fa4c423c2b75583afb4740fbaa7fba368e7a738d49c6e89de37945dca4439c61

SHA512
b73575e504967f4f8c84ad65d7e1d3b81624b62d77e0f87198a4009effc494ff8a9628a49116036f50c854c2100836477278cc4f7c317af6fb00243436e0e6d6

Download Submit
\Windows\SysWOW64\Dcmcffgd.exe

Filesize
50KB

MD5
c20e018e05d379729083db80f2b17d7f

SHA1
40a49157025458f11f7a67b56037e952268490ca

SHA256
fa4c423c2b75583afb4740fbaa7fba368e7a738d49c6e89de37945dca4439c61

SHA512
b73575e504967f4f8c84ad65d7e1d3b81624b62d77e0f87198a4009effc494ff8a9628a49116036f50c854c2100836477278cc4f7c317af6fb00243436e0e6d6

Download Submit
\Windows\SysWOW64\Dcpplfea.exe

Filesize
50KB

MD5
b2657259cda2edeabca41b215251e15b

SHA1
9167eade7fd3c7bd5e8cb8bda3583b1e5cc6f88e

SHA256
4b92d7f703af6edcfb38bc441e68ea8618d3af4fef7b409347213fa28bd08bba

SHA512
a7ab7d904a66f7df9c59ec4423a2104079907d2425a5d9a1e69658b4c459d825461e395644a3ba45eb985fb9242df181c0be29095ba587d07778e4f80477fb8d

Download Submit
\Windows\SysWOW64\Dcpplfea.exe

Filesize
50KB

MD5
b2657259cda2edeabca41b215251e15b

SHA1
9167eade7fd3c7bd5e8cb8bda3583b1e5cc6f88e

SHA256
4b92d7f703af6edcfb38bc441e68ea8618d3af4fef7b409347213fa28bd08bba

SHA512
a7ab7d904a66f7df9c59ec4423a2104079907d2425a5d9a1e69658b4c459d825461e395644a3ba45eb985fb9242df181c0be29095ba587d07778e4f80477fb8d

Download Submit
\Windows\SysWOW64\Qenkcmma.exe

Filesize
50KB

MD5
c11e149fd1f6f99051159e72173f99d7

SHA1
9f68eeafd4179aefab73a6e761e3289a09e94b52

SHA256
f1d9ee2c71e5d09e0cf3173eed6e474f6dd9a2153941fda065797357c9d3e709

SHA512
c6a3be5e29538be374b41c256e7fb67be2279ffc44465f39ed2e4e97069c88538d5fe300244966f672fa8dbcffd05f81687c25866275e18f01278ea7de2db170

Download Submit
\Windows\SysWOW64\Qenkcmma.exe

Filesize
50KB

MD5
c11e149fd1f6f99051159e72173f99d7

SHA1
9f68eeafd4179aefab73a6e761e3289a09e94b52

SHA256
f1d9ee2c71e5d09e0cf3173eed6e474f6dd9a2153941fda065797357c9d3e709

SHA512
c6a3be5e29538be374b41c256e7fb67be2279ffc44465f39ed2e4e97069c88538d5fe300244966f672fa8dbcffd05f81687c25866275e18f01278ea7de2db170

Download Submit
memory/108-210-0x0000000000000000-mapping.dmp

Download
memory/268-186-0x0000000000000000-mapping.dmp

Download
memory/288-163-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/288-145-0x0000000000000000-mapping.dmp

Download
memory/308-172-0x0000000000000000-mapping.dmp

Download
memory/308-209-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/308-213-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/308-211-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/436-173-0x0000000000000000-mapping.dmp

Download
memory/436-216-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/436-214-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/676-148-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/676-93-0x0000000000000000-mapping.dmp

Download
memory/748-146-0x0000000000000000-mapping.dmp

Download
memory/748-188-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/748-164-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/768-99-0x0000000000000000-mapping.dmp

Download
memory/768-149-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/776-226-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/776-177-0x0000000000000000-mapping.dmp

Download
memory/784-196-0x0000000000000000-mapping.dmp

Download
memory/804-157-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/804-134-0x0000000000000000-mapping.dmp

Download
memory/848-165-0x0000000000000000-mapping.dmp

Download
memory/848-192-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/848-194-0x0000000000260000-0x0000000000291000-memory.dmp

Filesize
196KB

Download
memory/864-187-0x0000000000000000-mapping.dmp

Download
memory/868-262-0x0000000000000000-mapping.dmp

Download
memory/892-56-0x0000000000000000-mapping.dmp

Download
memory/892-81-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/964-156-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/964-129-0x0000000000000000-mapping.dmp

Download
memory/968-201-0x0000000000000000-mapping.dmp

Download
memory/972-179-0x0000000000000000-mapping.dmp

Download
memory/972-230-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/972-229-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/984-183-0x0000000000000000-mapping.dmp

Download
memory/1004-233-0x0000000000000000-mapping.dmp

Download
memory/1012-150-0x0000000000000000-mapping.dmp

Download
memory/1012-190-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1112-268-0x0000000000000000-mapping.dmp

Download
memory/1124-257-0x0000000000000000-mapping.dmp

Download
memory/1240-206-0x0000000000000000-mapping.dmp

Download
memory/1272-208-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/1272-171-0x0000000000000000-mapping.dmp

Download
memory/1272-205-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1272-207-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/1284-168-0x0000000000000000-mapping.dmp

Download
memory/1284-199-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1296-147-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/1296-90-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1296-76-0x0000000000000000-mapping.dmp

Download
memory/1320-185-0x0000000000000000-mapping.dmp

Download
memory/1336-88-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1336-66-0x0000000000000000-mapping.dmp

Download
memory/1340-94-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1340-84-0x0000000000000000-mapping.dmp

Download
memory/1352-151-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1352-104-0x0000000000000000-mapping.dmp

Download
memory/1380-175-0x0000000000000000-mapping.dmp

Download
memory/1380-221-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/1380-222-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/1380-220-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1384-184-0x0000000000000000-mapping.dmp

Download
memory/1500-215-0x0000000000000000-mapping.dmp

Download
memory/1512-166-0x0000000000000000-mapping.dmp

Download
memory/1512-195-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1528-193-0x0000000000000000-mapping.dmp

Download
memory/1532-161-0x0000000000000000-mapping.dmp

Download
memory/1532-191-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1536-227-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1536-178-0x0000000000000000-mapping.dmp

Download
memory/1536-228-0x0000000000260000-0x0000000000291000-memory.dmp

Filesize
196KB

Download
memory/1540-114-0x0000000000000000-mapping.dmp

Download
memory/1540-153-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1580-181-0x0000000000000000-mapping.dmp

Download
memory/1580-236-0x00000000003A0000-0x00000000003D1000-memory.dmp

Filesize
196KB

Download
memory/1580-234-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1580-235-0x00000000003A0000-0x00000000003D1000-memory.dmp

Filesize
196KB

Download
memory/1588-89-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1588-71-0x0000000000000000-mapping.dmp

Download
memory/1592-232-0x0000000000250000-0x0000000000281000-memory.dmp

Filesize
196KB

Download
memory/1592-180-0x0000000000000000-mapping.dmp

Download
memory/1592-231-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1604-61-0x0000000000000000-mapping.dmp

Download
memory/1604-86-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1612-239-0x0000000000000000-mapping.dmp

Download
memory/1644-155-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1644-124-0x0000000000000000-mapping.dmp

Download
memory/1656-245-0x0000000000000000-mapping.dmp

Download
memory/1660-225-0x0000000001B60000-0x0000000001B91000-memory.dmp

Filesize
196KB

Download
memory/1660-223-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1660-224-0x0000000001B60000-0x0000000001B91000-memory.dmp

Filesize
196KB

Download
memory/1660-176-0x0000000000000000-mapping.dmp

Download
memory/1676-197-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1676-198-0x00000000002A0000-0x00000000002D1000-memory.dmp

Filesize
196KB

Download
memory/1676-167-0x0000000000000000-mapping.dmp

Download
memory/1692-212-0x0000000000000000-mapping.dmp

Download
memory/1708-203-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1708-170-0x0000000000000000-mapping.dmp

Download
memory/1708-204-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/1720-182-0x0000000000000000-mapping.dmp

Download
memory/1724-79-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1724-80-0x00000000002A0000-0x00000000002D1000-memory.dmp

Filesize
196KB

Download
memory/1740-143-0x0000000000000000-mapping.dmp

Download
memory/1740-160-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1776-109-0x0000000000000000-mapping.dmp

Download
memory/1776-152-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1800-266-0x0000000000000000-mapping.dmp

Download
memory/1812-200-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1812-169-0x0000000000000000-mapping.dmp

Download
memory/1812-202-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/1824-119-0x0000000000000000-mapping.dmp

Download
memory/1824-154-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1828-189-0x0000000000000000-mapping.dmp

Download
memory/1844-252-0x0000000000000000-mapping.dmp

Download
memory/1868-269-0x0000000000000000-mapping.dmp

Download
memory/1872-142-0x0000000000000000-mapping.dmp

Download
memory/1872-159-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1944-267-0x0000000000000000-mapping.dmp

Download
memory/1984-218-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/1984-219-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/1984-217-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1984-174-0x0000000000000000-mapping.dmp

Download
memory/1992-158-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1992-139-0x0000000000000000-mapping.dmp

Download
memory/2024-162-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2024-144-0x0000000000000000-mapping.dmp

Download