f93be4cb6093221e107b571f8d92bb251ebc2e1fd92a880e8903b2a818276c58

Analysis

max time kernel
43s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
11-05-2024 01:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

506d3156525f240158e81d83f274ceb0_NeikiAnalytics.exe
Size

226KB
MD5

506d3156525f240158e81d83f274ceb0
SHA1

5ea6d0ec251cf87d1e29c1e27250dde280518ddb
SHA256

f93be4cb6093221e107b571f8d92bb251ebc2e1fd92a880e8903b2a818276c58
SHA512

d83c6c983f05c82b78a03abcebff4ed6312afd2c8b68b26ab6c6e90d02ad80498362811833b8a39d9db282800f5b4d56288a98a84907ab3f5be3acd9302e18e6
SSDEEP

6144:KUSiZTK40lUHTisQt9Nd1Kid908edttRURLwO:KUvRK4ZusQHNd1KidKjttRYLwO

Score

10^/10

backdoor dropper trojan upx

Malware Config

Signatures

Malware Dropper & Backdoor - Berbew 19 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

resource	yara_rule
behavioral2/files/0x0009000000023257-6.dat	family_berbew
behavioral2/files/0x0008000000023256-41.dat	family_berbew
behavioral2/files/0x0007000000023259-71.dat	family_berbew
behavioral2/files/0x000700000002325b-107.dat	family_berbew
behavioral2/files/0x000700000002325c-143.dat	family_berbew
behavioral2/files/0x000700000002325d-179.dat	family_berbew
behavioral2/files/0x000700000002325e-216.dat	family_berbew
behavioral2/files/0x000700000002325f-253.dat	family_berbew
behavioral2/files/0x0007000000023260-290.dat	family_berbew
behavioral2/files/0x000200000001e32b-328.dat	family_berbew
behavioral2/files/0x0007000000023262-363.dat	family_berbew
behavioral2/files/0x0007000000023263-398.dat	family_berbew
behavioral2/files/0x0007000000023264-434.dat	family_berbew
behavioral2/files/0x0007000000023265-470.dat	family_berbew
behavioral2/files/0x0007000000023266-510.dat	family_berbew
behavioral2/files/0x0007000000023267-546.dat	family_berbew
behavioral2/files/0x0007000000023269-583.dat	family_berbew
behavioral2/files/0x000700000002326a-619.dat	family_berbew
behavioral2/files/0x000700000002326b-654.dat	family_berbew

Checks computer location settings 2 TTPs 40 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Sysqemchiuh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Sysqemsudtn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Sysqemanmrh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Sysqemuialw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Sysqembyjnd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Sysqemgmsra.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Sysqemkobha.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Sysqemkidej.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Sysqemsnppg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Sysqemxhhic.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Sysqempsxyp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Sysqemhxaje.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Sysqempqbhy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Sysqemsnjwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Sysqemfctyx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Sysqempxoyt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Sysqemchfzm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Sysqemubhdr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Sysqemiqgss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Sysqempqouo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Sysqemzggdd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Sysqemosgce.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Sysqemphemh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Sysqemfthpg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Sysqemppcml.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Sysqemeypky.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Sysqemsqbfz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	506d3156525f240158e81d83f274ceb0_NeikiAnalytics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Sysqemuiedi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Sysqemoalmc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Sysqemqmsbq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Sysqemxcztk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Sysqemkioal.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Sysqemwfmyj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Sysqemoijow.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Sysqemycfpi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Sysqempvcia.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Sysqemhxmkk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Sysqemjtxsf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Sysqemrxili.exe

Executes dropped EXE 39 IoCs

pid	Process
4576	Sysqemkobha.exe
3636	Sysqemfctyx.exe
1444	Sysqemqmsbq.exe
4188	Sysqemycfpi.exe
5080	Sysqemiqgss.exe
4060	Sysqemchiuh.exe
4180	Sysqempvcia.exe
4136	Sysqemxcztk.exe
3536	Sysqemsudtn.exe
4992	Sysqemkidej.exe
2116	Sysqemanmrh.exe
812	Sysqemsnppg.exe
2384	Sysqemfthpg.exe
3904	Sysqemxhhic.exe
3680	Sysqempsxyp.exe
1440	Sysqemuiedi.exe
2456	Sysqemppcml.exe
5116	Sysqemeypky.exe
1556	Sysqempqouo.exe
2224	Sysqempxoyt.exe
1752	Sysqemhxaje.exe
2816	Sysqempqbhy.exe
2724	Sysqemchfzm.exe
1212	Sysqemsqbfz.exe
2804	Sysqemkioal.exe
3732	Sysqemuialw.exe
3372	Sysqemzggdd.exe
3888	Sysqemsnjwm.exe
1840	Sysqemosgce.exe
3816	Sysqemphemh.exe
4868	Sysqembyjnd.exe
780	Sysqemubhdr.exe
2248	Sysqemwfmyj.exe
212	Sysqemoijow.exe
2844	Sysqemoalmc.exe
2172	Sysqemhxmkk.exe
1292	Sysqemjtxsf.exe
3980	Sysqemrxili.exe
4792	Sysqemgmsra.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2332-0-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/files/0x0009000000023257-6.dat	upx
behavioral2/files/0x0008000000023256-41.dat	upx
behavioral2/files/0x0007000000023259-71.dat	upx
behavioral2/files/0x000700000002325b-107.dat	upx
behavioral2/memory/2332-137-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/files/0x000700000002325c-143.dat	upx
behavioral2/files/0x000700000002325d-179.dat	upx
behavioral2/memory/4576-186-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/3636-214-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/files/0x000700000002325e-216.dat	upx
behavioral2/memory/1444-246-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/4188-252-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/files/0x000700000002325f-253.dat	upx
behavioral2/memory/5080-284-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/files/0x0007000000023260-290.dat	upx
behavioral2/memory/4060-327-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/files/0x000200000001e32b-328.dat	upx
behavioral2/files/0x0007000000023262-363.dat	upx
behavioral2/files/0x0007000000023263-398.dat	upx
behavioral2/memory/4180-428-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/files/0x0007000000023264-434.dat	upx
behavioral2/memory/4136-464-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/files/0x0007000000023265-470.dat	upx
behavioral2/memory/3536-501-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/files/0x0007000000023266-510.dat	upx
behavioral2/memory/4992-509-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/2116-539-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/812-540-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/files/0x0007000000023267-546.dat	upx
behavioral2/memory/2384-577-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/files/0x0007000000023269-583.dat	upx
behavioral2/memory/3904-613-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/files/0x000700000002326a-619.dat	upx
behavioral2/files/0x000700000002326b-654.dat	upx
behavioral2/memory/5116-656-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/3680-658-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/1440-694-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/2456-719-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/5116-752-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/1556-785-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/2224-822-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/1752-851-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/2816-884-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/2724-926-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/1212-983-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/3888-989-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/2804-1018-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/1840-1024-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/3732-1050-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/3372-1063-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/3888-1093-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/1840-1122-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/780-1128-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/3816-1156-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/4868-1197-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/780-1231-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/2248-1261-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/212-1298-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/2844-1349-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/2172-1365-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/1292-1398-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/3980-1431-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/4792-1462-0x0000000000400000-0x0000000000491000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 40 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemwfmyj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqempvcia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemxcztk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemkidej.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqempsxyp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemfthpg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemosgce.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemubhdr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemgmsra.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemchiuh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemsqbfz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemsnjwm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemoijow.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemchfzm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemuialw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemphemh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemycfpi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemeypky.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqempqouo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqempxoyt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemxhhic.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemuiedi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemhxaje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemoalmc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	506d3156525f240158e81d83f274ceb0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemfctyx.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemiqgss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemsnppg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemjtxsf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemqmsbq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemsudtn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemppcml.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemkioal.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemrxili.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqempqbhy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemzggdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqembyjnd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemhxmkk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemkobha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemanmrh.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2332 wrote to memory of 4576	2332	506d3156525f240158e81d83f274ceb0_NeikiAnalytics.exe	91
PID 2332 wrote to memory of 4576	2332	506d3156525f240158e81d83f274ceb0_NeikiAnalytics.exe	91
PID 2332 wrote to memory of 4576	2332	506d3156525f240158e81d83f274ceb0_NeikiAnalytics.exe	91
PID 4576 wrote to memory of 3636	4576	Sysqemkobha.exe	92
PID 4576 wrote to memory of 3636	4576	Sysqemkobha.exe	92
PID 4576 wrote to memory of 3636	4576	Sysqemkobha.exe	92
PID 3636 wrote to memory of 1444	3636	Sysqemfctyx.exe	93
PID 3636 wrote to memory of 1444	3636	Sysqemfctyx.exe	93
PID 3636 wrote to memory of 1444	3636	Sysqemfctyx.exe	93
PID 1444 wrote to memory of 4188	1444	Sysqemqmsbq.exe	94
PID 1444 wrote to memory of 4188	1444	Sysqemqmsbq.exe	94
PID 1444 wrote to memory of 4188	1444	Sysqemqmsbq.exe	94
PID 4188 wrote to memory of 5080	4188	Sysqemycfpi.exe	95
PID 4188 wrote to memory of 5080	4188	Sysqemycfpi.exe	95
PID 4188 wrote to memory of 5080	4188	Sysqemycfpi.exe	95
PID 5080 wrote to memory of 4060	5080	Sysqemiqgss.exe	96
PID 5080 wrote to memory of 4060	5080	Sysqemiqgss.exe	96
PID 5080 wrote to memory of 4060	5080	Sysqemiqgss.exe	96
PID 4060 wrote to memory of 4180	4060	Sysqemchiuh.exe	97
PID 4060 wrote to memory of 4180	4060	Sysqemchiuh.exe	97
PID 4060 wrote to memory of 4180	4060	Sysqemchiuh.exe	97
PID 4180 wrote to memory of 4136	4180	Sysqempvcia.exe	98
PID 4180 wrote to memory of 4136	4180	Sysqempvcia.exe	98
PID 4180 wrote to memory of 4136	4180	Sysqempvcia.exe	98
PID 4136 wrote to memory of 3536	4136	Sysqemxcztk.exe	99
PID 4136 wrote to memory of 3536	4136	Sysqemxcztk.exe	99
PID 4136 wrote to memory of 3536	4136	Sysqemxcztk.exe	99
PID 3536 wrote to memory of 4992	3536	Sysqemsudtn.exe	100
PID 3536 wrote to memory of 4992	3536	Sysqemsudtn.exe	100
PID 3536 wrote to memory of 4992	3536	Sysqemsudtn.exe	100
PID 4992 wrote to memory of 2116	4992	Sysqemkidej.exe	101
PID 4992 wrote to memory of 2116	4992	Sysqemkidej.exe	101
PID 4992 wrote to memory of 2116	4992	Sysqemkidej.exe	101
PID 2116 wrote to memory of 812	2116	Sysqemanmrh.exe	102
PID 2116 wrote to memory of 812	2116	Sysqemanmrh.exe	102
PID 2116 wrote to memory of 812	2116	Sysqemanmrh.exe	102
PID 812 wrote to memory of 2384	812	Sysqemsnppg.exe	103
PID 812 wrote to memory of 2384	812	Sysqemsnppg.exe	103
PID 812 wrote to memory of 2384	812	Sysqemsnppg.exe	103
PID 2384 wrote to memory of 3904	2384	Sysqemfthpg.exe	104
PID 2384 wrote to memory of 3904	2384	Sysqemfthpg.exe	104
PID 2384 wrote to memory of 3904	2384	Sysqemfthpg.exe	104
PID 3904 wrote to memory of 3680	3904	Sysqemxhhic.exe	105
PID 3904 wrote to memory of 3680	3904	Sysqemxhhic.exe	105
PID 3904 wrote to memory of 3680	3904	Sysqemxhhic.exe	105
PID 3680 wrote to memory of 1440	3680	Sysqempsxyp.exe	106
PID 3680 wrote to memory of 1440	3680	Sysqempsxyp.exe	106
PID 3680 wrote to memory of 1440	3680	Sysqempsxyp.exe	106
PID 1440 wrote to memory of 2456	1440	Sysqemuiedi.exe	121
PID 1440 wrote to memory of 2456	1440	Sysqemuiedi.exe	121
PID 1440 wrote to memory of 2456	1440	Sysqemuiedi.exe	121
PID 2456 wrote to memory of 5116	2456	Sysqemppcml.exe	110
PID 2456 wrote to memory of 5116	2456	Sysqemppcml.exe	110
PID 2456 wrote to memory of 5116	2456	Sysqemppcml.exe	110
PID 5116 wrote to memory of 1556	5116	Sysqemeypky.exe	112
PID 5116 wrote to memory of 1556	5116	Sysqemeypky.exe	112
PID 5116 wrote to memory of 1556	5116	Sysqemeypky.exe	112
PID 1556 wrote to memory of 2224	1556	Sysqempqouo.exe	114
PID 1556 wrote to memory of 2224	1556	Sysqempqouo.exe	114
PID 1556 wrote to memory of 2224	1556	Sysqempqouo.exe	114
PID 2224 wrote to memory of 1752	2224	Sysqempxoyt.exe	115
PID 2224 wrote to memory of 1752	2224	Sysqempxoyt.exe	115
PID 2224 wrote to memory of 1752	2224	Sysqempxoyt.exe	115
PID 1752 wrote to memory of 2816	1752	Sysqemhxaje.exe	116

C:\Users\Admin\AppData\Local\Temp\506d3156525f240158e81d83f274ceb0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\506d3156525f240158e81d83f274ceb0_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2332
- C:\Users\Admin\AppData\Local\Temp\Sysqemkobha.exe
  "C:\Users\Admin\AppData\Local\Temp\Sysqemkobha.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4576
- - C:\Users\Admin\AppData\Local\Temp\Sysqemfctyx.exe
    "C:\Users\Admin\AppData\Local\Temp\Sysqemfctyx.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3636
  - - C:\Users\Admin\AppData\Local\Temp\Sysqemqmsbq.exe
      "C:\Users\Admin\AppData\Local\Temp\Sysqemqmsbq.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1444
    - - C:\Users\Admin\AppData\Local\Temp\Sysqemycfpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemycfpi.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4188
      - C:\Users\Admin\AppData\Local\Temp\Sysqemiqgss.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemiqgss.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5080
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemchiuh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemchiuh.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4060
        
        C:\Users\Admin\AppData\Local\Temp\Sysqempvcia.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqempvcia.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4180
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemxcztk.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemxcztk.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4136
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemsudtn.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemsudtn.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3536
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemkidej.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemkidej.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4992
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemanmrh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemanmrh.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2116
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemsnppg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemsnppg.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:812
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemfthpg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemfthpg.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2384
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemxhhic.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemxhhic.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3904
        
        C:\Users\Admin\AppData\Local\Temp\Sysqempsxyp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqempsxyp.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3680
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemuiedi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemuiedi.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1440
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemppcml.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemppcml.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2456
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemeypky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemeypky.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5116
        
        C:\Users\Admin\AppData\Local\Temp\Sysqempqouo.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqempqouo.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1556
        
        C:\Users\Admin\AppData\Local\Temp\Sysqempxoyt.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqempxoyt.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2224
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemhxaje.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemhxaje.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\Temp\Sysqempqbhy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqempqbhy.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:2816
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemchfzm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemchfzm.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:2724
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemsqbfz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemsqbfz.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:1212
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemkioal.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemkioal.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:2804
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemuialw.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemuialw.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:3732
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemzggdd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemzggdd.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:3372
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemsnjwm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemsnjwm.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:3888
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemosgce.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemosgce.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:1840
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemphemh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemphemh.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:3816
        
        C:\Users\Admin\AppData\Local\Temp\Sysqembyjnd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqembyjnd.exe"
        32⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:4868
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemubhdr.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemubhdr.exe"
        33⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:780
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemwfmyj.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemwfmyj.exe"
        34⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:2248
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemoijow.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemoijow.exe"
        35⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:212
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemoalmc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemoalmc.exe"
        36⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:2844
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemhxmkk.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemhxmkk.exe"
        37⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:2172
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemjtxsf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemjtxsf.exe"
        38⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:1292
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemrxili.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemrxili.exe"
        39⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:3980
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemgmsra.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemgmsra.exe"
        40⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:4792
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemcakmg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemcakmg.exe"
        41⤵
        
        PID:2500
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemtpkpw.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemtpkpw.exe"
        42⤵
        
        PID:1724
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemmpwsh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemmpwsh.exe"
        43⤵
        
        PID:4840
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemzcqfs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemzcqfs.exe"
        44⤵
        
        PID:2060
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemtpfty.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemtpfty.exe"
        45⤵
        
        PID:4604
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemdeszz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemdeszz.exe"
        46⤵
        
        PID:3536
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemoewkj.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemoewkj.exe"
        47⤵
        
        PID:928
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemgawug.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemgawug.exe"
        48⤵
        
        PID:4424
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemywvfc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemywvfc.exe"
        49⤵
        
        PID:836
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemoxifd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemoxifd.exe"
        50⤵
        
        PID:4316
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemlrnye.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemlrnye.exe"
        51⤵
        
        PID:3148
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemrdizd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemrdizd.exe"
        52⤵
        
        PID:4936
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemdyymu.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemdyymu.exe"
        53⤵
        
        PID:1788
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemyeqmi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemyeqmi.exe"
        54⤵
        
        PID:4076
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemtvkvr.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemtvkvr.exe"
        55⤵
        
        PID:5088
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemtwwgi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemtwwgi.exe"
        56⤵
        
        PID:1100
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemlohob.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemlohob.exe"
        57⤵
        
        PID:3308
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemouxec.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemouxec.exe"
        58⤵
        
        PID:4992
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemdlhmy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemdlhmy.exe"
        59⤵
        
        PID:4216
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemqrauy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemqrauy.exe"
        60⤵
        
        PID:2752
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemgkyut.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemgkyut.exe"
        61⤵
        
        PID:3668
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemykkxd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemykkxd.exe"
        62⤵
        
        PID:2092
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemnhuvv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemnhuvv.exe"
        63⤵
        
        PID:3924
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemdeeof.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemdeeof.exe"
        64⤵
        
        PID:3368
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemljzeo.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemljzeo.exe"
        65⤵
        
        PID:3400
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemavgpl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemavgpl.exe"
        66⤵
        
        PID:1124
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemysocp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemysocp.exe"
        67⤵
        
        PID:4308
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemvbiaq.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemvbiaq.exe"
        68⤵
        
        PID:4396
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemahcoc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemahcoc.exe"
        69⤵
        
        PID:4488
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemahemq.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemahemq.exe"
        70⤵
        
        PID:2900
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemvcshb.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemvcshb.exe"
        71⤵
        
        PID:4852
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemkzdsf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemkzdsf.exe"
        72⤵
        
        PID:416
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemvngaa.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemvngaa.exe"
        73⤵
        
        PID:4356
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemchpyu.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemchpyu.exe"
        74⤵
        
        PID:4416
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemdenjx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemdenjx.exe"
        75⤵
        
        PID:1148
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemqgwrg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemqgwrg.exe"
        76⤵
        
        PID:2376
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemfvopg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemfvopg.exe"
        77⤵
        
        PID:404
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemhceqb.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemhceqb.exe"
        78⤵
        
        PID:2856
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemdfibz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemdfibz.exe"
        79⤵
        
        PID:2400
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemfexwi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemfexwi.exe"
        80⤵
        
        PID:5056
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemxaxgf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemxaxgf.exe"
        81⤵
        
        PID:1980
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemsgpuf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemsgpuf.exe"
        82⤵
        
        PID:4464
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemkjfks.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemkjfks.exe"
        83⤵
        
        PID:1220
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemuqsvo.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemuqsvo.exe"
        84⤵
        
        PID:1196
        
        C:\Users\Admin\AppData\Local\Temp\Sysqempiuyl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqempiuyl.exe"
        85⤵
        
        PID:4652
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemnqeyz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemnqeyz.exe"
        86⤵
        
        PID:720
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemihybw.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemihybw.exe"
        87⤵
        
        PID:3880
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemfuuom.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemfuuom.exe"
        88⤵
        
        PID:3284
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemxtfll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemxtfll.exe"
        89⤵
        
        PID:3636
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemnndmg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemnndmg.exe"
        90⤵
        
        PID:2876
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemeqrwi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemeqrwi.exe"
        91⤵
        
        PID:1980
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemcvyrb.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemcvyrb.exe"
        92⤵
        
        PID:3800
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemxbomv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemxbomv.exe"
        93⤵
        
        PID:4280
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemhatxz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemhatxz.exe"
        94⤵
        
        PID:2224
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemusvap.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemusvap.exe"
        95⤵
        
        PID:1968
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemragak.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemragak.exe"
        96⤵
        
        PID:3576
        
        C:\Users\Admin\AppData\Local\Temp\Sysqempubna.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqempubna.exe"
        97⤵
        
        PID:4384
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemctfdu.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemctfdu.exe"
        98⤵
        
        PID:3992
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemcwswj.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemcwswj.exe"
        99⤵
        
        PID:3924
        
        C:\Users\Admin\AppData\Local\Temp\Sysqempcker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqempcker.exe"
        100⤵
        
        PID:4512
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemmkuee.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemmkuee.exe"
        101⤵
        
        PID:2308
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemuarkk.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemuarkk.exe"
        102⤵
        
        PID:2300
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemprlmz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemprlmz.exe"
        103⤵
        
        PID:1220
        
        C:\Users\Admin\AppData\Local\Temp\Sysqembxnkn.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqembxnkn.exe"
        104⤵
        
        PID:180
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemrgaqz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemrgaqz.exe"
        105⤵
        
        PID:1968
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemrkxgb.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemrkxgb.exe"
        106⤵
        
        PID:1440
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemzvgev.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemzvgev.exe"
        107⤵
        
        PID:780
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemeqqhn.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemeqqhn.exe"
        108⤵
        
        PID:3628
        
        C:\Users\Admin\AppData\Local\Temp\Sysqempebpi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqempebpi.exe"
        109⤵
        
        PID:2384
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemmyiox.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemmyiox.exe"
        110⤵
        
        PID:4408
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemefjjn.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemefjjn.exe"
        111⤵
        
        PID:416
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemjhbjk.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemjhbjk.exe"
        112⤵
        
        PID:2636
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemjwbay.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemjwbay.exe"
        113⤵
        
        PID:3812
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemlkfah.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemlkfah.exe"
        114⤵
        
        PID:4140
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemmkqly.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemmkqly.exe"
        115⤵
        
        PID:708
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemhctth.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemhctth.exe"
        116⤵
        
        PID:1772
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemrcgpl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemrcgpl.exe"
        117⤵
        
        PID:464
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemdhzpl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemdhzpl.exe"
        118⤵
        
        PID:2724
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemetmvt.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemetmvt.exe"
        119⤵
        
        PID:3664
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemyrcqo.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemyrcqo.exe"
        120⤵
        
        PID:1692
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemgscdo.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemgscdo.exe"
        121⤵
        
        PID:1144
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemrzqgk.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemrzqgk.exe"
        122⤵
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemeeios.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemeeios.exe"
        123⤵
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemeejtd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemeejtd.exe"
        124⤵
        
        PID:2432
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemjrehi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemjrehi.exe"
        125⤵
        
        PID:180
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemeujxa.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemeujxa.exe"
        126⤵
        
        PID:3208
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemyllzy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemyllzy.exe"
        127⤵
        
        PID:5072
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemtrtps.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemtrtps.exe"
        128⤵
        
        PID:5000
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemotyxk.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemotyxk.exe"
        129⤵
        
        PID:4980
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemgljvj.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemgljvj.exe"
        130⤵
        
        PID:3800
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemzhktr.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemzhktr.exe"
        131⤵
        
        PID:2324
        
        C:\Users\Admin\AppData\Local\Temp\Sysqembenjm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqembenjm.exe"
        132⤵
        
        PID:1900
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemtsnui.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemtsnui.exe"
        133⤵
        
        PID:1372
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemomsba.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemomsba.exe"
        134⤵
        
        PID:4416
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemlhnxy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemlhnxy.exe"
        135⤵
        
        PID:2172
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemlhock.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemlhock.exe"
        136⤵
        
        PID:3208
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemiihpg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemiihpg.exe"
        137⤵
        
        PID:1552
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemgrbnh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemgrbnh.exe"
        138⤵
        
        PID:4652
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemjjddw.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemjjddw.exe"
        139⤵
        
        PID:1444
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemyyohi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemyyohi.exe"
        140⤵
        
        PID:3748
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemgolsr.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemgolsr.exe"
        141⤵
        
        PID:4616
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemwwhxm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemwwhxm.exe"
        142⤵
        
        PID:1148
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemywwyn.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemywwyn.exe"
        143⤵
        
        PID:4528
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemvxolr.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemvxolr.exe"
        144⤵
        
        PID:4076
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemvibdg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemvibdg.exe"
        145⤵
        
        PID:2516
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemvicrr.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemvicrr.exe"
        146⤵
        
        PID:3992
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemsgjrs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemsgjrs.exe"
        147⤵
        
        PID:4612
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemvxacc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemvxacc.exe"
        148⤵
        
        PID:5096
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemvqbmw.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemvqbmw.exe"
        149⤵
        
        PID:2228
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemvboek.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemvboek.exe"
        150⤵
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemywrcx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemywrcx.exe"
        151⤵
        
        PID:5020
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemvuycq.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemvuycq.exe"
        152⤵
        
        PID:3436
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemvuzqc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemvuzqc.exe"
        153⤵
        
        PID:2688
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemvjovb.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemvjovb.exe"
        154⤵
        
        PID:3320
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemvynge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemvynge.exe"
        155⤵
        
        PID:2980
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemvnllv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemvnllv.exe"
        156⤵
        
        PID:3848
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemvciqm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemvciqm.exe"
        157⤵
        
        PID:3108
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemyfdgz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemyfdgz.exe"
        158⤵
        
        PID:3628
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemxxmzb.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemxxmzb.exe"
        159⤵
        
        PID:816
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemaoejc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemaoejc.exe"
        160⤵
        
        PID:2228
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemadcpc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemadcpc.exe"
        161⤵
        
        PID:4552
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemppazr.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemppazr.exe"
        162⤵
        
        PID:2320
        
        C:\Users\Admin\AppData\Local\Temp\Sysqempbnsf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqempbnsf.exe"
        163⤵
        
        PID:1516
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemfninw.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemfninw.exe"
        164⤵
        
        PID:648
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemiqlki.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemiqlki.exe"
        165⤵
        
        PID:3392
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemfkhyg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemfkhyg.exe"
        166⤵
        
        PID:4376
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemfkids.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemfkids.exe"
        167⤵
        
        PID:1480
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemxzjgi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemxzjgi.exe"
        168⤵
        
        PID:1556
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemsqmor.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemsqmor.exe"
        169⤵
        
        PID:4936
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemuankp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemuankp.exe"
        170⤵
        
        PID:3924
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemnemfo.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemnemfo.exe"
        171⤵
        
        PID:5000
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemuiyql.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemuiyql.exe"
        172⤵
        
        PID:2856
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemikgrb.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemikgrb.exe"
        173⤵
        
        PID:2368
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemcxveh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemcxveh.exe"
        174⤵
        
        PID:4652
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemvqkcs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemvqkcs.exe"
        175⤵
        
        PID:4872

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:2456

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3644 --field-trial-handle=2256,i,6670388345726423024,18382795228658886258,262144 --variations-seed-version /prefetch:8
1⤵
PID:4268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Sysqamqqvaqqd.exe

Filesize
226KB

MD5
5fe11ef3266c6f4a97f67ab9f6556c9e

SHA1
c355968f09714ec82d38bdfccdb15518afb20c55

SHA256
fe22c1615f1c91da1e104a154db95477117ac20bb9fe66567584659c8a0186a5

SHA512
8bef7cf476f9455c5d757acb81ef8382735ad2103987f4f5818a4259c573f262cccb4ee4c41ca15c3ef14bdf02de349be86b9164e5b39ea700c875af977528c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysqemanmrh.exe

Filesize
226KB

MD5
7a048339fdfd348ce80149709ffe7017

SHA1
2475108efec1a6f5319e989bca66be0bf81c8f60

SHA256
a9bc72146978656b9dc2c82ccfe3d185f449c31aece7622539762b8799530e3d

SHA512
1b4f3d99756a0b0ddfce7c41ccbc04c9881b28247dd0212fc01b51d6eaa0ba1d5c4df952b38cc560e25ee5f801c02e941118c82a29146c19d7197d0d2fae87ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysqemchiuh.exe

Filesize
226KB

MD5
415af410692948b132bfaf68a1abd5a6

SHA1
e0db2c64f495e54537ca71f0771d5bd9a07bcf20

SHA256
7a9caeb6f2c6e362049658c17e6a7359c6f9948c603e8af870fb9c14484857d3

SHA512
0acfce784558ebc89a548c7fe487fdb2fa65be79fd4ea618365635c9fb2460a24a8cdd068b2d77a8cfadf3a43e624d60d8d577a37f5d40a2a79e603ff0577dc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysqemeypky.exe

Filesize
226KB

MD5
d83ef60952299fddec2cff20980991b8

SHA1
06ac6b263c41e40df4b8b882ba45f38fea644f64

SHA256
0c792c05cc86689c2686aab94e55f668d5cc3cbb907223db873fb6f3e10c2516

SHA512
14e0cfd350320caf15b3dbf8ab01feacac9a7845970d32c605e380fc44e47913392c6c2423c89fb07dc9fddc92879a7c7735636cf9457a34d057fac21b29ca8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysqemfctyx.exe

Filesize
226KB

MD5
eb0cb00c92094780acbc0be251215b73

SHA1
1ead9e142a418b0dfc0b428102710a64225e2590

SHA256
2671a91177caf2aaf07d361c81d07d1ecb471dc564450a211059aefc0232ab79

SHA512
240ca6d318bc6b6231afaddc80714d1f8b6bcc44a754fc95dee791575a861d3a608fa7cde9c91820d1f2ba584ac1cd8fbd59672fae865d13a9134b64b2718fba

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysqemfthpg.exe

Filesize
226KB

MD5
1fbd468c3a6cdcc4efbc1795da0349d6

SHA1
83d1e3c43420a8d7e11826c013be9a40b2f470fc

SHA256
1c5767a57c383fc8ee727fc7664e81469a0e3c7833dbba41fe8f0b6a1558fc05

SHA512
d5403608dadb0d413b99d932dd3702f4d8e94190d5a718c4b429318eb885c56aa2250d0d502af850e7e10ead787aaa79355c05106facc14b6f30495e34e6c558

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysqemiqgss.exe

Filesize
226KB

MD5
468134e5903432608f3b46e1b3bd963d

SHA1
870cdb3e4e64db8a4fb6bdddd12b08845eab6af8

SHA256
4661aa187fd6c248b8718ba2dd5cb926923876de5bc77317ad07b43eba1433d9

SHA512
80eb7246ef05b8d152baa689d2108c5b8f1112286361f566d38b816bafdf464997eea02fec23b8ac9b98cfece22ebd1237cb3f0607330c8dca93d8927c026357

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysqemkidej.exe

Filesize
226KB

MD5
0d5b831c8602562f9ac5e72b30162036

SHA1
c02d79167537238745583850f15b041218e5cf4e

SHA256
d0c1811f0729ac61d095c96ad07beafcf602bafdbbe596fcedd94b043b7cd371

SHA512
2168e0a9358e024023f41279b549c05b17e068ace516d345d067667c528016b39c80af87a53d9563568b9042691b474ab2c11caa0bb7a19333a5ea85fdd02dfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysqemkobha.exe

Filesize
226KB

MD5
20b6a59f2fed273c0cf7343070e03e02

SHA1
3c042c2c9ba75adf6fb21848f31909b0b7fae4ac

SHA256
9a969de90650c82f441b0694c560473004b908410985dfaac9f9d6a5cd35f68d

SHA512
771265a2fa1e6cd0cf215ddb26d3f99ca8531c248b22607c92bb27a38e11ca8e365974a2b8ca8bf24402b7299602a527a7e1dbab2fcc7800dedb305b394412a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysqemppcml.exe

Filesize
226KB

MD5
12ad8786ab8d563f0970ef3f3b70046f

SHA1
5bed2a79faf63e42b5569d99ef8ea99ca9d753a5

SHA256
d9dcbcca80271cab321d61d55523e41a8515f9845e22aa3400cad0f38c58283d

SHA512
d05826f2d98e8c0e6ee6650393ece228d4db5f05bb50c8f3237095fff598ef353c7314acca372becdc2785d632a8731ec58c247f62c45220b1d267300d304a24

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysqempsxyp.exe

Filesize
226KB

MD5
51f94349a77038669256682b9b73435c

SHA1
773280b2d2206670562f02321395761e61253a25

SHA256
104832561f9e38016d8f1f7972eb898f0b175328a1f614e959b4643f8e89f8a1

SHA512
f37b7510df488d7d531d2e493258a9c938ca8baddd8734d14ec81e370c00705109ed3f392bc10b3d35641f55b390b837977716575e665b2909705cadaf1fdd88

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysqempvcia.exe

Filesize
226KB

MD5
3fcbcd388934bff0ce1451e32f95d3b4

SHA1
e51d06696d50d94d305b4fad9d8bd245af946a86

SHA256
909ef88fc0150714f99dce66d6dbf5958fe0a4db0f4bc39c3bc98f44b575a376

SHA512
daf761cac7a63f3c0fa7aaea3e2108f378be42d0bb763296e78964d9a4684efe034ff28db3df5f730eab453d46b09df98d11f65adc2e8c52f14e517d709d4947

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysqemqmsbq.exe

Filesize
226KB

MD5
23a54d7a557c7a5643d4dd2098df3a06

SHA1
86e4f95f13d0245533d6092ee69ffd0c47fcfaf3

SHA256
381de9e521adaa0e87ce73705d207a3f838e4a8cb584be16a6e3a2c6c7797e23

SHA512
921efcb3e1bcf7bd4d9858851f9c7b3466b91306d45bd14e4bc7f38003c5e7be546ec1520315aaa4aefa74cf45693e70662256ba9c0859b76880995a46a804c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysqemsnppg.exe

Filesize
226KB

MD5
d69e463e60baf15bf54b152a5c6b2c42

SHA1
7db8ee09911e5a171fe35b5f70e576b6a03192d1

SHA256
c949f75858885ec51fe236f80d45506bbef7c593ac94f232f5548747a2ec9644

SHA512
65c8e9d2c85937ea812334d0840d1573484bc322e23b72d9f2779a8fa50e2b6176417f61f505db0eff80305f2d6042251a6dd083fe10c611ca538aff8a1f2fd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysqemsudtn.exe

Filesize
226KB

MD5
6b3b75b83770a1d2905ad6282bf356e4

SHA1
0c9a95dfbf7f40429db39dd75541ba5364d87eb9

SHA256
2c3aa09593e4644bef20be3ecb7c268190efcaecf8df839855b25d1d5dd5b277

SHA512
3b656c82e97e0ac9d59879a1f44c8859128f033a42ac8fec741b2e0f2763a34ae344909c8ea40572a9f8bce30ab1746891d6ba3d21551d26991c662e6e1675b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysqemuiedi.exe

Filesize
226KB

MD5
06d483472e3df2422ae386d750cfc88a

SHA1
369f97d7dbf7630e36a091caaaf533f8c527d6ad

SHA256
eb9b5fa19c6c5564676e3f074a86dd95985f451f863bb9278984e22e211b8cff

SHA512
164fd1ff96d19853c97afcdf19646a211cbfc6c6bb36b59652a9e77135eb22748942873b866df76de915e1bffd519f891fb64d06f23b1c1d81a62c225a9add44

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysqemxcztk.exe

Filesize
226KB

MD5
3a2e727b834c53cee4748b8cb67e9faa

SHA1
4ec070e4ac774c92a9dc307a786f0ea09bf5ca2b

SHA256
ab73f393469836a0c5708225345400cb0b7b39c879f988dfe69faaf31591ef12

SHA512
4ee1f0a079a1ae5eb83d0cef8f7ab75a6925b319183e75df0fd6c21e981f65887759d8db986dd1d9d47894a40403c402ce62de4895cece7aa5fef5c45f8332c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysqemxhhic.exe

Filesize
226KB

MD5
f38ca0d4c2d21929ace7f172a1062118

SHA1
fdb543d879b382bbda06fe7a2c51d1314ca7553a

SHA256
bbf24a684e7873ec6d1a131d1159b463949cc4bb77b37a1ee2275c52dcc32cc1

SHA512
e136bb309aa7ab989423ff5d30f09706aa82704ac3b3f1c98231715397aec0450d52e9231c6bb5206ca4d15cad8231b6d08ce1f8031806fcdf68851c4c642f8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysqemycfpi.exe

Filesize
226KB

MD5
6756b9f34e049eba540ab32e2ef8d669

SHA1
0c43b9e0ed88cb84edb3e5d4ef26946403ca14da

SHA256
09c412166011f72d768aa5f978762f0ca0c2280937f7435a302940d714c74689

SHA512
47e25c75252db29b948d5ede4a6736c55c5093ab10cb1f9ac704f7286fca3201d8255f404d997ce30d66039ad836ab7a478abd2d2a11ac97e7b623bd74e619b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpath.ini

Filesize
49B

MD5
9f876d82494171c6f9c9ae0348733eef

SHA1
9d6764e3507b175b69939719cdcb065a9ed2784b

SHA256
a18dc8597caaaee21f65e429594c0cb958675c4a304c130727072d88a274ee3a

SHA512
bd1ac35fe203aafd0fc5fcec68cd64dd120b9bceb757c39745585a1f1cbd74fb423e47c48aadfefa773b8075df42dbea496c74edf0f8efc96255527c7bc80fce

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpath.ini

Filesize
49B

MD5
31b86c7c870791121918b6342b5c4cab

SHA1
82aed7a852dbc2a63161d142300927e86ba06457

SHA256
331d24dd58b015bdefa19304c58c79f238a3cec22bb94afa705f9360fda1951d

SHA512
db942ef2ef91863902cf86924f94266f1986493c0757a20fac29d679ea43f5afd505ebcc5a6d4025c45738a679b5dfff8d0a9004a65810cdb13a534fc76c8626

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpath.ini

Filesize
49B

MD5
aa4a65d8ceb7f18e585207d8c449a592

SHA1
5b43565a44e043cee85c48a97cca6c22a71bddb9

SHA256
52f4d6118a60d2b9d9a563c27dc856c06d9287b584ede93ecb5b6fa1ad8bb994

SHA512
729e1569de8f59dfbf10124b61c7eaf21f2a81e6ed6bb3aa0ef786e00923dd9ebcca82b2b9d37a05c048b5974a57e9c0f84c7c97fc787e9320a996ee8af1cc1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpath.ini

Filesize
49B

MD5
fc818924f3d7597facdf186f1dfd9c59

SHA1
c72b30da1f39c3ef109caf94b3d87a3bf1656ec1

SHA256
5de35bcbebcd12862198724ba96bec5d58fd393ff328d2fc8d514cc98b1cd7c4

SHA512
63752e305525f874093314ac826b1191f0c3c8fb2cb60d0a4df139ddd12035c44f01bf6f4a2d6140882c59c746b4da5222e4709bc5c34e4e7d81069f08110d1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpath.ini

Filesize
49B

MD5
1372d5ba97aab2bf73547c01af3b43af

SHA1
b385889d8aacc7c8d784e10cc7418ec7194dea6d

SHA256
91e2d420d51e6c0e27d5d229612cb7667e062df9ad53a7ff825198af69d7cc94

SHA512
798277808fe3ad6359fb8571caadbef2806971d3c543386d4289269d31dcfc5df278ff6fd2aa57568c0822f6c9d8f186482bb3911cc3c055befd8c9f1ac8b4e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpath.ini

Filesize
49B

MD5
f0cbddf8e870186d002ddd335a338069

SHA1
220702a8a634929cc1372e2819d37fbda446cafd

SHA256
f1ebd465c571b7f3a61edc26ffc4611b24f35c8d8d0d993ba1fa7064adab65f5

SHA512
4bc5ccaaea43e5dfd0e802321a721f024cb0f52a18298d87366bfef91b1cb3b6e33a21be9a7ebcf46c4d85ca984b27687a713350209d2e3d39012a652c2662eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpath.ini

Filesize
49B

MD5
1b4cc6f966c2349da748fc0213457a56

SHA1
80c80d3074a5bdb0283eba684fa1978544c4478c

SHA256
6ebf52c21a9bf36ae539b10a2ee364a73f6f364551ae76c99109268e488e677d

SHA512
6a5493f23ffaa0a5160009f9ff3ee10b7b28c9ff7a25b29344dd6d1564ae9dad080beabc3c8b9606566c5ec7fe0ecbebb4fc0c3ebf382f425df26859ddc3ffcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpath.ini

Filesize
49B

MD5
9bea04fe3254e9683037f4236e7460aa

SHA1
f76ea5e06722cf9ed2b06e3650ba0ebd921dcbc4

SHA256
b1b465d729de91c2c9f7ecbdfead39cb22a84d72c64df96c22dbdf6e8370bcee

SHA512
d3089869dbfccdc6dea390f771421654fceebfda486b7111c56955b4372169f8c7a2e322466f7242861af739b3eab371085dc8ef2d4f7be5f0b5d08c5d6a3e5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpath.ini

Filesize
49B

MD5
80b92ad6761296d1208d2f1b0242e116

SHA1
ad961427994b12cdd2891cd21d41c1472eef8d47

SHA256
35a63dd61d09f4faebe36305dee74772761b659be9db35272a02d7b394242410

SHA512
0c2017fdfc5adababdb3b4e6bdb7a666861de7b03405c5cf4c7ed5d05deb2f5104f399f176b69d60bf65ca2c33ce0aefd869d201e4b4c79b74b54ecb434321bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpath.ini

Filesize
49B

MD5
67189e0b9a92cc286c57db5bf10819bf

SHA1
4ca4e4439482bd69cf84efccae66f98354ee513a

SHA256
7259461bbc42b348cf928226f85cc8ca6d09d60c3a0ff142b00919c1a82b73d6

SHA512
1c45f9315cba376658596368e00822add1d18159ce3265e4df7668b8254b39453194a4f0457eecbe39d49bdc7bf27d8b616d580e2c39d390e3fd6374ee2bb3ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpath.ini

Filesize
49B

MD5
f9364d74e2b3ecf978e8de4fd9a70a6b

SHA1
a785c5cde6bf2bb20169d4b59cde328249480271

SHA256
84532d6ad1547c934a98582e2bf244435e8e3a5b7e67c0cd96c69f32b201ec95

SHA512
d4a5e3c6cfffb91752d861712c45eb7fd27d32bb9b8d8e85c8594f2210891e047744938e34f4210323594987702f437f94cf51225c002c2e02c3250577ffa2b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpath.ini

Filesize
49B

MD5
9759ee3a15078106dfa502a3bd29910f

SHA1
e05e57950625458cc1cdfb375c9aa59afd3bbf46

SHA256
46985b815d48d9a0d6db4218e4ce41b1580e02f988bacfe4face1955f2220dc0

SHA512
420b7fd34ad45d2fa78275046c49c0925294120cc2f65618e0f763da566c281bfd34aadffa0f28d8cf453ad04be7d11eb08650d37bed77b2d027416c85477544

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpath.ini

Filesize
49B

MD5
0a1914a005d471a711fa962cb8956b03

SHA1
30f6ef04b4a9e47dcac44ba99d29f0f37c65ebeb

SHA256
c178386889a05bb10396c11ed259b7bbbd3e9065d42c96d619b1f170896f191f

SHA512
e2e43c2746cb5d9d1b02969b5296c74b845279b334d6a48703fc718c5a53d9888c17496acb712a42d350ad453921e0c549894b4e88f06c5e417540e1eeb91eb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpath.ini

Filesize
49B

MD5
9a2cbb0e1708d50a201233df584c07bc

SHA1
8e8af52313d33a1065896533d9105d47ca38f7fc

SHA256
caaa83754023b24539ce6f6dbb75cd598b7600d8f9f5942205aa11bf9ea05081

SHA512
d516836ae1d109f90f3b4b376baa1e878471840a84d0d6c964a94b7d54c026e25a353b5b0ec160584da0f4da8b5bc6c0017e3f8b3208275f733e2fdd469eb26e

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpath.ini

Filesize
49B

MD5
f444c06f0e40a85af7708e9c334852d0

SHA1
239eb3859243c92667d24d9e4f652c00882631f7

SHA256
24c30350b59b60c775c6b1349e1dc312aeb4ad2206bc962cfdde2718acd7eb73

SHA512
6ff759448a255084843ebd23b97c5106c9d8503131fff935bb65854ee62681618b476a2da0edeb5ca8c4fb0fc6f89177f2da019bbc79d347ed22c5b307d13b79

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpath.ini

Filesize
49B

MD5
bcadd557a64c2b5ae4a1fb65c7578e06

SHA1
588870ae7998c9ecc4fce00389dd0458b77132a9

SHA256
5014c276878dfb6f878cbef7aa4429ceb8d0ab5813f1a2cff8ee96e115f3fde2

SHA512
921069b3c15a8cf5ed8416bda95d458ca0a1885c8fcfcd5ec9de0502e5e4bdcfa73fc7f800ec3c095177499f373e8b692fe01ae6797c0f6c6617891ab3cdbdb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpath.ini

Filesize
49B

MD5
816a8a75479b620a9a086680b45e058a

SHA1
2451e0942ebfcc8a389a577c17517b66db891a24

SHA256
966f6dad5c7e1d478f74ac1ce437d4df32e4b332eaad8220de7916dbedc3b06c

SHA512
a6fb435aebb70311c4241eeca524f4172d2af16fcb010309e4e00e960c1f4476ad9f9d2d345f4e7b1d30eb884b41cc4ce1757523b32f8254a8da1a25ec492d4c

Download Submit
memory/180-3627-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/180-4399-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/180-3522-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/212-1298-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/404-2729-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/404-2603-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/416-2537-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/416-3858-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/464-4103-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/708-4034-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/720-3070-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/780-1128-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/780-1231-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/780-3715-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/812-540-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/836-1755-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/928-1721-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1100-2052-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1124-2333-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1144-4263-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1148-2637-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1196-3006-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1212-983-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1220-3585-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1220-2976-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1292-1398-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1440-3664-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1440-694-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1444-246-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1556-785-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1568-4339-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1692-4066-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1692-4229-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1724-1500-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1752-851-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1752-4297-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1772-4064-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1788-1888-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1840-1122-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1840-1024-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1968-3376-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1968-3662-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1980-3240-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1980-2900-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2060-1622-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2092-2190-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2116-539-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2172-1365-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2224-3342-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2224-822-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2248-1261-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2300-3551-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2308-3516-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2332-137-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2332-0-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2376-2698-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2384-577-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2384-3790-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2400-2768-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2432-4373-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2456-719-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2500-1490-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2636-3892-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2724-926-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2724-4134-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2752-2128-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2804-1018-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2816-884-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2844-1349-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2856-2742-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2876-3206-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2900-2461-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3148-1827-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3208-4406-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3284-3138-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3308-2054-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3368-2257-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3372-1063-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3400-2291-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3536-1693-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3536-501-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3576-3410-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3628-3760-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3636-3172-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3636-214-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3664-4172-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3668-2157-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3680-658-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3732-1050-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3800-3275-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3812-3926-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3816-1156-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3880-3105-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3888-1093-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3888-989-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3904-613-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3924-2232-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3924-3477-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3980-1431-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3992-3455-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4060-327-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4076-1953-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4136-464-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4140-3965-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4180-428-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4188-252-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4216-2098-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4280-3316-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4308-2368-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4316-1796-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4356-2567-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4384-3444-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4396-2393-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4408-3727-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4408-3824-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4416-2597-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4424-1726-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4464-2942-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4488-2427-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4512-3490-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4576-186-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4604-1687-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4652-3036-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4792-1462-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4840-1530-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4852-2503-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4868-1197-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4936-1854-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4992-509-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4992-2088-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/5056-2834-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/5072-4435-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/5080-284-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/5088-1860-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/5088-1994-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/5116-656-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/5116-752-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download