1bb2b3cde3f143d943aaf7d325c758d336cddc782ce803f3fe720cce99af8833

Analysis

max time kernel
80s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
12/05/2024, 05:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

70d5c960257e0c8944597b996a54cdf0_NeikiAnalytics.exe
Size

89KB
MD5

70d5c960257e0c8944597b996a54cdf0
SHA1

3139b5c2a3326849fdb023572330fedab601d4c9
SHA256

1bb2b3cde3f143d943aaf7d325c758d336cddc782ce803f3fe720cce99af8833
SHA512

59427372ef69b2d417f1e7334bda92599e2b31b288c1eb6e8b6d4a796f89c3e674a32d91cb976792eeb9bc179fa5f6261c8e71e957320ac87d41dba3323c78b1
SSDEEP

1536:gzfMMkPZE1J7S6/PMj42VJEY4ujMepJtANuOAl0QQsIEySYndfcc:mfMNE1JG6XMk27EbpOthl0ZUed0c

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 41 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Sysqematbsa.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Sysqemsopxb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Sysqemhwfhx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Sysqemzzktf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Sysqemunznl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Sysqemczlfo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Sysqemlqine.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Sysqemxplrm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Sysqemcugyq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Sysqemchiap.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Sysqemuaggl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	70d5c960257e0c8944597b996a54cdf0_NeikiAnalytics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Sysqemntrug.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Sysqemvlkae.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Sysqemfavkq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Sysqemjtowu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Sysqemplkzm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Sysqemzgsxk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Sysqembzeee.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Sysqemhbycl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Sysqemyiyfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Sysqeminklq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Sysqemluatl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Sysqemqenzo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Sysqemcypau.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Sysqemzqcgi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Sysqemfnjkm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Sysqemngcgl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Sysqemprgan.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Sysqemhkznx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Sysqemtgvgj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Sysqempkvkn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Sysqemzrlyi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Sysqemjhhll.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Sysqembbgov.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Sysqemvqxvo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Sysqemvzdeg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Sysqemsmjpj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Sysqemswadf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Sysqempqeeh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Sysqemwqyhb.exe

Executes dropped EXE 41 IoCs

pid	Process
1748	Sysqembbgov.exe
4636	Sysqeminklq.exe
1132	Sysqemluatl.exe
2220	Sysqemntrug.exe
1088	Sysqemlqine.exe
4964	Sysqemvqxvo.exe
4224	Sysqemxplrm.exe
3620	Sysqemqenzo.exe
4408	Sysqemfnjkm.exe
4356	Sysqematbsa.exe
3808	Sysqemngcgl.exe
3616	Sysqemvzdeg.exe
4948	Sysqemsmjpj.exe
960	Sysqemprgan.exe
1116	Sysqemvlkae.exe
1028	Sysqemcugyq.exe
2632	Sysqemplkzm.exe
1424	Sysqemfavkq.exe
4556	Sysqemsopxb.exe
1108	Sysqemcypau.exe
1576	Sysqemswadf.exe
836	Sysqempqeeh.exe
1420	Sysqemhwfhx.exe
4748	Sysqemchiap.exe
4060	Sysqemzqcgi.exe
2212	Sysqemuaggl.exe
3916	Sysqemjtowu.exe
4964	Sysqempkvkn.exe
4948	Sysqemhkznx.exe
2556	Sysqemzrlyi.exe
5080	Sysqemzzktf.exe
1900	Sysqemzgsxk.exe
4864	Sysqemunznl.exe
4312	Sysqemczlfo.exe
1864	Sysqemjhhll.exe
2688	Sysqemtgvgj.exe
4032	Sysqembzeee.exe
2632	Sysqemwqyhb.exe
4428	Sysqemhbycl.exe
1900	Sysqemyiyfc.exe
3912	Sysqemwfgso.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 41 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemzqcgi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqembzeee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemhbycl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemfnjkm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemngcgl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqeminklq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemluatl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemcypau.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemswadf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemhwfhx.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	70d5c960257e0c8944597b996a54cdf0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemplkzm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemqenzo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqematbsa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemvzdeg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemsopxb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqempqeeh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemunznl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqembbgov.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemntrug.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemhkznx.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemzgsxk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemwqyhb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemlqine.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemuaggl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemchiap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemczlfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemtgvgj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemyiyfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemxplrm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemcugyq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemvlkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemzzktf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemjhhll.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemsmjpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemprgan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemjtowu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqempkvkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemzrlyi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemvqxvo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sysqemfavkq.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4664 wrote to memory of 1748	4664	70d5c960257e0c8944597b996a54cdf0_NeikiAnalytics.exe	93
PID 4664 wrote to memory of 1748	4664	70d5c960257e0c8944597b996a54cdf0_NeikiAnalytics.exe	93
PID 4664 wrote to memory of 1748	4664	70d5c960257e0c8944597b996a54cdf0_NeikiAnalytics.exe	93
PID 1748 wrote to memory of 4636	1748	Sysqembbgov.exe	94
PID 1748 wrote to memory of 4636	1748	Sysqembbgov.exe	94
PID 1748 wrote to memory of 4636	1748	Sysqembbgov.exe	94
PID 4636 wrote to memory of 1132	4636	Sysqeminklq.exe	95
PID 4636 wrote to memory of 1132	4636	Sysqeminklq.exe	95
PID 4636 wrote to memory of 1132	4636	Sysqeminklq.exe	95
PID 1132 wrote to memory of 2220	1132	Sysqemluatl.exe	96
PID 1132 wrote to memory of 2220	1132	Sysqemluatl.exe	96
PID 1132 wrote to memory of 2220	1132	Sysqemluatl.exe	96
PID 2220 wrote to memory of 1088	2220	Sysqemntrug.exe	99
PID 2220 wrote to memory of 1088	2220	Sysqemntrug.exe	99
PID 2220 wrote to memory of 1088	2220	Sysqemntrug.exe	99
PID 1088 wrote to memory of 4964	1088	Sysqemlqine.exe	101
PID 1088 wrote to memory of 4964	1088	Sysqemlqine.exe	101
PID 1088 wrote to memory of 4964	1088	Sysqemlqine.exe	101
PID 4964 wrote to memory of 4224	4964	Sysqemvqxvo.exe	102
PID 4964 wrote to memory of 4224	4964	Sysqemvqxvo.exe	102
PID 4964 wrote to memory of 4224	4964	Sysqemvqxvo.exe	102
PID 4224 wrote to memory of 3620	4224	Sysqemxplrm.exe	103
PID 4224 wrote to memory of 3620	4224	Sysqemxplrm.exe	103
PID 4224 wrote to memory of 3620	4224	Sysqemxplrm.exe	103
PID 3620 wrote to memory of 4408	3620	Sysqemqenzo.exe	105
PID 3620 wrote to memory of 4408	3620	Sysqemqenzo.exe	105
PID 3620 wrote to memory of 4408	3620	Sysqemqenzo.exe	105
PID 4408 wrote to memory of 4356	4408	Sysqemfnjkm.exe	107
PID 4408 wrote to memory of 4356	4408	Sysqemfnjkm.exe	107
PID 4408 wrote to memory of 4356	4408	Sysqemfnjkm.exe	107
PID 4356 wrote to memory of 3808	4356	Sysqematbsa.exe	108
PID 4356 wrote to memory of 3808	4356	Sysqematbsa.exe	108
PID 4356 wrote to memory of 3808	4356	Sysqematbsa.exe	108
PID 3808 wrote to memory of 3616	3808	Sysqemngcgl.exe	109
PID 3808 wrote to memory of 3616	3808	Sysqemngcgl.exe	109
PID 3808 wrote to memory of 3616	3808	Sysqemngcgl.exe	109
PID 3616 wrote to memory of 4948	3616	Sysqemvzdeg.exe	128
PID 3616 wrote to memory of 4948	3616	Sysqemvzdeg.exe	128
PID 3616 wrote to memory of 4948	3616	Sysqemvzdeg.exe	128
PID 4948 wrote to memory of 960	4948	Sysqemsmjpj.exe	113
PID 4948 wrote to memory of 960	4948	Sysqemsmjpj.exe	113
PID 4948 wrote to memory of 960	4948	Sysqemsmjpj.exe	113
PID 960 wrote to memory of 1116	960	Sysqemprgan.exe	114
PID 960 wrote to memory of 1116	960	Sysqemprgan.exe	114
PID 960 wrote to memory of 1116	960	Sysqemprgan.exe	114
PID 1116 wrote to memory of 1028	1116	Sysqemvlkae.exe	115
PID 1116 wrote to memory of 1028	1116	Sysqemvlkae.exe	115
PID 1116 wrote to memory of 1028	1116	Sysqemvlkae.exe	115
PID 1028 wrote to memory of 2632	1028	Sysqemcugyq.exe	137
PID 1028 wrote to memory of 2632	1028	Sysqemcugyq.exe	137
PID 1028 wrote to memory of 2632	1028	Sysqemcugyq.exe	137
PID 2632 wrote to memory of 1424	2632	Sysqemplkzm.exe	117
PID 2632 wrote to memory of 1424	2632	Sysqemplkzm.exe	117
PID 2632 wrote to memory of 1424	2632	Sysqemplkzm.exe	117
PID 1424 wrote to memory of 4556	1424	Sysqemfavkq.exe	118
PID 1424 wrote to memory of 4556	1424	Sysqemfavkq.exe	118
PID 1424 wrote to memory of 4556	1424	Sysqemfavkq.exe	118
PID 4556 wrote to memory of 1108	4556	Sysqemsopxb.exe	119
PID 4556 wrote to memory of 1108	4556	Sysqemsopxb.exe	119
PID 4556 wrote to memory of 1108	4556	Sysqemsopxb.exe	119
PID 1108 wrote to memory of 1576	1108	Sysqemcypau.exe	120
PID 1108 wrote to memory of 1576	1108	Sysqemcypau.exe	120
PID 1108 wrote to memory of 1576	1108	Sysqemcypau.exe	120
PID 1576 wrote to memory of 836	1576	Sysqemswadf.exe	121

C:\Users\Admin\AppData\Local\Temp\70d5c960257e0c8944597b996a54cdf0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\70d5c960257e0c8944597b996a54cdf0_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4664
- C:\Users\Admin\AppData\Local\Temp\Sysqembbgov.exe
  "C:\Users\Admin\AppData\Local\Temp\Sysqembbgov.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1748
- - C:\Users\Admin\AppData\Local\Temp\Sysqeminklq.exe
    "C:\Users\Admin\AppData\Local\Temp\Sysqeminklq.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4636
  - - C:\Users\Admin\AppData\Local\Temp\Sysqemluatl.exe
      "C:\Users\Admin\AppData\Local\Temp\Sysqemluatl.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1132
    - - C:\Users\Admin\AppData\Local\Temp\Sysqemntrug.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemntrug.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2220
      - C:\Users\Admin\AppData\Local\Temp\Sysqemlqine.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemlqine.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1088
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemvqxvo.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemvqxvo.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4964
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemxplrm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemxplrm.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4224
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemqenzo.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemqenzo.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3620
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemfnjkm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemfnjkm.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4408
        
        C:\Users\Admin\AppData\Local\Temp\Sysqematbsa.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqematbsa.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4356
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemngcgl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemngcgl.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3808
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemvzdeg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemvzdeg.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3616
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemsmjpj.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemsmjpj.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4948
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemprgan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemprgan.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:960
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemvlkae.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemvlkae.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1116
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemcugyq.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemcugyq.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1028
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemplkzm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemplkzm.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2632
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemfavkq.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemfavkq.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1424
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemsopxb.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemsopxb.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4556
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemcypau.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemcypau.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1108
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemswadf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemswadf.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1576
        
        C:\Users\Admin\AppData\Local\Temp\Sysqempqeeh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqempqeeh.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:836
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemhwfhx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemhwfhx.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:1420
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemchiap.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemchiap.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:4748
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemzqcgi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemzqcgi.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:4060
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemuaggl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemuaggl.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:2212
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemjtowu.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemjtowu.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:3916
        
        C:\Users\Admin\AppData\Local\Temp\Sysqempkvkn.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqempkvkn.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:4964
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemhkznx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemhkznx.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:4948
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemzrlyi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemzrlyi.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:2556
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemzzktf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemzzktf.exe"
        32⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:5080
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemzgsxk.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemzgsxk.exe"
        33⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:1900
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemunznl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemunznl.exe"
        34⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:4864
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemczlfo.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemczlfo.exe"
        35⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:4312
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemjhhll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemjhhll.exe"
        36⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:1864
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemtgvgj.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemtgvgj.exe"
        37⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:2688
        
        C:\Users\Admin\AppData\Local\Temp\Sysqembzeee.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqembzeee.exe"
        38⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:4032
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemwqyhb.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemwqyhb.exe"
        39⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:2632
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemhbycl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemhbycl.exe"
        40⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:4428
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemyiyfc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemyiyfc.exe"
        41⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:1900
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemwfgso.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemwfgso.exe"
        42⤵
        Executes dropped EXE
        
        PID:3912
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemwjdji.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemwjdji.exe"
        43⤵
        
        PID:1236
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemteybz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemteybz.exe"
        44⤵
        
        PID:2556
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemjqgzh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemjqgzh.exe"
        45⤵
        
        PID:4084
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemoddls.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemoddls.exe"
        46⤵
        
        PID:912
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemycqvw.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemycqvw.exe"
        47⤵
        
        PID:5012
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemowowr.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemowowr.exe"
        48⤵
        
        PID:3200
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemzsree.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemzsree.exe"
        49⤵
        
        PID:3964
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemohjce.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemohjce.exe"
        50⤵
        
        PID:3976
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemyoxsm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemyoxsm.exe"
        51⤵
        
        PID:1376
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemtysfd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemtysfd.exe"
        52⤵
        
        PID:2988
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemjdcyn.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemjdcyn.exe"
        53⤵
        
        PID:4004
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemdnmze.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemdnmze.exe"
        54⤵
        
        PID:4484
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemyufme.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemyufme.exe"
        55⤵
        
        PID:3992
        
        C:\Users\Admin\AppData\Local\Temp\Sysqembsvnz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqembsvnz.exe"
        56⤵
        
        PID:3616
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemgrcas.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemgrcas.exe"
        57⤵
        
        PID:1164
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemliszg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemliszg.exe"
        58⤵
        
        PID:4316
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemdhwcq.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemdhwcq.exe"
        59⤵
        
        PID:2688
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemlbfzl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemlbfzl.exe"
        60⤵
        
        PID:3488
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemygyne.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemygyne.exe"
        61⤵
        
        PID:3948
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemkbnbk.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemkbnbk.exe"
        62⤵
        
        PID:2556
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemagytt.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemagytt.exe"
        63⤵
        
        PID:3140
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemidkwq.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemidkwq.exe"
        64⤵
        
        PID:1508
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemfmecj.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemfmecj.exe"
        65⤵
        
        PID:4792
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemyafsr.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemyafsr.exe"
        66⤵
        
        PID:5112
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemqpovh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemqpovh.exe"
        67⤵
        
        PID:1580
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemlgidq.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemlgidq.exe"
        68⤵
        
        PID:4320
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemnfien.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemnfien.exe"
        69⤵
        
        PID:4768
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemswpkg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemswpkg.exe"
        70⤵
        
        PID:1192
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemhfjqh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemhfjqh.exe"
        71⤵
        
        PID:2376
        
        C:\Users\Admin\AppData\Local\Temp\Sysqempvhbr.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqempvhbr.exe"
        72⤵
        
        PID:4608
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemiuleb.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemiuleb.exe"
        73⤵
        
        PID:940
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemsuzzz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemsuzzz.exe"
        74⤵
        
        PID:1328
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemfwpiq.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemfwpiq.exe"
        75⤵
        
        PID:1616
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemsnuae.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemsnuae.exe"
        76⤵
        
        PID:4660
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemknglp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemknglp.exe"
        77⤵
        
        PID:396
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemizewt.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemizewt.exe"
        78⤵
        
        PID:380
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemuiiwh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemuiiwh.exe"
        79⤵
        
        PID:1424
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemppzfk.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemppzfk.exe"
        80⤵
        
        PID:4124
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemursds.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemursds.exe"
        81⤵
        
        PID:3420
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemeqgyq.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemeqgyq.exe"
        82⤵
        
        PID:912
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemhiihf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemhiihf.exe"
        83⤵
        
        PID:2224
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemkencx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemkencx.exe"
        84⤵
        
        PID:672
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemklvfc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemklvfc.exe"
        85⤵
        
        PID:4316
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemegbli.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemegbli.exe"
        86⤵
        
        PID:1416
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemxgpbe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemxgpbe.exe"
        87⤵
        
        PID:4744
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemozard.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemozard.exe"
        88⤵
        
        PID:4248
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemelhhm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemelhhm.exe"
        89⤵
        
        PID:4768
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemxtvyj.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemxtvyj.exe"
        90⤵
        
        PID:3628
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemoptgq.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemoptgq.exe"
        91⤵
        
        PID:4892
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemzoiha.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemzoiha.exe"
        92⤵
        
        PID:4228
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemhegar.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemhegar.exe"
        93⤵
        
        PID:4172
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemglfvo.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemglfvo.exe"
        94⤵
        
        PID:1860
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemjsuld.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemjsuld.exe"
        95⤵
        
        PID:1580
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemqtrjd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemqtrjd.exe"
        96⤵
        
        PID:4356
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemgjoub.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemgjoub.exe"
        97⤵
        
        PID:2148
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemogixy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemogixy.exe"
        98⤵
        
        PID:5016
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemdoddl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemdoddl.exe"
        99⤵
        
        PID:2788
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemgntdo.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemgntdo.exe"
        100⤵
        
        PID:4732
        
        C:\Users\Admin\AppData\Local\Temp\Sysqembmoup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqembmoup.exe"
        101⤵
        
        PID:3972
        
        C:\Users\Admin\AppData\Local\Temp\Sysqembqlkr.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqembqlkr.exe"
        102⤵
        
        PID:1164
        
        C:\Users\Admin\AppData\Local\Temp\Sysqememqxj.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqememqxj.exe"
        103⤵
        
        PID:2632
        
        C:\Users\Admin\AppData\Local\Temp\Sysqemnhogy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqemnhogy.exe"
        104⤵
        
        PID:3944
        
        C:\Users\Admin\AppData\Local\Temp\Sysqembyuly.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sysqembyuly.exe"
        105⤵
        
        PID:2212

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3704 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8
1⤵
PID:3992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Sysqamqqvaqqd.exe

Filesize
89KB

MD5
85e8320f7c690a0be1536d1dfbbdfbe9

SHA1
dafa0224112e3a69df25c41d74bf5f20a57e95a9

SHA256
718c2168357a83d74884ac51cfc0bb7ea9d24bb0d68961e4b7d9e50082f9de7c

SHA512
133310758cad4cb631a29b47ab16c5252b7e9945d03d919eb6448410bc33216cd6ddf60ce8d96636514c642db09acab862309d6ee36d56039b14a41151714a1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysqematbsa.exe

Filesize
89KB

MD5
fea21ed1e1ae76c9ca312a441d9fba94

SHA1
d8f21a34481c55e690f2a0ddf243779cc2bacf23

SHA256
a5d8a96a37020a796c404958ba470a0bfc1888edc7ffc0535dbaf9bd1d0a40e7

SHA512
a493e93bc839c4d8009a1f808b5c0b0737cabc1a6eb48da06bb3ead63c483e43b629d33ff34902fa005877a4aa096672b3da3cd1a6ea97af2f6644c3fd5197d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysqembbgov.exe

Filesize
89KB

MD5
cbd2a771de9b68e6505d6d266c78fc3d

SHA1
bd53f1fab8b7e556c22889f589876c2f079ad7d5

SHA256
6cf03cf065c4b15a307a8e5a2ac4a5a71a710f2b4dd70352b36730e62ddc09d0

SHA512
f6fa54ece2f811ce2fe24fe07370c1bcb3198253cb4ba8ca332c0dbaf8025f777d7161b1e97f5f80a8cec4d9c4080cf27c9edf0a503ec6a2c470d0b2eaf8c220

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysqemcugyq.exe

Filesize
89KB

MD5
b1805f1577aa0ea6b89cef70c68878f8

SHA1
87599bb1cf0543263462e6147f39734f550ae4da

SHA256
bca25615b8afbf68169bf9b6acc7d22716751b41022f44c2a89a78a225fd7566

SHA512
7428ed53128520544e768305a685b62e3bbe5066abc0c698a3779db881a7a5f546855fee7504158650d3078568c03f8dd006d12f8b812ee3a35583802003c8a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysqemfavkq.exe

Filesize
89KB

MD5
4518c35e17dc7d0aa41c7f12edf49c66

SHA1
4eed304a5593e661e8313e0d73efa574f861f789

SHA256
b8924065e52e919886ea6b4535ec213a0331099ea7980e1a61bcd87c94c6cb44

SHA512
9aa76676406fd18d32c914f5f983c0461ad1b4ef247e612e65577a9c4a49864302f65f8736d0340ac55f9dc38ca4b95a617c4d4bc6cf9fa5649c92090e44fb1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysqemfnjkm.exe

Filesize
89KB

MD5
c072bf1f9cd506d7af33aad9cbd3fbee

SHA1
9365edc076767b5101d553db7f6c26dab5a2412e

SHA256
ce03de45890ac4e267f3876270ce5641c883d2e9e3df2c1e8d5b104c9e9d0c4d

SHA512
99608856b723ab87891e5460dd9b0f376427eb4d9871830d1ae51e2f1132caaff9db7ea2995f764df1063333449c6df4dd7d7c42fce50b650b81ee18baf90128

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysqeminklq.exe

Filesize
89KB

MD5
0a8ded5ed89b66905b702743f4d378de

SHA1
ed65c4c512cefa9a5bc6ddd97b9d43d9006831b3

SHA256
aa1965efe2519b25eed5e45162927477b82d77d63308b8d1a5c6aec6e2c73955

SHA512
451f8fbaa49661bc1901f280285773ebaea5771f37bcd1a8ed364e3f0829809eaa83f4de7c74290f1ec89deacbf3eab9250fa73179d0c3c1477fe63932057e5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysqemlqine.exe

Filesize
89KB

MD5
caf3ba07a02c490a1a6920459b00419e

SHA1
f5d6fd486a39206688063a72f2b7eaf82cc6503e

SHA256
f13b79f20c0a6bd0f56b6a8035b681b124c3478dded11a03be253c21c48823f4

SHA512
e327850a1be2a1c266243c824f7adf136a5b1491f8797c4f31921b4b98b6fbb642a9169ce6d5fd2dc2f7ffda9e6b6606a7434ed1b2c35579dc5945b65c90fe35

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysqemluatl.exe

Filesize
89KB

MD5
f1e40e1024abbd034a4cbd33f1c21017

SHA1
ca9addbc667e38632363d8fad88551bf0c24690a

SHA256
a2cafb33b94754f3c930e619b84ac2dd965cde48e41f9a952d6fd75b2ddd81b1

SHA512
21874b0342c64fdaba7654840c56a94530beb113782937fb82e8bd93991f648601b9e8202e321070733a0bf6e50501e0cc06bec5ba0c938e90fc9b12af75c672

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysqemngcgl.exe

Filesize
89KB

MD5
b50959c73e3a3db44245e0c1e214b573

SHA1
139abbb5a5b18ee87e2442c29771152da5a0dae6

SHA256
10a883c263b06c49b58d29c485bc0d1b4f7039e11019249ff447e46ac74a5145

SHA512
66518540abf1929b316b0270ced55d5dbed43a4088416c34fe14942ef8324fb42ac8cf3ef73e703802fd571b82e06c4cfb01b979fe4e0b1cf217656317ce54e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysqemntrug.exe

Filesize
89KB

MD5
07c7fac2ef0217ea745c6be801a1623e

SHA1
7d0ce0fce8da23024d131d48674715eb4929ade1

SHA256
61c6aff24e72e27a5718d130260a1903bd7f415add1f08490dbc2a01775506e5

SHA512
4681e0bcf09e8c53f96aa370a5b9b793b45f979e7ad1f4b77fe2ba028097b178af297e66551811a3d4b0c3c042ccf1adae4b8f89f31f815a0cf38ff81cfed1f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysqemplkzm.exe

Filesize
89KB

MD5
0a478c4d48031310a3c304bc77c859ae

SHA1
5cf14640e9a7b50fe5f163cc370458be86e373ac

SHA256
0658cc9568a2ffa9787031733c676faa26794c363ceb9e650450ae462b58640d

SHA512
d205811fe04ea54741de9cf8aa3e7a137839c242a0bf675ca8e9d49a5e51da3d20e00e854d42428b10b2edc972c0491ea89c2d514b7e70c17a7ba48bc7d7ca02

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysqemprgan.exe

Filesize
89KB

MD5
b541bbbbfade6b1c53a34a3877fc6976

SHA1
9f4f434c91476b50bbf083c6e775d125db31e58d

SHA256
118d90a663610d78bec4286e14bdbe49c7df5fc5539061ecea4b9e00e4951719

SHA512
4dd23cf403121396e16a4dd0571a6955d01249d5b0293afd35672a4f67bd313538c00770955372762cbc78e12c0d503cd8d26ccc196ddd15448e89c701a7e7a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysqemqenzo.exe

Filesize
89KB

MD5
48ee6ee31bf27e8de558ef1f31aae01b

SHA1
8bfc7ebd9067f2b0a83253af6f7a8440b77bea05

SHA256
1f1975bddfad9829d74dcfde25bf83e4d15e70b0b0af4565cdb39b251b784d65

SHA512
bcbf524291ad57eeb79648000d0036d0b2482c29c455fbceca8089f5f815b0912ea27f9ed37f80ef5eb75be7fbff15373af79e6a25e4660b59240334a87cbd40

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysqemsmjpj.exe

Filesize
89KB

MD5
e2c74972274c7f2ba268d45d1fabbd13

SHA1
a8932766a0f5384ff4f7e6a64817f793c6e33911

SHA256
26c4ef4611bd960850dc826741890f8af3d3916d8657c288d7c0c1c2d74028fd

SHA512
f20330190463c2211a03a6e2c14a1b8d1a480451d71328c3addd1d4565f6cfca53a690b96d9ea24d035bee6ba66ca9142c3e646a22832516acaa66bc2261d0ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysqemvlkae.exe

Filesize
89KB

MD5
ee2b1ac926cdc0c53d073d1059165316

SHA1
6635158250472e0c88625582863875335024d707

SHA256
afb73b3ebd7b3fa9d21b08c1c1378194fdeadab36247957875f050fd59f9c978

SHA512
9ddd24978fccc570c506bb6c58d88cf1dbb58fa408f36caddccc77a9d8ba9a2d971305861116bc2b23cd1c3db9c358155164d3586a54262adecb9ca8cbcde782

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysqemvqxvo.exe

Filesize
89KB

MD5
74e1e3cb48d9cc8169677e54cf4df45e

SHA1
95ae35ec9040225729d445df9c2a8494dd218484

SHA256
12f4f4ea9564c1b7606e49880e1d58af149ed4008932205d4d31f10fa6b16e06

SHA512
da9e8f0e532f36fd0f12bef4dfd7223f50190f15a07f7e4c5e078dd99ec4b4459d2cd7dff9da9c24403b329fd7278b95df61d578cae572daaf765bcbded50519

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysqemvzdeg.exe

Filesize
89KB

MD5
d2c9a266859e6fdf0957f9a777cab369

SHA1
4d055c1ac72ba618245510d70542fb4315771e4c

SHA256
9a5b2707d3cabc9e87d85f06ffd934f9e59019ff04b5f61f33e93ed4fec5ef58

SHA512
36918d54f65c840eb8498c67f1c02a27cf5c8d64f6a0232e9efe3e33e3aaefb61730f6b29d4b9b7402aae3ae2260f0db1012e2049f11a1d4f7beb511c7c6b177

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysqemxplrm.exe

Filesize
89KB

MD5
41a6f82c366bff364e9cb394c4182443

SHA1
2f49a6c0c53c6b94ea85aa695d22c8641cf3f76f

SHA256
1cc266c9cef8fb7e07cf148c460db49854945cefaa0b7f40c119ccdc51634a64

SHA512
93d72b4356b35a08437e9755491b22fcc5f507104c6bc7147a2567ebcc055cc9c5d40bb878493c0c143463fb861f5b0e328d5963c17f5d1c19e0b80d7b785d7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpath.ini

Filesize
49B

MD5
54a0a0d203a0c42caba7dbd6a053115f

SHA1
4578be692436164e195bc46ae5aef7386cbbe1e8

SHA256
4f7295cfabdefb148ec90d33d684d1629d92ae1a73563edc8296678210225be5

SHA512
8fd51ab97a70836a3452be5c70d68addd392725becd2825c136097e2d5f751186ceccd2ce36c8a011b322e4a327e551af34981ccea69050b67517f4c1e6fd01a

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpath.ini

Filesize
49B

MD5
f8c552aea827482fb779122ce7824f86

SHA1
73ce9c5e8033bd5dbce0c8b5ddf14c450f9a5e59

SHA256
6d35b7543872ecaab59d285b4baa99bfb3bd70beaa35f172b50ad76d3df9e60d

SHA512
198208878b1c3999a3c7082f4e531577b06e62aec25edd2b064cc83323b4ae3622e1fe2570f86db08dbe82cbf6f7b19922bdde239ea8c2ebcc2363bdb6b3add5

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpath.ini

Filesize
49B

MD5
48d3e6972d96930632b586c20362e1df

SHA1
2b9acdf44dd70a245c34939f5a76c5e0645bd36e

SHA256
1eceb772562bc1e720775dfb730f1fa1b03f1b868c332c07ddf95db706b29f2c

SHA512
43082ee28b2b524fb8c53ae24cfd1b3589f894bcb22822ab053119c1c8cf29a3c9e594e1b060325000851b2fe46ae2ab9f4d9c415c921e31b31335a34de40d13

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpath.ini

Filesize
49B

MD5
ca8976b544ea11d44f67f2a6e9253833

SHA1
479c713a76f7086de8889c482abb46a398e09aea

SHA256
861214c8ff5f19385efb5e2ff03a551db705ce2f63e6714860b9a9644b0c51b6

SHA512
d254d3a3feee5e1c004d73d08bfbab255738896cda019b2dea0b12e50ba714afb21f62c598fa1cceadc4f935207fd1a69f936e163496b344874f9dacf98a6c60

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpath.ini

Filesize
49B

MD5
b2890f9a5eab9180b2a972a91dc14283

SHA1
92fd9fcb3178fb1623304955d731340b9e31d83e

SHA256
70dc0f3ba32201d2e813dbfdd7eb749bef5f4b5b1560555f0c1b0e3466559004

SHA512
3819d151c5a5a94a23e23bb7e92cfe997c93ead71278740ab20cb174da528843e2950065446c8a48d7b030b2a3e19acb6c2657f9ffd29e7d3553a1bca1fc9686

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpath.ini

Filesize
49B

MD5
927d1b33a0238feeaffaeefb5cbd3f9c

SHA1
3952fede0c1f0d4766b177639bd80edcb386f767

SHA256
6694a039ba77fa88a4709eff9b5c7695f821ec82a17b8924094644e8adbec18b

SHA512
7c2bcddd7053736fc98ca6b682256e0457c49889a8dabcd34be9b2f53886d2f4f7144f0922d3be5619f5844026907300291e7c44c955d29b8a3b11d586507d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpath.ini

Filesize
49B

MD5
941a6530b1459efb33269dc6900d0f08

SHA1
1d7940173a169d231cf5e51fe262cfdbe22ed992

SHA256
da33530008c4fcd1a1764de5094c2252fa864e8fd322e35e612838a877dbd46b

SHA512
a4ed43ac673af3d4f87e0e95c1494725e6ca626d1e1e299f0d1e43393209c8dacbd35672e3278ddb8e21bb248693c37531a733eb6cca939e4fcf075a4601e603

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpath.ini

Filesize
49B

MD5
50d0cfb0679a410f53e706ddf86efd79

SHA1
385d91a408fadf0b022c0ea104e271f35699146f

SHA256
5b2b876d5f36fc3335a38db0ba47f017cc7860cadb79959741f47a21bcd07ef2

SHA512
a0df2f77fef355a7bf84636fe8703489b6ba256cba5d3c9c6204ed1a7c03c869c083ec8cb2396cada89032981552a99715ee133227afdcb722c3a3af8e977f70

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpath.ini

Filesize
49B

MD5
82074c8905e5a7d34e412ffe824bd4a2

SHA1
8f39fcb41db09c342a5045d2a3250049ca8b0fbb

SHA256
c9dd70a94af699d95be62683253124b3946d6f7563f4b36b33b70e8d0184c3a2

SHA512
f1141cfd4e6e0fce370332d96ca6aed89790b179ae0d4de925feee85297adb007532959619948ee54a3bc3f3366d82fc7124607a4a73afeaf7937e5e1afc85b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpath.ini

Filesize
49B

MD5
0a6436aaaa6beab5778a302e3bb11340

SHA1
2ebc60c3970a40de3e379401109968226c6f7b78

SHA256
a3a0d63b579d51f972c11c0f8606ddc63ef1d7d81ba3e890980c3cfacb53d9c5

SHA512
6d3ea7a2b4b3c549583f38781c14d60d069dcc89ad06c55060afd99c726b7cea7e872023202e3ec7ffc7b412fa5ae7c0e4af86c2a7f5eb475d861b8e6909d11d

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpath.ini

Filesize
49B

MD5
fd4c8601fd5684447ad55dbdf2009318

SHA1
c02b5692d5f0d9bec31acdf4e18e7c80e009fc0f

SHA256
b18a5f98c48635c5d05c725adbc6afe17dbf570d7c5e3eb191c973a91af662c4

SHA512
8a52ad9eb01195eb60fb76f0f97b709b7e90955cf0970d071e1729fa92ed4094c9895757390105684e05eba0d0b53019047587f76349f015c1d674130e39f8ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpath.ini

Filesize
49B

MD5
1d46bf03068098d34365bc31723188c6

SHA1
740e112ecc1fff1c8e4d5e5f9ced98cb67d1cb6b

SHA256
8fb64d36ab0af4da18b8625f671b7a75c9861918fa65ddbd7762fc1858af011b

SHA512
382cec7701a053751a316b217f5c8fce209e6b62b57e643aa107e75ad801e30a6f1a0362f541e7ae0d163ab53c06014c717def8d3f73687c01f59d0e79028285

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpath.ini

Filesize
49B

MD5
437e442406c378524fc7505952ef702d

SHA1
33f82222051c8915ca66bffce636b045c5dda4b5

SHA256
820c5efffe5feb86cec0d49dac3857a0dbce06dcc8e902e2dbd5aaf38097ccf4

SHA512
970aafbe2e32d91ee8ebf7ddac76a887482ecbea54c558e498d80fec13336a916720a0b25d8dc29287f527a3bb6b72c40912e551b13e330ab918f5c3bcb2dd7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpath.ini

Filesize
49B

MD5
c2241b8c1e89971d486fcb1521c7cdc3

SHA1
75abdd01fa3ea06e8f136228b2e4dbc8f53515fb

SHA256
6b5573af03e1dcba2064772d52ff77109da80f7f2422e486231c40aebf31064a

SHA512
6ff9df22f5a9cffeb944943f76978069cbeb08e028b81d8ecee13e00652b87c8f05f334207817875024eebc7be2274ff2acc7c9a62573faac88df437a45c9686

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpath.ini

Filesize
49B

MD5
620b0a712d083e60b89bd8f115290920

SHA1
f3f088a083fd2114ec70b4718bc59d510f423fef

SHA256
d93c6b1c79aeb5bee2e179bc1a749698e7f0073f7808f7ebfcade8e5dd00a29a

SHA512
d1b31da8d8c0898b26033e9b68c78e4e38411548d1cf7fbec43f23554ef2f73aebf624ec35a3fbf6c04319bc4f3e709fd71befcf6845511bee889f3f1609a4d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpath.ini

Filesize
49B

MD5
f73580a8d63ed2fdc8bbdafaba24fb47

SHA1
9fdd3161a862a35e06d2112dc3dc32be6c6dbe7a

SHA256
1d9e12fbff3ee05c25973c6b2f84197362f55fa9c9884b9db1011e4e97f25676

SHA512
f46afde1e8190af3fe704d3751ee77e6c46fc35dc41b478c40ea99d74f0886601d2cafdda0d2f0e91028714914fffbd7bf07821c19a0314ccadfe24b90ea2e5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpath.ini

Filesize
49B

MD5
14a8554671041c0ca983e0a2f2b00fe7

SHA1
c88f4d2885d6c0a74275b9c296aadd1e4693e18e

SHA256
1b2542c09a7238757ec97ac34c8a23476597e775f2c15ce8315e5684aabfc119

SHA512
fb60959e659ee2a6e61dedaea8746f8b7807a12e8273e2805d4f5b4bc180334264c656f3c4f28fd3650a8d3d60791521289f39c16e2c32ebde999221fa75596e

Download Submit
memory/380-2735-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/396-2701-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/672-2939-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/836-889-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/912-2871-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/912-1659-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/940-2570-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/960-619-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/1028-590-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/1028-690-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/1088-264-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/1108-823-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/1116-656-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/1132-214-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/1164-3551-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/1164-2023-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/1192-2468-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/1236-1553-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/1328-2599-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/1376-1799-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/1416-3007-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/1420-922-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/1424-2769-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/1424-756-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/1508-2267-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/1576-833-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/1580-2361-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/1580-3313-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/1616-2633-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/1748-142-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/1748-41-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/1860-3279-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/1864-1352-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/1900-1487-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/1900-1228-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/2148-3381-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/2212-1030-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/2220-251-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/2224-2899-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/2376-2497-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/2556-1186-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/2556-1619-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/2556-2191-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/2632-1420-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/2632-723-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/2688-1358-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/2688-2090-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/2788-3449-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/2988-1855-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/2988-1759-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/3140-2230-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/3200-1726-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/3420-2837-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/3488-2123-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/3616-1990-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/3616-544-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/3620-397-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/3628-3143-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/3808-507-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/3912-1497-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/3916-1055-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/3948-2157-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/3964-1764-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/3972-3517-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/3976-1789-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/3992-1956-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/4004-1889-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/4032-1395-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/4060-988-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/4084-1652-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/4124-2803-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/4172-3245-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/4224-372-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/4228-3211-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/4248-3051-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/4312-1295-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/4316-2973-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/4316-2056-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/4320-2395-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/4356-3347-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/4356-447-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/4408-433-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/4428-1453-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/4484-1923-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/4556-798-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/4608-2531-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/4636-155-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/4660-2667-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/4664-1-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/4664-8-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/4664-2-0x000000000048E000-0x000000000048F000-memory.dmp

Filesize
4KB

Download
memory/4664-0-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/4732-3483-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/4744-3038-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/4748-932-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/4768-2433-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/4768-3109-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/4792-2293-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/4864-1253-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/4892-3177-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/4948-1121-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/4948-586-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/4964-1088-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/4964-324-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/4964-222-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/5012-1691-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/5016-3416-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/5080-1219-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/5112-2304-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download