b4eee0f94f11fd7cad080068f5c4c45007c973de84d4fe78665ccb6e88609d8a

Analysis

max time kernel
147s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
25-05-2024 22:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2d7f151c673993cf9a726a47c3445990_NeikiAnalytics.exe
Size

109KB
MD5

2d7f151c673993cf9a726a47c3445990
SHA1

9c43d3609a4162e5701289bc224735bef1fc8fcc
SHA256

b4eee0f94f11fd7cad080068f5c4c45007c973de84d4fe78665ccb6e88609d8a
SHA512

2eb7130df29acf622963a2fb627ef5ae1a62ac7d524409840093004e8b6fdc1c99ce22368111b9523cd9559e03f01eafc69c8ffa260c37c8dfdf358398f158f4
SSDEEP

3072:nFYAVLE+TXRBu0n9TJ9upLCqwzBu1DjHLMVDqqkSpR:eAXX60n1J9Cwtu1DjrFqhz

Score

10^/10

backdoor dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Lmdnbn32.exeAhaceo32.exeFfqhcq32.exeHmmfmhll.exeIbcaknbi.exeLjnlecmp.exeJgkmgk32.exeLqhdbm32.exeMjaabq32.exeOcjoadei.exeFiodpl32.exeHlnjbedi.exeHidgai32.exeIpjoja32.exeQfmmplad.exeAkkffkhk.exeBacjdbch.exeBpfkpp32.exeMqafhl32.exeQdaniq32.exeLgibpf32.exeMfnoqc32.exeNnafno32.exeHolfoqcm.exeHoclopne.exeJphkkpbp.exeKncaec32.exeCaojpaij.exePmpolgoi.exeAoioli32.exeBnlhncgi.exeBoldhf32.exeGehbjm32.exeJniood32.exeCkbemgcp.exeCpbjkn32.exeIidphgcn.exeMnegbp32.exeNqbpojnp.exeAmqhbe32.exeMcelpggq.exeQmeigg32.exeBdfpkm32.exeCaageq32.exeOnmfimga.exeCglbhhga.exeFnnjmbpm.exeGpelhd32.exeIepaaico.exeMcgiefen.exeGnqfcbnj.exeIipfmggc.exeMqfpckhm.exePjbcplpe.exe2d7f151c673993cf9a726a47c3445990_NeikiAnalytics.exeFefedmil.exeIomoenej.exeKngkqbgl.exePdenmbkk.exeIbaeen32.exeKcidmkpq.exeLncjlq32.exeMqimikfj.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmdnbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ahaceo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ffqhcq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmmfmhll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ibcaknbi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljnlecmp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jgkmgk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lqhdbm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjaabq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ocjoadei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fiodpl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hlnjbedi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hidgai32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipjoja32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfmmplad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akkffkhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bacjdbch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bpfkpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mqafhl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qdaniq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgibpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mfnoqc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnafno32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocjoadei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Holfoqcm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hoclopne.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jphkkpbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kncaec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Caojpaij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmpolgoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aoioli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnlhncgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Boldhf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gehbjm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jniood32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckbemgcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cpbjkn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iidphgcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnegbp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqbpojnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Amqhbe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcelpggq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qmeigg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdfpkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Caageq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Onmfimga.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cglbhhga.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fnnjmbpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gpelhd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iepaaico.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcgiefen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gnqfcbnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iipfmggc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mqfpckhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjbcplpe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	2d7f151c673993cf9a726a47c3445990_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fefedmil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iomoenej.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kngkqbgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pdenmbkk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibaeen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcidmkpq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lncjlq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mqimikfj.exe

Malware Dropper & Backdoor - Berbew 64 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

Processes:

resource	yara_rule
behavioral2/memory/4180-0-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Ffnknafg.exe	family_berbew
behavioral2/memory/3584-10-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Fmhdkknd.exe	family_berbew
behavioral2/memory/2708-16-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Ffqhcq32.exe	family_berbew
behavioral2/memory/4048-24-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Fiodpl32.exe	family_berbew
behavioral2/memory/736-36-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/memory/636-40-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Flmqlg32.exe	family_berbew
C:\Windows\SysWOW64\Fefedmil.exe	family_berbew
behavioral2/memory/2232-48-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Flpmagqi.exe	family_berbew
behavioral2/memory/1512-56-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Fnnjmbpm.exe	family_berbew
behavioral2/memory/4512-63-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Gehbjm32.exe	family_berbew
behavioral2/memory/4932-71-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Glbjggof.exe	family_berbew
behavioral2/memory/4036-80-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Gnqfcbnj.exe	family_berbew
behavioral2/memory/964-87-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Gifkpknp.exe	family_berbew
behavioral2/memory/5056-96-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Gppcmeem.exe	family_berbew
behavioral2/memory/1160-104-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Gfjkjo32.exe	family_berbew
behavioral2/memory/3008-113-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Gihgfk32.exe	family_berbew
behavioral2/memory/4056-119-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Glgcbf32.exe	family_berbew
behavioral2/memory/4604-128-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Gbalopbn.exe	family_berbew
behavioral2/memory/2332-136-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Gikdkj32.exe	family_berbew
C:\Windows\SysWOW64\Gpelhd32.exe	family_berbew
behavioral2/memory/4996-148-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/memory/3992-152-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Gbchdp32.exe	family_berbew
behavioral2/memory/5060-165-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/memory/4576-168-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Geaepk32.exe	family_berbew
C:\Windows\SysWOW64\Gojiiafp.exe	family_berbew
behavioral2/memory/1316-176-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Hedafk32.exe	family_berbew
behavioral2/memory/832-183-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Hlnjbedi.exe	family_berbew
behavioral2/memory/4392-192-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Holfoqcm.exe	family_berbew
behavioral2/memory/3048-200-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Hfcnpn32.exe	family_berbew
behavioral2/memory/2292-208-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Hmmfmhll.exe	family_berbew
behavioral2/memory/740-216-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Hoobdp32.exe	family_berbew
behavioral2/memory/4836-224-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Hbjoeojc.exe	family_berbew
behavioral2/memory/2924-236-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Hidgai32.exe	family_berbew
behavioral2/memory/5016-240-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Hmpcbhji.exe	family_berbew
behavioral2/memory/3244-248-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Hblkjo32.exe	family_berbew

Executes dropped EXE 64 IoCs

Processes:

Ffnknafg.exeFmhdkknd.exeFfqhcq32.exeFiodpl32.exeFlmqlg32.exeFefedmil.exeFlpmagqi.exeFnnjmbpm.exeGehbjm32.exeGlbjggof.exeGnqfcbnj.exeGifkpknp.exeGppcmeem.exeGfjkjo32.exeGihgfk32.exeGlgcbf32.exeGbalopbn.exeGikdkj32.exeGpelhd32.exeGbchdp32.exeGeaepk32.exeGojiiafp.exeHedafk32.exeHlnjbedi.exeHolfoqcm.exeHfcnpn32.exeHmmfmhll.exeHoobdp32.exeHbjoeojc.exeHidgai32.exeHmpcbhji.exeHblkjo32.exeHifcgion.exeHoclopne.exeHfjdqmng.exeHemdlj32.exeHpchib32.exeIbaeen32.exeIepaaico.exeIliinc32.exeIbcaknbi.exeIfomll32.exeIpgbdbqb.exeIgajal32.exeIipfmggc.exeIpjoja32.exeIomoenej.exeIgdgglfl.exeIlqoobdd.exeIoolkncg.exeIgfclkdj.exeIidphgcn.exeIpoheakj.exeJcmdaljn.exeJiglnf32.exeJleijb32.exeJocefm32.exeJgkmgk32.exeJiiicf32.exeJpcapp32.exeJofalmmp.exeJepjhg32.exeJilfifme.exeJljbeali.exe

pid	process
3584	Ffnknafg.exe
2708	Fmhdkknd.exe
4048	Ffqhcq32.exe
736	Fiodpl32.exe
636	Flmqlg32.exe
2232	Fefedmil.exe
1512	Flpmagqi.exe
4512	Fnnjmbpm.exe
4932	Gehbjm32.exe
4036	Glbjggof.exe
964	Gnqfcbnj.exe
5056	Gifkpknp.exe
1160	Gppcmeem.exe
3008	Gfjkjo32.exe
4056	Gihgfk32.exe
4604	Glgcbf32.exe
2332	Gbalopbn.exe
4996	Gikdkj32.exe
3992	Gpelhd32.exe
5060	Gbchdp32.exe
4576	Geaepk32.exe
1316	Gojiiafp.exe
832	Hedafk32.exe
4392	Hlnjbedi.exe
3048	Holfoqcm.exe
2292	Hfcnpn32.exe
740	Hmmfmhll.exe
4836	Hoobdp32.exe
2924	Hbjoeojc.exe
5016	Hidgai32.exe
3244	Hmpcbhji.exe
4956	Hblkjo32.exe
1912	Hifcgion.exe
4600	Hoclopne.exe
676	Hfjdqmng.exe
2900	Hemdlj32.exe
1840	Hpchib32.exe
2352	Ibaeen32.exe
4168	Iepaaico.exe
5088	Iliinc32.exe
2160	Ibcaknbi.exe
2824	Ifomll32.exe
4848	Ipgbdbqb.exe
956	Igajal32.exe
4688	Iipfmggc.exe
4360	Ipjoja32.exe
3744	Iomoenej.exe
3236	Igdgglfl.exe
1548	Ilqoobdd.exe
3248	Ioolkncg.exe
2800	Igfclkdj.exe
2196	Iidphgcn.exe
1924	Ipoheakj.exe
320	Jcmdaljn.exe
4388	Jiglnf32.exe
3380	Jleijb32.exe
1136	Jocefm32.exe
2524	Jgkmgk32.exe
2440	Jiiicf32.exe
1536	Jpcapp32.exe
2844	Jofalmmp.exe
5144	Jepjhg32.exe
5180	Jilfifme.exe
5228	Jljbeali.exe

Drops file in System32 directory 64 IoCs

Processes:

Ngqagcag.exeChkobkod.exeJniood32.exePmpolgoi.exeLjnlecmp.exeAaenbd32.exeIbcaknbi.exeJiiicf32.exeKgkfnh32.exeOnmfimga.exeDafppp32.exeHblkjo32.exeLcnfohmi.exeQhhpop32.exeChfegk32.exeCpbjkn32.exeHoclopne.exeNjhgbp32.exeNnhmnn32.exeOcgbld32.exeAagkhd32.exeAajhndkb.exeKcidmkpq.exeKjjbjd32.exeLlmhaold.exeHedafk32.exeOnkidm32.exeBdmmeo32.exeDojqjdbl.exeMcpcdg32.exeOcjoadei.exeIgajal32.exeJepjhg32.exeAfbgkl32.exeAhfmpnql.exe2d7f151c673993cf9a726a47c3445990_NeikiAnalytics.exeLcimdh32.exeLqojclne.exeChnlgjlb.exeHlnjbedi.exeJilfifme.exeMjaabq32.exeDhbebj32.exeHmmfmhll.exeLgibpf32.exeMnjqmpgg.exeConanfli.exeCammjakm.exeFlpmagqi.exePjbcplpe.exeQmeigg32.exeFnnjmbpm.exeHbjoeojc.exeNjmqnobn.exeHfcnpn32.exeIepaaico.exeIidphgcn.exePffgom32.exeAoioli32.exeGlbjggof.exeJljbeali.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Aepjgm32.dll	Ngqagcag.exe
File created	C:\Windows\SysWOW64\Ijilflah.dll	Chkobkod.exe
File opened for modification	C:\Windows\SysWOW64\Jphkkpbp.exe	Jniood32.exe
File opened for modification	C:\Windows\SysWOW64\Ppolhcnm.exe	Pmpolgoi.exe
File created	C:\Windows\SysWOW64\Hmkqgckn.dll	Ljnlecmp.exe
File created	C:\Windows\SysWOW64\Mfgomdnj.dll	Aaenbd32.exe
File opened for modification	C:\Windows\SysWOW64\Ifomll32.exe	Ibcaknbi.exe
File created	C:\Windows\SysWOW64\Pnjbcghk.dll	Jiiicf32.exe
File created	C:\Windows\SysWOW64\Kjjbjd32.exe	Kgkfnh32.exe
File opened for modification	C:\Windows\SysWOW64\Oakbehfe.exe	Onmfimga.exe
File opened for modification	C:\Windows\SysWOW64\Dddllkbf.exe	Dafppp32.exe
File created	C:\Windows\SysWOW64\Hifcgion.exe	Hblkjo32.exe
File opened for modification	C:\Windows\SysWOW64\Lgibpf32.exe	Lcnfohmi.exe
File opened for modification	C:\Windows\SysWOW64\Qobhkjdi.exe	Qhhpop32.exe
File opened for modification	C:\Windows\SysWOW64\Ckebcg32.exe	Chfegk32.exe
File created	C:\Windows\SysWOW64\Mmlmhc32.dll	Cpbjkn32.exe
File created	C:\Windows\SysWOW64\Hfjdqmng.exe	Hoclopne.exe
File created	C:\Windows\SysWOW64\Jjjojj32.dll	Njhgbp32.exe
File created	C:\Windows\SysWOW64\Nmkmjjaa.exe	Nnhmnn32.exe
File created	C:\Windows\SysWOW64\Offnhpfo.exe	Ocgbld32.exe
File created	C:\Windows\SysWOW64\Ejphhm32.dll	Aagkhd32.exe
File opened for modification	C:\Windows\SysWOW64\Apmhiq32.exe	Aajhndkb.exe
File created	C:\Windows\SysWOW64\Fmggcl32.dll	Kcidmkpq.exe
File opened for modification	C:\Windows\SysWOW64\Klhnfo32.exe	Kjjbjd32.exe
File created	C:\Windows\SysWOW64\Lqhdbm32.exe	Llmhaold.exe
File created	C:\Windows\SysWOW64\Ldldehjm.dll	Hedafk32.exe
File opened for modification	C:\Windows\SysWOW64\Oaifpi32.exe	Onkidm32.exe
File opened for modification	C:\Windows\SysWOW64\Bgkiaj32.exe	Bdmmeo32.exe
File created	C:\Windows\SysWOW64\Ipjijkpg.dll	Dojqjdbl.exe
File created	C:\Windows\SysWOW64\Ebcmfjll.dll	Mcpcdg32.exe
File opened for modification	C:\Windows\SysWOW64\Ogekbb32.exe	Ocjoadei.exe
File created	C:\Windows\SysWOW64\Ikgbdnie.dll	Igajal32.exe
File created	C:\Windows\SysWOW64\Jilfifme.exe	Jepjhg32.exe
File opened for modification	C:\Windows\SysWOW64\Aoioli32.exe	Afbgkl32.exe
File created	C:\Windows\SysWOW64\Agimkk32.exe	Ahfmpnql.exe
File opened for modification	C:\Windows\SysWOW64\Ffnknafg.exe	2d7f151c673993cf9a726a47c3445990_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Lfgipd32.exe	Lcimdh32.exe
File opened for modification	C:\Windows\SysWOW64\Lcnfohmi.exe	Lqojclne.exe
File created	C:\Windows\SysWOW64\Chiblk32.exe	Cpbjkn32.exe
File created	C:\Windows\SysWOW64\Cogddd32.exe	Chnlgjlb.exe
File created	C:\Windows\SysWOW64\Holfoqcm.exe	Hlnjbedi.exe
File opened for modification	C:\Windows\SysWOW64\Jljbeali.exe	Jilfifme.exe
File created	C:\Windows\SysWOW64\Leilnmkp.dll	Mjaabq32.exe
File created	C:\Windows\SysWOW64\Dkqaoe32.exe	Dhbebj32.exe
File opened for modification	C:\Windows\SysWOW64\Hoobdp32.exe	Hmmfmhll.exe
File created	C:\Windows\SysWOW64\Clahmb32.dll	Lcnfohmi.exe
File created	C:\Windows\SysWOW64\Ehmjob32.dll	Lgibpf32.exe
File created	C:\Windows\SysWOW64\Pdbeojmh.dll	Mnjqmpgg.exe
File opened for modification	C:\Windows\SysWOW64\Cammjakm.exe	Conanfli.exe
File opened for modification	C:\Windows\SysWOW64\Cponen32.exe	Cammjakm.exe
File created	C:\Windows\SysWOW64\Aolece32.dll	Flpmagqi.exe
File created	C:\Windows\SysWOW64\Pmpolgoi.exe	Pjbcplpe.exe
File created	C:\Windows\SysWOW64\Qpcecb32.exe	Qmeigg32.exe
File created	C:\Windows\SysWOW64\Gehbjm32.exe	Fnnjmbpm.exe
File created	C:\Windows\SysWOW64\Hidgai32.exe	Hbjoeojc.exe
File created	C:\Windows\SysWOW64\Nnhmnn32.exe	Njmqnobn.exe
File created	C:\Windows\SysWOW64\Dpaagldf.dll	2d7f151c673993cf9a726a47c3445990_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Hmmfmhll.exe	Hfcnpn32.exe
File created	C:\Windows\SysWOW64\Iliinc32.exe	Iepaaico.exe
File created	C:\Windows\SysWOW64\Bcghdkpf.dll	Iidphgcn.exe
File created	C:\Windows\SysWOW64\Ppcbba32.dll	Pffgom32.exe
File created	C:\Windows\SysWOW64\Aagkhd32.exe	Aoioli32.exe
File created	C:\Windows\SysWOW64\Gnqfcbnj.exe	Glbjggof.exe
File created	C:\Windows\SysWOW64\Johnamkm.exe	Jljbeali.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

8596 9196 WerFault.exe Dkqaoe32.exe

pid	pid_target	process	target process
8596	9196	WerFault.exe	Dkqaoe32.exe

Modifies registry class 64 IoCs

Processes:

Mnjqmpgg.exeHoobdp32.exeLopmii32.exeLgpoihnl.exeOpqofe32.exeChfegk32.exeCacckp32.exeHpchib32.exeOhlqcagj.exeChnlgjlb.exeHmmfmhll.exeNjhgbp32.exeMqafhl32.exeHolfoqcm.exeLfgipd32.exeOcohmc32.exePdenmbkk.exeAgimkk32.exeBdfpkm32.exeHoclopne.exeIfomll32.exeAajhndkb.exeDahmfpap.exeBajqda32.exeChkobkod.exeHidgai32.exeMmpmnl32.exeAfbgkl32.exeGlbjggof.exeOnkidm32.exeOjdgnn32.exeQpcecb32.exeFnnjmbpm.exeGeaepk32.exeMfnoqc32.exeBgnffj32.exeJilfifme.exeIbaeen32.exeBpfkpp32.exeCkbemgcp.exeQobhkjdi.exeNadleilm.exePdhkcb32.exeNgjkfd32.exeNqbpojnp.exeOpclldhj.exeChiblk32.exeMnhdgpii.exeOfmdio32.exeDpkmal32.exeIpgbdbqb.exeOaifpi32.exeIgfclkdj.exePmblagmf.exeQdoacabq.exeJgbchj32.exeLjqhkckn.exeOffnhpfo.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdbeojmh.dll"	Mnjqmpgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hoobdp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lopmii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipgijcij.dll"	Lgpoihnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Opqofe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chfegk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cacckp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lciibdmj.dll"	Hpchib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omfmcjlk.dll"	Ohlqcagj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chnlgjlb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akcoajfm.dll"	Hmmfmhll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjojj32.dll"	Njhgbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mqafhl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Holfoqcm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lfgipd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ocohmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbdjofbi.dll"	Pdenmbkk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iohmnmmb.dll"	Agimkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bdfpkm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hoclopne.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ifomll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgeaknci.dll"	Aajhndkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Agimkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dahmfpap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chfhllkp.dll"	Holfoqcm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bajqda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijilflah.dll"	Chkobkod.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hoobdp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibdlakbf.dll"	Hidgai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldpnmg32.dll"	Mmpmnl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Afbgkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Glbjggof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qbdadm32.dll"	Onkidm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ojdgnn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okddnh32.dll"	Qpcecb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fnnjmbpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Geaepk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mfnoqc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epopbo32.dll"	Bgnffj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jilfifme.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eekgliip.dll"	Cacckp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ibaeen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecpfpo32.dll"	Bpfkpp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ckbemgcp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qobhkjdi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nadleilm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pdhkcb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lgpoihnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ngjkfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nqbpojnp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Opclldhj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chiblk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkodcb32.dll"	Mnhdgpii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njhgbp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ofmdio32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgihjf32.dll"	Dpkmal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgdgna32.dll"	Ipgbdbqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oaifpi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Igfclkdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pmblagmf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qdoacabq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jgbchj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ljqhkckn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Offnhpfo.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2d7f151c673993cf9a726a47c3445990_NeikiAnalytics.exeFfnknafg.exeFmhdkknd.exeFfqhcq32.exeFiodpl32.exeFlmqlg32.exeFefedmil.exeFlpmagqi.exeFnnjmbpm.exeGehbjm32.exeGlbjggof.exeGnqfcbnj.exeGifkpknp.exeGppcmeem.exeGfjkjo32.exeGihgfk32.exeGlgcbf32.exeGbalopbn.exeGikdkj32.exeGpelhd32.exeGbchdp32.exeGeaepk32.exe

description	pid	process	target process
PID 4180 wrote to memory of 3584	4180	2d7f151c673993cf9a726a47c3445990_NeikiAnalytics.exe	Ffnknafg.exe
PID 4180 wrote to memory of 3584	4180	2d7f151c673993cf9a726a47c3445990_NeikiAnalytics.exe	Ffnknafg.exe
PID 4180 wrote to memory of 3584	4180	2d7f151c673993cf9a726a47c3445990_NeikiAnalytics.exe	Ffnknafg.exe
PID 3584 wrote to memory of 2708	3584	Ffnknafg.exe	Fmhdkknd.exe
PID 3584 wrote to memory of 2708	3584	Ffnknafg.exe	Fmhdkknd.exe
PID 3584 wrote to memory of 2708	3584	Ffnknafg.exe	Fmhdkknd.exe
PID 2708 wrote to memory of 4048	2708	Fmhdkknd.exe	Ffqhcq32.exe
PID 2708 wrote to memory of 4048	2708	Fmhdkknd.exe	Ffqhcq32.exe
PID 2708 wrote to memory of 4048	2708	Fmhdkknd.exe	Ffqhcq32.exe
PID 4048 wrote to memory of 736	4048	Ffqhcq32.exe	Fiodpl32.exe
PID 4048 wrote to memory of 736	4048	Ffqhcq32.exe	Fiodpl32.exe
PID 4048 wrote to memory of 736	4048	Ffqhcq32.exe	Fiodpl32.exe
PID 736 wrote to memory of 636	736	Fiodpl32.exe	Flmqlg32.exe
PID 736 wrote to memory of 636	736	Fiodpl32.exe	Flmqlg32.exe
PID 736 wrote to memory of 636	736	Fiodpl32.exe	Flmqlg32.exe
PID 636 wrote to memory of 2232	636	Flmqlg32.exe	Fefedmil.exe
PID 636 wrote to memory of 2232	636	Flmqlg32.exe	Fefedmil.exe
PID 636 wrote to memory of 2232	636	Flmqlg32.exe	Fefedmil.exe
PID 2232 wrote to memory of 1512	2232	Fefedmil.exe	Flpmagqi.exe
PID 2232 wrote to memory of 1512	2232	Fefedmil.exe	Flpmagqi.exe
PID 2232 wrote to memory of 1512	2232	Fefedmil.exe	Flpmagqi.exe
PID 1512 wrote to memory of 4512	1512	Flpmagqi.exe	Fnnjmbpm.exe
PID 1512 wrote to memory of 4512	1512	Flpmagqi.exe	Fnnjmbpm.exe
PID 1512 wrote to memory of 4512	1512	Flpmagqi.exe	Fnnjmbpm.exe
PID 4512 wrote to memory of 4932	4512	Fnnjmbpm.exe	Gehbjm32.exe
PID 4512 wrote to memory of 4932	4512	Fnnjmbpm.exe	Gehbjm32.exe
PID 4512 wrote to memory of 4932	4512	Fnnjmbpm.exe	Gehbjm32.exe
PID 4932 wrote to memory of 4036	4932	Gehbjm32.exe	Glbjggof.exe
PID 4932 wrote to memory of 4036	4932	Gehbjm32.exe	Glbjggof.exe
PID 4932 wrote to memory of 4036	4932	Gehbjm32.exe	Glbjggof.exe
PID 4036 wrote to memory of 964	4036	Glbjggof.exe	Gnqfcbnj.exe
PID 4036 wrote to memory of 964	4036	Glbjggof.exe	Gnqfcbnj.exe
PID 4036 wrote to memory of 964	4036	Glbjggof.exe	Gnqfcbnj.exe
PID 964 wrote to memory of 5056	964	Gnqfcbnj.exe	Gifkpknp.exe
PID 964 wrote to memory of 5056	964	Gnqfcbnj.exe	Gifkpknp.exe
PID 964 wrote to memory of 5056	964	Gnqfcbnj.exe	Gifkpknp.exe
PID 5056 wrote to memory of 1160	5056	Gifkpknp.exe	Gppcmeem.exe
PID 5056 wrote to memory of 1160	5056	Gifkpknp.exe	Gppcmeem.exe
PID 5056 wrote to memory of 1160	5056	Gifkpknp.exe	Gppcmeem.exe
PID 1160 wrote to memory of 3008	1160	Gppcmeem.exe	Gfjkjo32.exe
PID 1160 wrote to memory of 3008	1160	Gppcmeem.exe	Gfjkjo32.exe
PID 1160 wrote to memory of 3008	1160	Gppcmeem.exe	Gfjkjo32.exe
PID 3008 wrote to memory of 4056	3008	Gfjkjo32.exe	Gihgfk32.exe
PID 3008 wrote to memory of 4056	3008	Gfjkjo32.exe	Gihgfk32.exe
PID 3008 wrote to memory of 4056	3008	Gfjkjo32.exe	Gihgfk32.exe
PID 4056 wrote to memory of 4604	4056	Gihgfk32.exe	Glgcbf32.exe
PID 4056 wrote to memory of 4604	4056	Gihgfk32.exe	Glgcbf32.exe
PID 4056 wrote to memory of 4604	4056	Gihgfk32.exe	Glgcbf32.exe
PID 4604 wrote to memory of 2332	4604	Glgcbf32.exe	Gbalopbn.exe
PID 4604 wrote to memory of 2332	4604	Glgcbf32.exe	Gbalopbn.exe
PID 4604 wrote to memory of 2332	4604	Glgcbf32.exe	Gbalopbn.exe
PID 2332 wrote to memory of 4996	2332	Gbalopbn.exe	Gikdkj32.exe
PID 2332 wrote to memory of 4996	2332	Gbalopbn.exe	Gikdkj32.exe
PID 2332 wrote to memory of 4996	2332	Gbalopbn.exe	Gikdkj32.exe
PID 4996 wrote to memory of 3992	4996	Gikdkj32.exe	Gpelhd32.exe
PID 4996 wrote to memory of 3992	4996	Gikdkj32.exe	Gpelhd32.exe
PID 4996 wrote to memory of 3992	4996	Gikdkj32.exe	Gpelhd32.exe
PID 3992 wrote to memory of 5060	3992	Gpelhd32.exe	Gbchdp32.exe
PID 3992 wrote to memory of 5060	3992	Gpelhd32.exe	Gbchdp32.exe
PID 3992 wrote to memory of 5060	3992	Gpelhd32.exe	Gbchdp32.exe
PID 5060 wrote to memory of 4576	5060	Gbchdp32.exe	Geaepk32.exe
PID 5060 wrote to memory of 4576	5060	Gbchdp32.exe	Geaepk32.exe
PID 5060 wrote to memory of 4576	5060	Gbchdp32.exe	Geaepk32.exe
PID 4576 wrote to memory of 1316	4576	Geaepk32.exe	Gojiiafp.exe

C:\Users\Admin\AppData\Local\Temp\2d7f151c673993cf9a726a47c3445990_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\2d7f151c673993cf9a726a47c3445990_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4180

C:\Windows\SysWOW64\Ffnknafg.exe
C:\Windows\system32\Ffnknafg.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3584

C:\Windows\SysWOW64\Fmhdkknd.exe
C:\Windows\system32\Fmhdkknd.exe
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2708

C:\Windows\SysWOW64\Ffqhcq32.exe
C:\Windows\system32\Ffqhcq32.exe
4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4048

C:\Windows\SysWOW64\Fiodpl32.exe
C:\Windows\system32\Fiodpl32.exe
5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:736

C:\Windows\SysWOW64\Flmqlg32.exe
C:\Windows\system32\Flmqlg32.exe
6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:636

C:\Windows\SysWOW64\Fefedmil.exe
C:\Windows\system32\Fefedmil.exe
7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2232

C:\Windows\SysWOW64\Flpmagqi.exe
C:\Windows\system32\Flpmagqi.exe
8⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1512

C:\Windows\SysWOW64\Fnnjmbpm.exe
C:\Windows\system32\Fnnjmbpm.exe
9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4512

C:\Windows\SysWOW64\Gehbjm32.exe
C:\Windows\system32\Gehbjm32.exe
10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4932

C:\Windows\SysWOW64\Glbjggof.exe
C:\Windows\system32\Glbjggof.exe
11⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4036

C:\Windows\SysWOW64\Gnqfcbnj.exe
C:\Windows\system32\Gnqfcbnj.exe
12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:964

C:\Windows\SysWOW64\Gifkpknp.exe
C:\Windows\system32\Gifkpknp.exe
13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5056

C:\Windows\SysWOW64\Gppcmeem.exe
C:\Windows\system32\Gppcmeem.exe
14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1160

C:\Windows\SysWOW64\Gfjkjo32.exe
C:\Windows\system32\Gfjkjo32.exe
15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3008

C:\Windows\SysWOW64\Gihgfk32.exe
C:\Windows\system32\Gihgfk32.exe
16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4056

C:\Windows\SysWOW64\Glgcbf32.exe
C:\Windows\system32\Glgcbf32.exe
17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4604

C:\Windows\SysWOW64\Gbalopbn.exe
C:\Windows\system32\Gbalopbn.exe
18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2332

C:\Windows\SysWOW64\Gikdkj32.exe
C:\Windows\system32\Gikdkj32.exe
19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4996

C:\Windows\SysWOW64\Gpelhd32.exe
C:\Windows\system32\Gpelhd32.exe
20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3992

C:\Windows\SysWOW64\Gbchdp32.exe
C:\Windows\system32\Gbchdp32.exe
21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5060

C:\Windows\SysWOW64\Geaepk32.exe
C:\Windows\system32\Geaepk32.exe
22⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4576

C:\Windows\SysWOW64\Gojiiafp.exe
C:\Windows\system32\Gojiiafp.exe
23⤵
- Executes dropped EXE
PID:1316

C:\Windows\SysWOW64\Hedafk32.exe
C:\Windows\system32\Hedafk32.exe
24⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:832

C:\Windows\SysWOW64\Hlnjbedi.exe
C:\Windows\system32\Hlnjbedi.exe
25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4392

C:\Windows\SysWOW64\Holfoqcm.exe
C:\Windows\system32\Holfoqcm.exe
26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3048

C:\Windows\SysWOW64\Hfcnpn32.exe
C:\Windows\system32\Hfcnpn32.exe
27⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2292

C:\Windows\SysWOW64\Hmmfmhll.exe
C:\Windows\system32\Hmmfmhll.exe
28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:740

C:\Windows\SysWOW64\Hoobdp32.exe
C:\Windows\system32\Hoobdp32.exe
29⤵
- Executes dropped EXE
- Modifies registry class
PID:4836

C:\Windows\SysWOW64\Hbjoeojc.exe
C:\Windows\system32\Hbjoeojc.exe
30⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2924

C:\Windows\SysWOW64\Hidgai32.exe
C:\Windows\system32\Hidgai32.exe
31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:5016

C:\Windows\SysWOW64\Hmpcbhji.exe
C:\Windows\system32\Hmpcbhji.exe
32⤵
- Executes dropped EXE
PID:3244

C:\Windows\SysWOW64\Hblkjo32.exe
C:\Windows\system32\Hblkjo32.exe
33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4956

C:\Windows\SysWOW64\Hifcgion.exe
C:\Windows\system32\Hifcgion.exe
34⤵
- Executes dropped EXE
PID:1912

C:\Windows\SysWOW64\Hoclopne.exe
C:\Windows\system32\Hoclopne.exe
35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4600

C:\Windows\SysWOW64\Hfjdqmng.exe
C:\Windows\system32\Hfjdqmng.exe
36⤵
- Executes dropped EXE
PID:676

C:\Windows\SysWOW64\Hemdlj32.exe
C:\Windows\system32\Hemdlj32.exe
37⤵
- Executes dropped EXE
PID:2900

C:\Windows\SysWOW64\Hpchib32.exe
C:\Windows\system32\Hpchib32.exe
38⤵
- Executes dropped EXE
- Modifies registry class
PID:1840

C:\Windows\SysWOW64\Ibaeen32.exe
C:\Windows\system32\Ibaeen32.exe
39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2352

C:\Windows\SysWOW64\Iepaaico.exe
C:\Windows\system32\Iepaaico.exe
40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4168

C:\Windows\SysWOW64\Iliinc32.exe
C:\Windows\system32\Iliinc32.exe
41⤵
- Executes dropped EXE
PID:5088

C:\Windows\SysWOW64\Ibcaknbi.exe
C:\Windows\system32\Ibcaknbi.exe
42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2160

C:\Windows\SysWOW64\Ifomll32.exe
C:\Windows\system32\Ifomll32.exe
43⤵
- Executes dropped EXE
- Modifies registry class
PID:2824

C:\Windows\SysWOW64\Ipgbdbqb.exe
C:\Windows\system32\Ipgbdbqb.exe
44⤵
- Executes dropped EXE
- Modifies registry class
PID:4848

C:\Windows\SysWOW64\Igajal32.exe
C:\Windows\system32\Igajal32.exe
45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:956

C:\Windows\SysWOW64\Iipfmggc.exe
C:\Windows\system32\Iipfmggc.exe
46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4688

C:\Windows\SysWOW64\Ipjoja32.exe
C:\Windows\system32\Ipjoja32.exe
47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4360

C:\Windows\SysWOW64\Iomoenej.exe
C:\Windows\system32\Iomoenej.exe
48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3744

C:\Windows\SysWOW64\Igdgglfl.exe
C:\Windows\system32\Igdgglfl.exe
49⤵
- Executes dropped EXE
PID:3236

C:\Windows\SysWOW64\Ilqoobdd.exe
C:\Windows\system32\Ilqoobdd.exe
50⤵
- Executes dropped EXE
PID:1548

C:\Windows\SysWOW64\Ioolkncg.exe
C:\Windows\system32\Ioolkncg.exe
51⤵
- Executes dropped EXE
PID:3248

C:\Windows\SysWOW64\Igfclkdj.exe
C:\Windows\system32\Igfclkdj.exe
52⤵
- Executes dropped EXE
- Modifies registry class
PID:2800

C:\Windows\SysWOW64\Iidphgcn.exe
C:\Windows\system32\Iidphgcn.exe
53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2196

C:\Windows\SysWOW64\Ipoheakj.exe
C:\Windows\system32\Ipoheakj.exe
54⤵
- Executes dropped EXE
PID:1924

C:\Windows\SysWOW64\Jcmdaljn.exe
C:\Windows\system32\Jcmdaljn.exe
55⤵
- Executes dropped EXE
PID:320

C:\Windows\SysWOW64\Jiglnf32.exe
C:\Windows\system32\Jiglnf32.exe
56⤵
- Executes dropped EXE
PID:4388

C:\Windows\SysWOW64\Jleijb32.exe
C:\Windows\system32\Jleijb32.exe
57⤵
- Executes dropped EXE
PID:3380

C:\Windows\SysWOW64\Jocefm32.exe
C:\Windows\system32\Jocefm32.exe
58⤵
- Executes dropped EXE
PID:1136

C:\Windows\SysWOW64\Jgkmgk32.exe
C:\Windows\system32\Jgkmgk32.exe
59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2524

C:\Windows\SysWOW64\Jiiicf32.exe
C:\Windows\system32\Jiiicf32.exe
60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2440

C:\Windows\SysWOW64\Jpcapp32.exe
C:\Windows\system32\Jpcapp32.exe
61⤵
- Executes dropped EXE
PID:1536

C:\Windows\SysWOW64\Jofalmmp.exe
C:\Windows\system32\Jofalmmp.exe
62⤵
- Executes dropped EXE
PID:2844

C:\Windows\SysWOW64\Jepjhg32.exe
C:\Windows\system32\Jepjhg32.exe
63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5144

C:\Windows\SysWOW64\Jilfifme.exe
C:\Windows\system32\Jilfifme.exe
64⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:5180

C:\Windows\SysWOW64\Jljbeali.exe
C:\Windows\system32\Jljbeali.exe
65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5228

C:\Windows\SysWOW64\Johnamkm.exe
C:\Windows\system32\Johnamkm.exe
66⤵
PID:5272

C:\Windows\SysWOW64\Jebfng32.exe
C:\Windows\system32\Jebfng32.exe
67⤵
PID:5316

C:\Windows\SysWOW64\Jniood32.exe
C:\Windows\system32\Jniood32.exe
68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5364

C:\Windows\SysWOW64\Jphkkpbp.exe
C:\Windows\system32\Jphkkpbp.exe
69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5404

C:\Windows\SysWOW64\Jgbchj32.exe
C:\Windows\system32\Jgbchj32.exe
70⤵
- Modifies registry class
PID:5440

C:\Windows\SysWOW64\Jjpode32.exe
C:\Windows\system32\Jjpode32.exe
71⤵
PID:5484

C:\Windows\SysWOW64\Jlolpq32.exe
C:\Windows\system32\Jlolpq32.exe
72⤵
PID:5528

C:\Windows\SysWOW64\Kcidmkpq.exe
C:\Windows\system32\Kcidmkpq.exe
73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5568

C:\Windows\SysWOW64\Kegpifod.exe
C:\Windows\system32\Kegpifod.exe
74⤵
PID:5616

C:\Windows\SysWOW64\Knnhjcog.exe
C:\Windows\system32\Knnhjcog.exe
75⤵
PID:5656

C:\Windows\SysWOW64\Kpmdfonj.exe
C:\Windows\system32\Kpmdfonj.exe
76⤵
PID:5692

C:\Windows\SysWOW64\Kckqbj32.exe
C:\Windows\system32\Kckqbj32.exe
77⤵
PID:5736

C:\Windows\SysWOW64\Keimof32.exe
C:\Windows\system32\Keimof32.exe
78⤵
PID:5784

C:\Windows\SysWOW64\Knqepc32.exe
C:\Windows\system32\Knqepc32.exe
79⤵
PID:5828

C:\Windows\SysWOW64\Koaagkcb.exe
C:\Windows\system32\Koaagkcb.exe
80⤵
PID:5876

C:\Windows\SysWOW64\Kgiiiidd.exe
C:\Windows\system32\Kgiiiidd.exe
81⤵
PID:5924

C:\Windows\SysWOW64\Kncaec32.exe
C:\Windows\system32\Kncaec32.exe
82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5976

C:\Windows\SysWOW64\Kgkfnh32.exe
C:\Windows\system32\Kgkfnh32.exe
83⤵
- Drops file in System32 directory
PID:6048

C:\Windows\SysWOW64\Kjjbjd32.exe
C:\Windows\system32\Kjjbjd32.exe
84⤵
- Drops file in System32 directory
PID:6112

C:\Windows\SysWOW64\Klhnfo32.exe
C:\Windows\system32\Klhnfo32.exe
85⤵
PID:5132

C:\Windows\SysWOW64\Kcbfcigf.exe
C:\Windows\system32\Kcbfcigf.exe
86⤵
PID:5192

C:\Windows\SysWOW64\Kgnbdh32.exe
C:\Windows\system32\Kgnbdh32.exe
87⤵
PID:5292

C:\Windows\SysWOW64\Kngkqbgl.exe
C:\Windows\system32\Kngkqbgl.exe
88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5388

C:\Windows\SysWOW64\Lgpoihnl.exe
C:\Windows\system32\Lgpoihnl.exe
89⤵
- Modifies registry class
PID:5552

C:\Windows\SysWOW64\Lfbped32.exe
C:\Windows\system32\Lfbped32.exe
90⤵
PID:5680

C:\Windows\SysWOW64\Ljnlecmp.exe
C:\Windows\system32\Ljnlecmp.exe
91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5768

C:\Windows\SysWOW64\Llmhaold.exe
C:\Windows\system32\Llmhaold.exe
92⤵
- Drops file in System32 directory
PID:5852

C:\Windows\SysWOW64\Lqhdbm32.exe
C:\Windows\system32\Lqhdbm32.exe
93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5912

C:\Windows\SysWOW64\Lcgpni32.exe
C:\Windows\system32\Lcgpni32.exe
94⤵
PID:6032

C:\Windows\SysWOW64\Lgbloglj.exe
C:\Windows\system32\Lgbloglj.exe
95⤵
PID:5136

C:\Windows\SysWOW64\Ljqhkckn.exe
C:\Windows\system32\Ljqhkckn.exe
96⤵
- Modifies registry class
PID:5304

C:\Windows\SysWOW64\Llodgnja.exe
C:\Windows\system32\Llodgnja.exe
97⤵
PID:5372

C:\Windows\SysWOW64\Lqkqhm32.exe
C:\Windows\system32\Lqkqhm32.exe
98⤵
PID:5676

C:\Windows\SysWOW64\Lcimdh32.exe
C:\Windows\system32\Lcimdh32.exe
99⤵
- Drops file in System32 directory
PID:5816

C:\Windows\SysWOW64\Lfgipd32.exe
C:\Windows\system32\Lfgipd32.exe
100⤵
- Modifies registry class
PID:5964

C:\Windows\SysWOW64\Lnoaaaad.exe
C:\Windows\system32\Lnoaaaad.exe
101⤵
PID:6084

C:\Windows\SysWOW64\Lqmmmmph.exe
C:\Windows\system32\Lqmmmmph.exe
102⤵
PID:5220

C:\Windows\SysWOW64\Lopmii32.exe
C:\Windows\system32\Lopmii32.exe
103⤵
- Modifies registry class
PID:5644

C:\Windows\SysWOW64\Ljeafb32.exe
C:\Windows\system32\Ljeafb32.exe
104⤵
PID:5804

C:\Windows\SysWOW64\Lmdnbn32.exe
C:\Windows\system32\Lmdnbn32.exe
105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5992

C:\Windows\SysWOW64\Lqojclne.exe
C:\Windows\system32\Lqojclne.exe
106⤵
- Drops file in System32 directory
PID:5268

C:\Windows\SysWOW64\Lcnfohmi.exe
C:\Windows\system32\Lcnfohmi.exe
107⤵
- Drops file in System32 directory
PID:5712

C:\Windows\SysWOW64\Lgibpf32.exe
C:\Windows\system32\Lgibpf32.exe
108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5260

C:\Windows\SysWOW64\Lncjlq32.exe
C:\Windows\system32\Lncjlq32.exe
109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5896

C:\Windows\SysWOW64\Mqafhl32.exe
C:\Windows\system32\Mqafhl32.exe
110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5812

C:\Windows\SysWOW64\Mcpcdg32.exe
C:\Windows\system32\Mcpcdg32.exe
111⤵
- Drops file in System32 directory
PID:5744

C:\Windows\SysWOW64\Mfnoqc32.exe
C:\Windows\system32\Mfnoqc32.exe
112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:6164

C:\Windows\SysWOW64\Mnegbp32.exe
C:\Windows\system32\Mnegbp32.exe
113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6208

C:\Windows\SysWOW64\Mmhgmmbf.exe
C:\Windows\system32\Mmhgmmbf.exe
114⤵
PID:6252

C:\Windows\SysWOW64\Mogcihaj.exe
C:\Windows\system32\Mogcihaj.exe
115⤵
PID:6296

C:\Windows\SysWOW64\Mfqlfb32.exe
C:\Windows\system32\Mfqlfb32.exe
116⤵
PID:6340

C:\Windows\SysWOW64\Mjlhgaqp.exe
C:\Windows\system32\Mjlhgaqp.exe
117⤵
PID:6376

C:\Windows\SysWOW64\Mnhdgpii.exe
C:\Windows\system32\Mnhdgpii.exe
118⤵
- Modifies registry class
PID:6424

C:\Windows\SysWOW64\Mqfpckhm.exe
C:\Windows\system32\Mqfpckhm.exe
119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6464

C:\Windows\SysWOW64\Mcelpggq.exe
C:\Windows\system32\Mcelpggq.exe
120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6512

C:\Windows\SysWOW64\Mfchlbfd.exe
C:\Windows\system32\Mfchlbfd.exe
121⤵
PID:6556

C:\Windows\SysWOW64\Mnjqmpgg.exe
C:\Windows\system32\Mnjqmpgg.exe
122⤵
- Drops file in System32 directory
- Modifies registry class
PID:6596

C:\Windows\SysWOW64\Mqimikfj.exe
C:\Windows\system32\Mqimikfj.exe
123⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6644

C:\Windows\SysWOW64\Mcgiefen.exe
C:\Windows\system32\Mcgiefen.exe
124⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6688

C:\Windows\SysWOW64\Mjaabq32.exe
C:\Windows\system32\Mjaabq32.exe
125⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:6728

C:\Windows\SysWOW64\Mmpmnl32.exe
C:\Windows\system32\Mmpmnl32.exe
126⤵
- Modifies registry class
PID:6772

C:\Windows\SysWOW64\Mcifkf32.exe
C:\Windows\system32\Mcifkf32.exe
127⤵
PID:6820

C:\Windows\SysWOW64\Mfhbga32.exe
C:\Windows\system32\Mfhbga32.exe
128⤵
PID:6864

C:\Windows\SysWOW64\Nmbjcljl.exe
C:\Windows\system32\Nmbjcljl.exe
129⤵
PID:6916

C:\Windows\SysWOW64\Nfjola32.exe
C:\Windows\system32\Nfjola32.exe
130⤵
PID:6960

C:\Windows\SysWOW64\Nnafno32.exe
C:\Windows\system32\Nnafno32.exe
131⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7004

C:\Windows\SysWOW64\Ncnofeof.exe
C:\Windows\system32\Ncnofeof.exe
132⤵
PID:7044

C:\Windows\SysWOW64\Ngjkfd32.exe
C:\Windows\system32\Ngjkfd32.exe
133⤵
- Modifies registry class
PID:7088

C:\Windows\SysWOW64\Njhgbp32.exe
C:\Windows\system32\Njhgbp32.exe
134⤵
- Drops file in System32 directory
- Modifies registry class
PID:7128

C:\Windows\SysWOW64\Nncccnol.exe
C:\Windows\system32\Nncccnol.exe
135⤵
PID:5168

C:\Windows\SysWOW64\Nqbpojnp.exe
C:\Windows\system32\Nqbpojnp.exe
136⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:6200

C:\Windows\SysWOW64\Nglhld32.exe
C:\Windows\system32\Nglhld32.exe
137⤵
PID:6288

C:\Windows\SysWOW64\Njjdho32.exe
C:\Windows\system32\Njjdho32.exe
138⤵
PID:6348

C:\Windows\SysWOW64\Nnfpinmi.exe
C:\Windows\system32\Nnfpinmi.exe
139⤵
PID:6412

C:\Windows\SysWOW64\Nadleilm.exe
C:\Windows\system32\Nadleilm.exe
140⤵
- Modifies registry class
PID:6476

C:\Windows\SysWOW64\Ncchae32.exe
C:\Windows\system32\Ncchae32.exe
141⤵
PID:6548

C:\Windows\SysWOW64\Ngndaccj.exe
C:\Windows\system32\Ngndaccj.exe
142⤵
PID:6612

C:\Windows\SysWOW64\Njmqnobn.exe
C:\Windows\system32\Njmqnobn.exe
143⤵
- Drops file in System32 directory
PID:6672

C:\Windows\SysWOW64\Nnhmnn32.exe
C:\Windows\system32\Nnhmnn32.exe
144⤵
- Drops file in System32 directory
PID:6768

C:\Windows\SysWOW64\Nmkmjjaa.exe
C:\Windows\system32\Nmkmjjaa.exe
145⤵
PID:6816

C:\Windows\SysWOW64\Npiiffqe.exe
C:\Windows\system32\Npiiffqe.exe
146⤵
PID:6900

C:\Windows\SysWOW64\Ngqagcag.exe
C:\Windows\system32\Ngqagcag.exe
147⤵
- Drops file in System32 directory
PID:6952

C:\Windows\SysWOW64\Ojomcopk.exe
C:\Windows\system32\Ojomcopk.exe
148⤵
PID:7040

C:\Windows\SysWOW64\Onkidm32.exe
C:\Windows\system32\Onkidm32.exe
149⤵
- Drops file in System32 directory
- Modifies registry class
PID:7136

C:\Windows\SysWOW64\Oaifpi32.exe
C:\Windows\system32\Oaifpi32.exe
150⤵
- Modifies registry class
PID:7152

C:\Windows\SysWOW64\Ocgbld32.exe
C:\Windows\system32\Ocgbld32.exe
151⤵
- Drops file in System32 directory
PID:6240

C:\Windows\SysWOW64\Offnhpfo.exe
C:\Windows\system32\Offnhpfo.exe
152⤵
- Modifies registry class
PID:6356

C:\Windows\SysWOW64\Onmfimga.exe
C:\Windows\system32\Onmfimga.exe
153⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:6456

C:\Windows\SysWOW64\Oakbehfe.exe
C:\Windows\system32\Oakbehfe.exe
154⤵
PID:6664

C:\Windows\SysWOW64\Ocjoadei.exe
C:\Windows\system32\Ocjoadei.exe
155⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:6784

C:\Windows\SysWOW64\Ogekbb32.exe
C:\Windows\system32\Ogekbb32.exe
156⤵
PID:6872

C:\Windows\SysWOW64\Ojdgnn32.exe
C:\Windows\system32\Ojdgnn32.exe
157⤵
- Modifies registry class
PID:6980

C:\Windows\SysWOW64\Onocomdo.exe
C:\Windows\system32\Onocomdo.exe
158⤵
PID:7096

C:\Windows\SysWOW64\Oanokhdb.exe
C:\Windows\system32\Oanokhdb.exe
159⤵
PID:6152

C:\Windows\SysWOW64\Opqofe32.exe
C:\Windows\system32\Opqofe32.exe
160⤵
- Modifies registry class
PID:6336

C:\Windows\SysWOW64\Oghghb32.exe
C:\Windows\system32\Oghghb32.exe
161⤵
PID:6640

C:\Windows\SysWOW64\Ofkgcobj.exe
C:\Windows\system32\Ofkgcobj.exe
162⤵
PID:3304

C:\Windows\SysWOW64\Ojfcdnjc.exe
C:\Windows\system32\Ojfcdnjc.exe
163⤵
PID:6944

C:\Windows\SysWOW64\Omdppiif.exe
C:\Windows\system32\Omdppiif.exe
164⤵
PID:7120

C:\Windows\SysWOW64\Opclldhj.exe
C:\Windows\system32\Opclldhj.exe
165⤵
- Modifies registry class
PID:6500

C:\Windows\SysWOW64\Ocohmc32.exe
C:\Windows\system32\Ocohmc32.exe
166⤵
- Modifies registry class
PID:6804

C:\Windows\SysWOW64\Ofmdio32.exe
C:\Windows\system32\Ofmdio32.exe
167⤵
- Modifies registry class
PID:7012

C:\Windows\SysWOW64\Ondljl32.exe
C:\Windows\system32\Ondljl32.exe
168⤵
PID:6328

C:\Windows\SysWOW64\Oabhfg32.exe
C:\Windows\system32\Oabhfg32.exe
169⤵
PID:6716

C:\Windows\SysWOW64\Ohlqcagj.exe
C:\Windows\system32\Ohlqcagj.exe
170⤵
- Modifies registry class
PID:6736

C:\Windows\SysWOW64\Pnfiplog.exe
C:\Windows\system32\Pnfiplog.exe
171⤵
PID:7080

C:\Windows\SysWOW64\Pmiikh32.exe
C:\Windows\system32\Pmiikh32.exe
172⤵
PID:6972

C:\Windows\SysWOW64\Ppgegd32.exe
C:\Windows\system32\Ppgegd32.exe
173⤵
PID:7204

C:\Windows\SysWOW64\Phonha32.exe
C:\Windows\system32\Phonha32.exe
174⤵
PID:7252

C:\Windows\SysWOW64\Pjmjdm32.exe
C:\Windows\system32\Pjmjdm32.exe
175⤵
PID:7308

C:\Windows\SysWOW64\Pmlfqh32.exe
C:\Windows\system32\Pmlfqh32.exe
176⤵
PID:7364

C:\Windows\SysWOW64\Ppjbmc32.exe
C:\Windows\system32\Ppjbmc32.exe
177⤵
PID:7420

C:\Windows\SysWOW64\Pdenmbkk.exe
C:\Windows\system32\Pdenmbkk.exe
178⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:7464

C:\Windows\SysWOW64\Phajna32.exe
C:\Windows\system32\Phajna32.exe
179⤵
PID:7508

C:\Windows\SysWOW64\Pjpfjl32.exe
C:\Windows\system32\Pjpfjl32.exe
180⤵
PID:7564

C:\Windows\SysWOW64\Pnkbkk32.exe
C:\Windows\system32\Pnkbkk32.exe
181⤵
PID:7604

C:\Windows\SysWOW64\Pmnbfhal.exe
C:\Windows\system32\Pmnbfhal.exe
182⤵
PID:7644

C:\Windows\SysWOW64\Pplobcpp.exe
C:\Windows\system32\Pplobcpp.exe
183⤵
PID:7688

C:\Windows\SysWOW64\Pdhkcb32.exe
C:\Windows\system32\Pdhkcb32.exe
184⤵
- Modifies registry class
PID:7724

C:\Windows\SysWOW64\Pffgom32.exe
C:\Windows\system32\Pffgom32.exe
185⤵
- Drops file in System32 directory
PID:7776

C:\Windows\SysWOW64\Pjbcplpe.exe
C:\Windows\system32\Pjbcplpe.exe
186⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:7840

C:\Windows\SysWOW64\Pmpolgoi.exe
C:\Windows\system32\Pmpolgoi.exe
187⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:7892

C:\Windows\SysWOW64\Ppolhcnm.exe
C:\Windows\system32\Ppolhcnm.exe
188⤵
PID:7940

C:\Windows\SysWOW64\Pdjgha32.exe
C:\Windows\system32\Pdjgha32.exe
189⤵
PID:7992

C:\Windows\SysWOW64\Pfiddm32.exe
C:\Windows\system32\Pfiddm32.exe
190⤵
PID:8032

C:\Windows\SysWOW64\Pjdpelnc.exe
C:\Windows\system32\Pjdpelnc.exe
191⤵
PID:8072

C:\Windows\SysWOW64\Pmblagmf.exe
C:\Windows\system32\Pmblagmf.exe
192⤵
- Modifies registry class
PID:8112

C:\Windows\SysWOW64\Pdmdnadc.exe
C:\Windows\system32\Pdmdnadc.exe
193⤵
PID:8160

C:\Windows\SysWOW64\Qhhpop32.exe
C:\Windows\system32\Qhhpop32.exe
194⤵
- Drops file in System32 directory
PID:6632

C:\Windows\SysWOW64\Qobhkjdi.exe
C:\Windows\system32\Qobhkjdi.exe
195⤵
- Modifies registry class
PID:7236

C:\Windows\SysWOW64\Qmeigg32.exe
C:\Windows\system32\Qmeigg32.exe
196⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:7316

C:\Windows\SysWOW64\Qpcecb32.exe
C:\Windows\system32\Qpcecb32.exe
197⤵
- Modifies registry class
PID:7412

C:\Windows\SysWOW64\Qdoacabq.exe
C:\Windows\system32\Qdoacabq.exe
198⤵
- Modifies registry class
PID:7496

C:\Windows\SysWOW64\Qfmmplad.exe
C:\Windows\system32\Qfmmplad.exe
199⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7532

C:\Windows\SysWOW64\Qjiipk32.exe
C:\Windows\system32\Qjiipk32.exe
200⤵
PID:7632

C:\Windows\SysWOW64\Qmgelf32.exe
C:\Windows\system32\Qmgelf32.exe
201⤵
PID:7704

C:\Windows\SysWOW64\Qacameaj.exe
C:\Windows\system32\Qacameaj.exe
202⤵
PID:7768

C:\Windows\SysWOW64\Qdaniq32.exe
C:\Windows\system32\Qdaniq32.exe
203⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7824

C:\Windows\SysWOW64\Afpjel32.exe
C:\Windows\system32\Afpjel32.exe
204⤵
PID:7928

C:\Windows\SysWOW64\Akkffkhk.exe
C:\Windows\system32\Akkffkhk.exe
205⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:8028

C:\Windows\SysWOW64\Amjbbfgo.exe
C:\Windows\system32\Amjbbfgo.exe
206⤵
PID:8064

C:\Windows\SysWOW64\Aaenbd32.exe
C:\Windows\system32\Aaenbd32.exe
207⤵
- Drops file in System32 directory
PID:8152

C:\Windows\SysWOW64\Adcjop32.exe
C:\Windows\system32\Adcjop32.exe
208⤵
PID:6264

C:\Windows\SysWOW64\Ahofoogd.exe
C:\Windows\system32\Ahofoogd.exe
209⤵
PID:7296

C:\Windows\SysWOW64\Afbgkl32.exe
C:\Windows\system32\Afbgkl32.exe
210⤵
- Drops file in System32 directory
- Modifies registry class
PID:7444

C:\Windows\SysWOW64\Aoioli32.exe
C:\Windows\system32\Aoioli32.exe
211⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:7592

C:\Windows\SysWOW64\Aagkhd32.exe
C:\Windows\system32\Aagkhd32.exe
212⤵
- Drops file in System32 directory
PID:7676

C:\Windows\SysWOW64\Apjkcadp.exe
C:\Windows\system32\Apjkcadp.exe
213⤵
PID:7800

C:\Windows\SysWOW64\Ahaceo32.exe
C:\Windows\system32\Ahaceo32.exe
214⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7936

C:\Windows\SysWOW64\Akpoaj32.exe
C:\Windows\system32\Akpoaj32.exe
215⤵
PID:8068

C:\Windows\SysWOW64\Aokkahlo.exe
C:\Windows\system32\Aokkahlo.exe
216⤵
PID:8148

C:\Windows\SysWOW64\Aajhndkb.exe
C:\Windows\system32\Aajhndkb.exe
217⤵
- Drops file in System32 directory
- Modifies registry class
PID:7304

C:\Windows\SysWOW64\Apmhiq32.exe
C:\Windows\system32\Apmhiq32.exe
218⤵
PID:7552

C:\Windows\SysWOW64\Ahdpjn32.exe
C:\Windows\system32\Ahdpjn32.exe
219⤵
PID:7696

C:\Windows\SysWOW64\Aonhghjl.exe
C:\Windows\system32\Aonhghjl.exe
220⤵
PID:7820

C:\Windows\SysWOW64\Amqhbe32.exe
C:\Windows\system32\Amqhbe32.exe
221⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:8084

C:\Windows\SysWOW64\Apodoq32.exe
C:\Windows\system32\Apodoq32.exe
222⤵
PID:7264

C:\Windows\SysWOW64\Ahfmpnql.exe
C:\Windows\system32\Ahfmpnql.exe
223⤵
- Drops file in System32 directory
PID:7640

C:\Windows\SysWOW64\Agimkk32.exe
C:\Windows\system32\Agimkk32.exe
224⤵
- Modifies registry class
PID:7956

C:\Windows\SysWOW64\Amcehdod.exe
C:\Windows\system32\Amcehdod.exe
225⤵
PID:7196

C:\Windows\SysWOW64\Aaoaic32.exe
C:\Windows\system32\Aaoaic32.exe
226⤵
PID:7968

C:\Windows\SysWOW64\Bdmmeo32.exe
C:\Windows\system32\Bdmmeo32.exe
227⤵
- Drops file in System32 directory
PID:7188

C:\Windows\SysWOW64\Bgkiaj32.exe
C:\Windows\system32\Bgkiaj32.exe
228⤵
PID:7348

C:\Windows\SysWOW64\Bobabg32.exe
C:\Windows\system32\Bobabg32.exe
229⤵
PID:8196

C:\Windows\SysWOW64\Bmeandma.exe
C:\Windows\system32\Bmeandma.exe
230⤵
PID:8236

C:\Windows\SysWOW64\Bpdnjple.exe
C:\Windows\system32\Bpdnjple.exe
231⤵
PID:8284

C:\Windows\SysWOW64\Bhkfkmmg.exe
C:\Windows\system32\Bhkfkmmg.exe
232⤵
PID:8328

C:\Windows\SysWOW64\Bgnffj32.exe
C:\Windows\system32\Bgnffj32.exe
233⤵
- Modifies registry class
PID:8368

C:\Windows\SysWOW64\Boenhgdd.exe
C:\Windows\system32\Boenhgdd.exe
234⤵
PID:8412

C:\Windows\SysWOW64\Bacjdbch.exe
C:\Windows\system32\Bacjdbch.exe
235⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:8452

C:\Windows\SysWOW64\Bpfkpp32.exe
C:\Windows\system32\Bpfkpp32.exe
236⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:8492

C:\Windows\SysWOW64\Bgpcliao.exe
C:\Windows\system32\Bgpcliao.exe
237⤵
PID:8536

C:\Windows\SysWOW64\Bogkmgba.exe
C:\Windows\system32\Bogkmgba.exe
238⤵
PID:8584

C:\Windows\SysWOW64\Bphgeo32.exe
C:\Windows\system32\Bphgeo32.exe
239⤵
PID:8624

C:\Windows\SysWOW64\Bhpofl32.exe
C:\Windows\system32\Bhpofl32.exe
240⤵
PID:8668

C:\Windows\SysWOW64\Bknlbhhe.exe
C:\Windows\system32\Bknlbhhe.exe
241⤵
PID:8704

C:\Windows\SysWOW64\Bnlhncgi.exe
C:\Windows\system32\Bnlhncgi.exe
242⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:8752

C:\Windows\SysWOW64\Bpkdjofm.exe
C:\Windows\system32\Bpkdjofm.exe
243⤵
PID:8788

C:\Windows\SysWOW64\Bdfpkm32.exe
C:\Windows\system32\Bdfpkm32.exe
244⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:8828

C:\Windows\SysWOW64\Bgelgi32.exe
C:\Windows\system32\Bgelgi32.exe
245⤵
PID:8868

C:\Windows\SysWOW64\Boldhf32.exe
C:\Windows\system32\Boldhf32.exe
246⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:8912

C:\Windows\SysWOW64\Bajqda32.exe
C:\Windows\system32\Bajqda32.exe
247⤵
- Modifies registry class
PID:8956

C:\Windows\SysWOW64\Cdimqm32.exe
C:\Windows\system32\Cdimqm32.exe
248⤵
PID:9000

C:\Windows\SysWOW64\Chdialdl.exe
C:\Windows\system32\Chdialdl.exe
249⤵
PID:9040

C:\Windows\SysWOW64\Ckbemgcp.exe
C:\Windows\system32\Ckbemgcp.exe
250⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:9092

C:\Windows\SysWOW64\Conanfli.exe
C:\Windows\system32\Conanfli.exe
251⤵
- Drops file in System32 directory
PID:9136

C:\Windows\SysWOW64\Cammjakm.exe
C:\Windows\system32\Cammjakm.exe
252⤵
- Drops file in System32 directory
PID:9172

C:\Windows\SysWOW64\Cponen32.exe
C:\Windows\system32\Cponen32.exe
253⤵
PID:9212

C:\Windows\SysWOW64\Chfegk32.exe
C:\Windows\system32\Chfegk32.exe
254⤵
- Drops file in System32 directory
- Modifies registry class
PID:8224

C:\Windows\SysWOW64\Ckebcg32.exe
C:\Windows\system32\Ckebcg32.exe
255⤵
PID:8296

C:\Windows\SysWOW64\Coqncejg.exe
C:\Windows\system32\Coqncejg.exe
256⤵
PID:8352

C:\Windows\SysWOW64\Caojpaij.exe
C:\Windows\system32\Caojpaij.exe
257⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:8440

C:\Windows\SysWOW64\Cpbjkn32.exe
C:\Windows\system32\Cpbjkn32.exe
258⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:8476

C:\Windows\SysWOW64\Chiblk32.exe
C:\Windows\system32\Chiblk32.exe
259⤵
- Modifies registry class
PID:8580

C:\Windows\SysWOW64\Cglbhhga.exe
C:\Windows\system32\Cglbhhga.exe
260⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:8652

C:\Windows\SysWOW64\Ckgohf32.exe
C:\Windows\system32\Ckgohf32.exe
261⤵
PID:8728

C:\Windows\SysWOW64\Caageq32.exe
C:\Windows\system32\Caageq32.exe
262⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:8780

C:\Windows\SysWOW64\Cpdgqmnb.exe
C:\Windows\system32\Cpdgqmnb.exe
263⤵
PID:8876

C:\Windows\SysWOW64\Chkobkod.exe
C:\Windows\system32\Chkobkod.exe
264⤵
- Drops file in System32 directory
- Modifies registry class
PID:8920

C:\Windows\SysWOW64\Cgnomg32.exe
C:\Windows\system32\Cgnomg32.exe
265⤵
PID:8984

C:\Windows\SysWOW64\Coegoe32.exe
C:\Windows\system32\Coegoe32.exe
266⤵
PID:9056

C:\Windows\SysWOW64\Cacckp32.exe
C:\Windows\system32\Cacckp32.exe
267⤵
- Modifies registry class
PID:9104

C:\Windows\SysWOW64\Cdbpgl32.exe
C:\Windows\system32\Cdbpgl32.exe
268⤵
PID:9180

C:\Windows\SysWOW64\Chnlgjlb.exe
C:\Windows\system32\Chnlgjlb.exe
269⤵
- Drops file in System32 directory
- Modifies registry class
PID:8204

C:\Windows\SysWOW64\Cogddd32.exe
C:\Windows\system32\Cogddd32.exe
270⤵
PID:8344

C:\Windows\SysWOW64\Dafppp32.exe
C:\Windows\system32\Dafppp32.exe
271⤵
- Drops file in System32 directory
PID:8460

C:\Windows\SysWOW64\Dddllkbf.exe
C:\Windows\system32\Dddllkbf.exe
272⤵
PID:8568

C:\Windows\SysWOW64\Dgcihgaj.exe
C:\Windows\system32\Dgcihgaj.exe
273⤵
PID:8660

C:\Windows\SysWOW64\Dojqjdbl.exe
C:\Windows\system32\Dojqjdbl.exe
274⤵
- Drops file in System32 directory
PID:8772

C:\Windows\SysWOW64\Dahmfpap.exe
C:\Windows\system32\Dahmfpap.exe
275⤵
- Modifies registry class
PID:8900

C:\Windows\SysWOW64\Dpkmal32.exe
C:\Windows\system32\Dpkmal32.exe
276⤵
- Modifies registry class
PID:8996

C:\Windows\SysWOW64\Dhbebj32.exe
C:\Windows\system32\Dhbebj32.exe
277⤵
- Drops file in System32 directory
PID:9100

C:\Windows\SysWOW64\Dkqaoe32.exe
C:\Windows\system32\Dkqaoe32.exe
278⤵
PID:9196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 9196 -s 420
279⤵
- Program crash
PID:8596

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3404,i,1999448010053300448,1112699187621658374,262144 --variations-seed-version --mojo-platform-channel-handle=4624 /prefetch:8
1⤵
PID:6332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 9196 -ip 9196
1⤵
PID:8420

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aaoaic32.exe
Filesize
109KB

MD5
265e8cc4945b424dc547c34c100775a7

SHA1
c79a8aaed2894ec069f45f238e01fdac3bfeefae

SHA256
942658167682f4bcadbd1ef1e667eb278897cfece91f273491d522ff63d36b03

SHA512
3f37b1af823f3f6e3380da2b68f51003dc7308f1027ccbb3b09f3b30b192389c2739e03a208332e6a9ee71d9e928bfaeb03463ab807096a0313764a511dce758

Download Submit
C:\Windows\SysWOW64\Ahdpjn32.exe
Filesize
109KB

MD5
a679bc2d5c129a88efe21c28021e35d2

SHA1
9e7f0162ac207d8cfa42f12d45bcd5e2f0ed9ea8

SHA256
8e5ad8c452132762b634dd19750915e0b5c94c2fa004f9aab3c0b59e071193fc

SHA512
19bcb688fa910f7218700826c6b018b97244af85347a390caae258e4e28a4271189f9172f51ad13c9b68f3ee6fd3d768b087cef844d2c01a122ea1fcb1bc1b3b

Download Submit
C:\Windows\SysWOW64\Bhpofl32.exe
Filesize
109KB

MD5
50fe789b62e567f5cb4b9af2b608b912

SHA1
c19640482ddfe05d07727c20e5fa14fb9cd599f5

SHA256
ed103721212a90564e970efd2de3f781cb1efe2dbfa7fb5c39df70feefa4bda3

SHA512
0e0f34f8da1966f9e9c7f482dd31d288c782b8195863236733163a879d0f873f046121bf36c8c1e8bfaa79de06f414fb8876d4545f05d96acefd065765c07c46

Download Submit
C:\Windows\SysWOW64\Cogddd32.exe
Filesize
109KB

MD5
50ddcb1f86c9dec7fa02934565c0df32

SHA1
e9fc05f5f4fb63f9bda8fdbffc30ef2fbc1524a2

SHA256
a168302b6c93a175ddc531545f0e45ba002d758e7e9a9c9954eef74619d84cdc

SHA512
991db476005f946fdbc2b182de9f4d38201ef1da222f38cc849d20ca03433b72053bd8cd71c8037edb82437740df8301f8b6ecd8b65a117f58d8ceca3e4fcb8c

Download Submit
C:\Windows\SysWOW64\Fefedmil.exe
Filesize
109KB

MD5
1554fc7a3f72ff18f8bb9f0484f7d462

SHA1
28684a7c0af1f29f91292c688ae34b1a1ca4ad11

SHA256
eb5d870786fc1764ef1d35ee26dcbc0b991d6722fbde672e17ac1fe4f9c8d788

SHA512
18ed8d8f2b53c1f7a8fd5c63172a01204973dd146aceed28f0b3acfafe8d0111890e82c001114f790935e64967ea1186fa9f739f5f4138af9b69ecbcffee637d

Download Submit
C:\Windows\SysWOW64\Ffnknafg.exe
Filesize
109KB

MD5
4b4cc1ce7987a43fc6bf46ba35035c95

SHA1
fc436b4db468ff465da3cb72c18f5a97e2fc722e

SHA256
2504e8161e82b77cc8ad0ec428e0f237fc67532ee059c28972498225e71a37d8

SHA512
577c13a4e171aeb0ffd74c11ebda87539a7f3ecb116fefee8b1eb29364445968722efd40d8176c071bcc4970883385deda06ac11ee479433503bde10a043a454

Download Submit
C:\Windows\SysWOW64\Ffqhcq32.exe
Filesize
109KB

MD5
fd64454a14cb5c0d86b6637cc02ef63e

SHA1
8287b7c2b4e83b182d145ca0286259d6cf5e8607

SHA256
41888a4fa08fde13dfbe3ea7113f2768398e992377009582b3b40262b5ce3b1e

SHA512
0218de38c130cb270854c333364b0afa7b84befc124422b8748d0fbce0fe898a9eedae526cf8a0405b90a05f2b3a919d79611f2974df03c10fc89179c99ca810

Download Submit
C:\Windows\SysWOW64\Fiodpl32.exe
Filesize
109KB

MD5
63530b78e29123d0804d9db9e4a30abc

SHA1
626d56a5db18716b19131790d110545ef829bb56

SHA256
64cbaeac19b5684a549eb8c176352577734a7da8b4b29eaa019496b1fb3ea328

SHA512
bf66b1530e8c619a5beda57331c94f29b2b895c79647835fa21ae7dfbe83337cf2da083234617ecac58b8867a47fe9c1472185c8620f1b07fc012285a32a347e

Download Submit
C:\Windows\SysWOW64\Flmqlg32.exe
Filesize
109KB

MD5
f92f45e74d5809ff1c0f3a79d9096ddc

SHA1
9cf821cdab4444e4559081f68440af47bb569fe3

SHA256
a58f91bcaad16e345af5bf35b51f72ae25cc838e96a3fbbf9c4b840fe462f423

SHA512
1442a4e3ba7f7f5e8664e9c97f8e571c980a0caf0bfab3295bd4cb77270da9b4da1c2e558f3a66c2072992aab18debfb306d24e9fc3d48ca4328a738859a1da8

Download Submit
C:\Windows\SysWOW64\Flpmagqi.exe
Filesize
109KB

MD5
d85824a5bcb37fb515877c45d8d0f3e0

SHA1
c1bb03351336df06001b109952dd3aabb006a4d7

SHA256
007a3918676e72218d283ee2497401d92e677dcef314458d90ad565b80e50df3

SHA512
ddfc9b70f666d71f2c49644a91d49330e2bde566de4a733a7308863bd11071342e8f0bfd4aec206bd2173f2a2b400562a17dcb2b2da7828ac378cfef3f4cc7f3

Download Submit
C:\Windows\SysWOW64\Fmhdkknd.exe
Filesize
109KB

MD5
6cf80b9c8f0173446ceaeaa6fd516886

SHA1
5303051206f57527270b39dc1780e2b80ff71760

SHA256
61798e547775a327e5ec73a0c6c0fff012b83a2d8209d913cea166e224ed042c

SHA512
e6150cfb8406e378946c47e6d2540a35343dc1f67d1e0966bca159521fa5831225ad48181861f07e25daf4c50d3c28b019c87ce2e38e86dd93cd474b8f50a4f4

Download Submit
C:\Windows\SysWOW64\Fnnjmbpm.exe
Filesize
109KB

MD5
5c90d8efae16e0eff1455d06eee379f5

SHA1
a0eeed81856e14e27f3fe63ce74de80eaf7ca345

SHA256
7831563f587755c10918b5b23b33b47a5ab300c91ae63b14b7d0c9dc9383b999

SHA512
bd203aa3186e0a3ef9976b0f5d07bf684d19374372636014c7d2ea915c819d1c1258d216cb188e2d27f5d971ac958af2ce3a3501d0f4a5bbd42e108eedd5576f

Download Submit
C:\Windows\SysWOW64\Gbalopbn.exe
Filesize
109KB

MD5
5bc361238cb12b1ac1d8523506c9f431

SHA1
c444375ec5a666f434bc0e7c09123a9425f010bb

SHA256
f8bde3c278728ef110bf0844c4f05de06cb7b960ff29788e8c8bc48e69497b41

SHA512
137d486d0dd38df66ce8b7d09bf9da45642a18df1490e2daedcff20275f2e2b17ba760bc6d50c7b46b8880b0fb7d51d1d5391e88059699fcc6a3903e9fd58830

Download Submit
C:\Windows\SysWOW64\Gbchdp32.exe
Filesize
109KB

MD5
4c1f4d2ad9655a52b0f7cd0a73c4317a

SHA1
c726d3adcde8daee7047e659ee496488aa82a0c4

SHA256
dc7085b9f4bd4306bd4571c14a960a8c017cfb4ce51ce3ac28d9ee5fc88f680f

SHA512
d1c32c5be98d915b0216d9fd8d6d4802500832b17192d57cb23c97d7ef781a9b21eeb9d6ccf56685c0744016fc1ef837f1246dd730ee3cd55ee0978108c97f70

Download Submit
C:\Windows\SysWOW64\Geaepk32.exe
Filesize
109KB

MD5
07ddb266cd3327cf73e4ffe16e9ad11b

SHA1
fed0f1d4c56285ab27ea79a7190ab08ccd9e56ed

SHA256
6187919dc00a9d5d2f537402046c13240e0a41f53e53e5920d284d87e09c9299

SHA512
71104e16db3790634327706f377abcf7115944cc457995af8b5d5c58886582c7eec502513774c872345039d874eaade0a0a99d542f61205cb46f4b6e89c9b8ec

Download Submit
C:\Windows\SysWOW64\Gehbjm32.exe
Filesize
109KB

MD5
0ac0ff37087b5a83b4a02d96ba4adcba

SHA1
0279aa69d3118862f141c9a886408f48a867da38

SHA256
eb27c5893f701e910eda500a63f9e348a2ec1672d4eb5b1a0a3dfb62a80f1884

SHA512
8a8b4ef1728e45f61af8ac1282ac05db23576dbd2c3285aafbd895ec566ad11189cdcc9daed338357e8ddf7ecc7162bc2f2a2374bfe654d0c70f5625d6c04571

Download Submit
C:\Windows\SysWOW64\Gfjkjo32.exe
Filesize
109KB

MD5
9e192e26a6e6b229a6cbe1b65cafe42a

SHA1
7f438b57eac0bff8624c9f7309a4ae206629731f

SHA256
486dfd412687185e4d5648d906cd8c34cdb54c6c9bf832419eaf461c7a99f111

SHA512
fb92f047f0f03e8fb1e20c3ad6100836ea2219a3f28750783a1f86dd0937d7296372b2f787c66e60c0fd69ad0899eb550bebab537840dc624cafc693761b6ed7

Download Submit
C:\Windows\SysWOW64\Gifkpknp.exe
Filesize
109KB

MD5
e77a2710bd10771c1ebe6ef8f9506c53

SHA1
a63cae8a86abae7cea2d142c912cb8e4caf40d47

SHA256
78a5c734bd72c69e3f4cde545668463c54f7632b1c1015af338e3d5dbddf518d

SHA512
fe07aac3044925a88fd543a61a9156debdb10c900903a9c04f86bd0b1a5dcccd8d1bdd5f4d561f15aa4f883ee5f6e1817234d434cbd892a0acd7f35166af88b0

Download Submit
C:\Windows\SysWOW64\Gihgfk32.exe
Filesize
109KB

MD5
49cdacaf61100e509d5a758ad8e4f301

SHA1
935c3421b766d7da0970c49e1dc5e5f18b133f0b

SHA256
b22f6bac0443e27f07cdd437791afc58def0c8fd162612877311d258b667d04c

SHA512
4825482613afb561dcd4cc9ccf798891c609e90db620b5c0364aa56db7a5a8f89b49dff0f1c770877da75ec8f7c6bbce4899bf7360665a3bb091962084d96cb9

Download Submit
C:\Windows\SysWOW64\Gikdkj32.exe
Filesize
109KB

MD5
66dcefff9608cbe7464f27ed46efd500

SHA1
abbecf006cba985c50f04d2b9c044c96750dfe40

SHA256
a8315583b3359f0971da8461d35d8d3a34154e83a2cae2c559edaeb5d6eee070

SHA512
23ddf07012c1e4850bf3bc3400ea7289e2b51db16fe3331d8c2a221ddaa2717eb25f91662187a93d5bd6f04cc426e89571dbe6247975535d34464432b9237de0

Download Submit
C:\Windows\SysWOW64\Glbjggof.exe
Filesize
109KB

MD5
80796e31bf5f19111d80508f55004096

SHA1
d8e9f777a72fbfd640e302e6568e414a5e125d6f

SHA256
451233e68bca4e6140aa31d83c936c20336dda2b95d2a52aca815e87c0ad2325

SHA512
67f90153678cbe6c1e3ebacaef85353b5805e21b0f2dce8a939fbe85fcbfe666032a7ad20383374fac62e207e9cd78fb35c071b5080f0936f337a18229831097

Download Submit
C:\Windows\SysWOW64\Glgcbf32.exe
Filesize
109KB

MD5
7bb94e0af602383c54ee31e5bb4902b0

SHA1
e8b2d8eb1e984968a4107354caa733ff5d5362c9

SHA256
2c1cb443f8bec334b13aa22d2232e48863194da46d9d7a2e117c0581e7a48a93

SHA512
84363003a146ca224bbc8fcb6166cbd6f54794f456090ae0c254c880cdcf333cfc5ee32b5adf881078d72fce0bf640bcd8dea331256b785df5785159c542b9d2

Download Submit
C:\Windows\SysWOW64\Gnqfcbnj.exe
Filesize
109KB

MD5
9717f5b08dbded696a85044bdeb6095b

SHA1
90afc2201b3a2e12a913f1e2206697b2d2d91330

SHA256
18d1584b5530d10f83f484896528915fe24e745638648296e0ab3f7fdb09ad79

SHA512
0f3c8dd71d868826f45b609399ae96fad8cdf66c5a1e9e34cdac71176117b587153b7cf4f444c3236fa246b48ee40c150b5b0153c5210151a9d46335dd16ec8f

Download Submit
C:\Windows\SysWOW64\Gojiiafp.exe
Filesize
109KB

MD5
9482244fff8f4f3665da576113df00a2

SHA1
f38d0f6096e2d40d7662f4f3f011fad0036862c5

SHA256
22dae0546ac30d82429e8ea42ee4d6810c4fb624da51900b7694c113f3568be6

SHA512
02189baca6fd8e79667853b540c3faab3951c2d3f22ded8620b869aa9840b8168255024c4f00e3ba1e4360308e74a1dc20cb1458d528b2c03311382ea967b2f4

Download Submit
C:\Windows\SysWOW64\Gpelhd32.exe
Filesize
109KB

MD5
f942fc4ec4709f0bcd0b748482968124

SHA1
9dd9c819621fe89faaa2850d9762cc73975e54e3

SHA256
42edadf477c89fe8a7fb28dd93b525c870e2585300c53965fac035f9a62dc35b

SHA512
442989b0b5db8cff6177c6c429306d36b9fc68827fd7e33aff31bbfbbbf5b095b609f08d2dd78dc447a47ab62106e8f58207b54cf19dcc140580043883f148dc

Download Submit
C:\Windows\SysWOW64\Gppcmeem.exe
Filesize
109KB

MD5
5d9191a64903de0a439179422da90397

SHA1
d71833231d824e70e16a51d4b8f3fd7b477bd829

SHA256
c142ededc2ee7a495b552acf8c71cc9a58bb3a0b81d8fce1183f6faff9d88743

SHA512
691ffaacb7c0cf16b0020050d9b3d3484d2d3e40373ef953b47abe3c6eb2b53d3f002541acac143632b9eae289c16bbd673efdc8f030b608785162b516ee1bf0

Download Submit
C:\Windows\SysWOW64\Hbjoeojc.exe
Filesize
109KB

MD5
b8fbb62f63d2d36253b5317f21b323f7

SHA1
00b40138eaf3876ad9201f2b9c6ab01d871d29fc

SHA256
db5020c61fc66cfb3605bd7f6315fdab5f10986cc23eada4c4c880a225e7b1a7

SHA512
7b7aa22f44cbc263b2ba2846e2b91f3fd6b8ab15d202e78c3f55dee76a40be39442d2548a3687e14d7471b49087a8b1df8445edcb45360118dac335bc9a72741

Download Submit
C:\Windows\SysWOW64\Hblkjo32.exe
Filesize
109KB

MD5
6330c8023a3f7ecd961eedb4051f6247

SHA1
f359f0f64b053005b04d3cb870d93d094f67ba47

SHA256
674151242d68afc9f6b8e052996b7b02442b7a66afc89bc8b9892f5caf2eb4e5

SHA512
8c9bbc5b2522a2b90e2fb4aea9bd6e23a68eabaa53034d08706a906a1af79ac440e9c02049a52f71c8d59aaae64e1c6976a6585e5278618ce4a6f0d78eba0352

Download Submit
C:\Windows\SysWOW64\Hedafk32.exe
Filesize
109KB

MD5
058a1e478e3c200e54068922456fc668

SHA1
333d5e87268b3d24fde05c2648d0f1835ef943db

SHA256
11e3f6455516b0d9c9493bd455760eeba5584c7014cd3d9eb4ffb01c2dee52dd

SHA512
9a0f8fcae3729894ba99f0cae594da7aa90da8a1261676caaf2dfe4092f3dfe53be0e60da67d1855f3a2e45a2a86f9df75af06ec5a721e4fd81f989eca61a80f

Download Submit
C:\Windows\SysWOW64\Hfcnpn32.exe
Filesize
109KB

MD5
1895efa2dff01c83e7255607515fe1e2

SHA1
32bfce9e47dfd6a06eeec27f7b96ca10012ff4ab

SHA256
df7ecf39b9ec65283c084aee7258fb54a1c2a4eeb583e7cbeb6f78d19de0154b

SHA512
1302ac0244c579ddcda141a8f9f49708b90d140197170c9cecca78c29f3316ba5aefcdeb85b71d5523cf98071d2e09e3b8eb33ef58ff28d4c8c5f75f46d6b547

Download Submit
C:\Windows\SysWOW64\Hidgai32.exe
Filesize
109KB

MD5
e418c2eb7b7b5c0ba44ef990e690caac

SHA1
f9ae2ff3936084b64e5389a1fffd87009c24fca9

SHA256
8f542f2a223f08e22fcbf1f85fa22d169415a5e2a0171e3885f547383cf02af2

SHA512
b0332dd996ed8226e6029a6fae12ff50c9c0b589a6400353c528d3d5de10a716d1cefd33df0ed8247fc06611198182c5952578306cce506d5b2d385735210f90

Download Submit
C:\Windows\SysWOW64\Hlnjbedi.exe
Filesize
109KB

MD5
704c0de73a9ef2f2dbac1a1d66db6d96

SHA1
18fdd1e18d1e2ecac65f3136aaf48c65e9811e23

SHA256
bec5438e0e0c139d30d750fbd0d35489cc59688dcf339dc8f2e3a999927da91d

SHA512
40222858dc33f2fb05b9706f57c3398ce26b7d25db571da19890d755a1e4096e35d0566432dc80e870ad9f3a544566bf6c2cb6607b6dc253bd1fde1163523850

Download Submit
C:\Windows\SysWOW64\Hmmfmhll.exe
Filesize
109KB

MD5
bf862336b97241e3908739b468bc37e4

SHA1
8205ed61f3706fb288b1a3e78679b73803f314f9

SHA256
dbc5d9f5da3a019c689c7386318d0f6544648db7824e2729cb1aecf24cbb11d8

SHA512
6de660e41a91daf89716bd9fd6c23425bffca31fc71ced3abbbcad56c405063ed5a31ea01d6c861c7159cf371642be242989c7e8bc9aab7d0c98057713f35a04

Download Submit
C:\Windows\SysWOW64\Hmpcbhji.exe
Filesize
109KB

MD5
2aef4652173f758ae798e7ee8340eff1

SHA1
c9fb417e1855af81796c7e1b6de8c7b6de73ecae

SHA256
9311096426ec988ed84dd99f5ec7d018d6667f4c4b84e7eed9ae31f34fd9ea0f

SHA512
cf12822bda3e8226b3e5625b0b1984a46433ec8ca8407c57c7b8676f7548e0caacf64bb1980d10143c352e0e561d37224412b4f7d67145ffb76b2e2bebe974ac

Download Submit
C:\Windows\SysWOW64\Holfoqcm.exe
Filesize
109KB

MD5
a8b480e7570b204d46ead5ec00f8dedc

SHA1
0b74832c75ba371cbe386986e42b1480fb5d3dc8

SHA256
1687c11ccf2575e44518caab6d6c96bd1860212029d1c15d2133c8795faf9495

SHA512
7a229a8d0246f140eac5cc7af107f9e7d01dee7359ed98b947ada29b9221fc23bd31c115acf12ac39ea066d95974ba90f381377b4cce3f17a6a670a2dbb2fcc0

Download Submit
C:\Windows\SysWOW64\Hoobdp32.exe
Filesize
109KB

MD5
cddd6321a6d5abf0a1c34f1da31994da

SHA1
52679be6194064e3f5d040109e45ebfbc389fe01

SHA256
5157718e05f6a666bc387e0e7f986653693dbcff8d3ac7f59170a6463b85ccd7

SHA512
7b44ec2f76fd5dfa32e931a039144de198a60d7ca9deb73736b2ef05602051bc7ceff1d840c28bd9fe7d0ead1227377e57f78f8db385ba0e2c4c83fade621cc4

Download Submit
C:\Windows\SysWOW64\Hpchib32.exe
Filesize
109KB

MD5
f15fbf5bec79a0f219bb22ef387c6065

SHA1
429525b28a58a4f7efa57a5364c60096a88b5fe3

SHA256
fb2b52d25746c5b7322ca36b1ae791c93686345202d0edfb5c3d6397f192f2a7

SHA512
cce3a054ffd43db1b01fef72983c53f0465eb5d578e2af3681f9514455b39b649aa5e13432662deb10a96d072f67c255d31c7ba56298ec607805e7cdf6585eb2

Download Submit
C:\Windows\SysWOW64\Iliinc32.exe
Filesize
109KB

MD5
adaa7fb3b26d698ca0a09443fb0e9992

SHA1
5ec61682e3c7402eddd7d88db27bf584859a4aa7

SHA256
843d43baa7f4ee54bc12c1d42c7b408b713970492c50094bf0562248f4af3bbe

SHA512
63a67135e91499306fcbca6577f9fe5e7d6f9acf502f4bc1cb72c71d400b7e3b3e5938db6538a403f97a71aff6195ff40f5903097d4ce3c8cc8e0c8307441503

Download Submit
C:\Windows\SysWOW64\Iomoenej.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\SysWOW64\Ioolkncg.exe
Filesize
109KB

MD5
ec27db43ea9ead343ee1e8530d6c52e6

SHA1
5f5f3369590ef9e8ad0cfc1d0c519b048b2c00cc

SHA256
435e0a94c7c1044a3578f24e26ca7f09267f1a9f4805f26b7afebe1d33fd942f

SHA512
6798e50300714b8b656c10fd2d93d032d29bad38fdd4d8eddb173074acd711ad232a5fa98c9c219646aec65dd13241e58d6d95a1d5384d5e4b85f2d7158aa5b9

Download Submit
C:\Windows\SysWOW64\Jcmdaljn.exe
Filesize
109KB

MD5
b083fe687d0353ee8a052e50ac4c6479

SHA1
69f1dfcd99eac5732dcb322555dc970c04530671

SHA256
31a65a84f52ceb1ff755d96b3ced3d4f1c5d8acf3875fcf1779d74035d4ff30a

SHA512
23fdc99c555f933554b5d082a789c459d3e0275725e7bdf74361ce1015c7c2056e2ea71e16e37074dc44fb91482281c2fff4b71ef7c95d3918f7c06f9884791f

Download Submit
C:\Windows\SysWOW64\Lcimdh32.exe
Filesize
109KB

MD5
582a1acd01032f738bd8a8367324a059

SHA1
8d246998bff313c71a3a756dd63a420f045b9c16

SHA256
b00e3f99113dff5dadbfb3a75e0f446b0f3b5e850a07495f60e67eeb1b9d346c

SHA512
69f9d300b851ea623ef0e0af3d6b1a814fe33507119a437db619380753cbd8427b3a523220ea7a395b3b4286a8bc5d468c60a5144c433040c277938a50fa3c32

Download Submit
C:\Windows\SysWOW64\Ldklgegb.dll
Filesize
7KB

MD5
d67b35f373bdf81b01a832a5687e09c8

SHA1
34d5ffce155a532adde6bf7101ccae383ca113cf

SHA256
a77ecd70b791eb1bea05dc134b31cd44a210056dab11c9acfd8009adbada7663

SHA512
29ff038c2428ad1358eeb0a6d34e3e55f4e77ad6cb8d55ae532bc0b37d7e3e0ab12987fd6bee6314c0a94d6b424480a9192d7c7288e85c39d6c320f45cc5a3c2

Download Submit
C:\Windows\SysWOW64\Mcpcdg32.exe
Filesize
109KB

MD5
e71f447a59099b83a4d514151a5ad56c

SHA1
29e39fc28578d08e428b739011b9b7fd2a4fe2fc

SHA256
59e74c99955efe2028aa449b67053aa3040e1e1a2bcd6a110895dfa22983272a

SHA512
8d2b7db9627626fb04f8fc07384fa4b54d1e929302d009fe2f819fde2d12712f30da234b3fb207b78b506159932f2ccf925982080bc93ec03b66cf535147ffa8

Download Submit
C:\Windows\SysWOW64\Mfchlbfd.exe
Filesize
109KB

MD5
2edb6c1b304a04042355828edf681820

SHA1
524299753abe1151c94ba326f1420c09762cf6bd

SHA256
cc2f3565b8277c31e13a9cd70b472fae2146ffe43e88bff723ac07edb962e713

SHA512
7c440610be7667a45ad5394205d544126ed7cddcc297762083eb34c086c3cb7836f49ae42e8ecdc008ec183d97278e6574ab911b27e5b72887e7d653efccb724

Download Submit
C:\Windows\SysWOW64\Mmhgmmbf.exe
Filesize
64KB

MD5
137ba2e3ed3fa827a341a74a834f701e

SHA1
bf2f90ec3a3469ec7280ef5be8bc13e5b6d96e8b

SHA256
683ba937295b2b8352673e528fe73fc2151bb665a1b145afbe4a0d98d42252e0

SHA512
19386afe9ac6613e0d961d25600e5de13c0700240609f0d1402b175accfdcf3588bd2f0b9cb50a3463520476601ea8bf589d7161f9d285a64d9d02928f5859d6

Download Submit
C:\Windows\SysWOW64\Nmbjcljl.exe
Filesize
109KB

MD5
034cf360aa645a8f0af464d20d25b299

SHA1
1a5ef089a01a85e51f4faf56c858022c3ac92c85

SHA256
2e77b827e8a84e7b3b952764ae33139b27a1d3daf2ad69207938ccd05fd67013

SHA512
379d8c7578262c58a9af501349855f8698c141a9055b9072729c12cbce6897475aefb27796a4a7c6140222459543d8cfba50b3d785cbc8ad812f2a23051ce3fb

Download Submit
C:\Windows\SysWOW64\Npiiffqe.exe
Filesize
109KB

MD5
d3854d5eff01a8fcd55260d133a10fe1

SHA1
57f29e49e7d7ee1303d859e607764fee7fc030dd

SHA256
f0aecfb3ead7c0cd0acf8c13878fcfd536cef0bc504017b9870d1d183e99dd41

SHA512
f71232252842ec86cdecbfb42bcad8b6cd7ecc1b94eb35612c2daeded2f9514b788fc9592226ef11ea6f9a550bc9f1b511fc16bfcce3d7d2034229538f2f1f88

Download Submit
C:\Windows\SysWOW64\Ocgbld32.exe
Filesize
109KB

MD5
9ed5b2edec397eab80e177d8fbc238b1

SHA1
279e7d4bb12500b45098749c59f9940da3a303c2

SHA256
c1b0b246ed3412b1595ecaa69144a00b25e135eeda89c924dd63a67503f49c02

SHA512
bd989d91b32b987dbbd6991df8122cc8615bf95cd95fa985d423009b5dec30c3803955e25af82888bf6973970e203932b406e76d059e6ef1e5eabb598fa61dda

Download Submit
C:\Windows\SysWOW64\Ofmdio32.exe
Filesize
109KB

MD5
9ef6ff2828b39477b77de772e95c7a45

SHA1
fe9cda313cd539c437c83e39de519bb44f2dd50a

SHA256
653b3ea8a50ef7837b0c43c6ba45c964ab0c51ef64391384f3c14bafb11008e3

SHA512
2b3aea8f5f941315194110723dd69773e18d99adcabeeb68500511aa9e3909af4ddc4fb0bebbb31e5d50571cd591b89bd9276cda3cd29f7e5838660de1d19617

Download Submit
memory/320-388-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/636-40-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/636-579-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/676-278-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/736-36-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/736-572-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/740-216-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/832-183-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/956-328-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/964-87-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1136-411-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1160-104-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1316-176-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1512-56-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1512-593-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1536-424-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1548-358-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1840-286-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1912-262-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1924-382-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2160-310-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2196-376-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2232-48-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2232-590-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2292-208-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2332-136-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2352-292-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2440-418-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2524-416-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2708-558-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2708-16-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2800-374-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2824-316-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2844-430-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2900-280-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2924-236-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3008-113-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3048-200-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3236-352-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3244-248-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3248-365-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3380-400-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3584-551-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3584-10-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3744-346-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3992-152-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4036-80-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4048-24-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4048-569-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4056-119-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4168-298-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4180-544-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4180-0-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4360-340-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4388-394-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4392-192-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4512-63-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4576-168-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4600-268-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4604-128-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4688-334-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4836-224-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4848-322-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4932-71-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4956-256-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4996-148-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5016-240-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5056-96-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5060-165-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5088-304-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5132-578-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5144-441-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5180-442-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5192-580-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5228-452-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5272-454-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5292-592-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5316-460-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5364-466-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5388-594-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5404-476-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5440-480-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5484-488-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5528-490-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5568-496-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5616-506-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5656-513-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5692-514-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5736-520-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5784-526-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5828-532-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5876-542-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5924-545-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5976-552-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/6048-559-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/6112-571-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download