61fcbc684017ca186b32fa030c3da59c505df80c632a04502a20e73496737d67

Analysis

max time kernel
141s
max time network
112s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
25-05-2024 23:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

35741ffd5d19f9d988ae7240a1e8bf40_NeikiAnalytics.exe
Size

128KB
MD5

35741ffd5d19f9d988ae7240a1e8bf40
SHA1

bc4b2f514b323b10e8b86d62d18ed8a3fa31f5a9
SHA256

61fcbc684017ca186b32fa030c3da59c505df80c632a04502a20e73496737d67
SHA512

3b9d76a1df2bbadc9fa9a0095c5b22b2aa757947d8763c78b525ff2993e87b129fd17f1eed1a20c2eed66b678d3ac48fdb84140f407392ed39eaf12fde349e28
SSDEEP

3072:zUO9bAQyF2GUEGS2/BhHmiImXJ2fYdV46nfPyxWhj8NCM/r:zUOryFPx4BhHmNEcYj9nhV8NCU

Score

10^/10

backdoor dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Ceoibflm.exeEdihepnm.exeFkciihgg.exeAjfhnjhq.exeCenahpha.exePbddcoei.exeIpbdmaah.exeMdjagjco.exePengdk32.exeCbefaj32.exeFcckif32.exeGcojed32.exeGcagkdba.exeDopigd32.exeLiimncmf.exeOgifjcdp.exeAgglboim.exeCjmgfgdf.exeDhfajjoj.exeAjdbcano.exeJbjcolha.exeMmlpoqpg.exeChmndlge.exeChagok32.exeCnkplejl.exeCeaehfjj.exeFojlngce.exePjmehkqk.exeBnmcjg32.exeFhcpgmjf.exeDjgjlelk.exeKebbafoj.exeOgkcpbam.exeAejfpjne.exeGcimkc32.exeKiidgeki.exeKplpjn32.exeAfjlnk32.exeAmddjegd.exeCdfbibnb.exeHofdacke.exeIcgjmapi.exeOponmilc.exeOdapnf32.exeOcdqjceo.exeDgbdlf32.exeIihkpg32.exeMelnob32.exeQajadlja.exeBjdkjo32.exeGfpcgpae.exeNdcdmikd.exeNdhmhh32.exeOpakbi32.exePjjhbl32.exePgnilpah.exeQgcbgo32.exeCjpckf32.exeHelfik32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceoibflm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Edihepnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fkciihgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajfhnjhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenahpha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbddcoei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipbdmaah.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdjagjco.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pengdk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbefaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fcckif32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcojed32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcagkdba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liimncmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogifjcdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agglboim.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajdbcano.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbjcolha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmlpoqpg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Edihepnm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceaehfjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fojlngce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liimncmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fhcpgmjf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kebbafoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogkcpbam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aejfpjne.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcimkc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kiidgeki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kplpjn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdfbibnb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fkciihgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hofdacke.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icgjmapi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oponmilc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Odapnf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocdqjceo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iihkpg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Melnob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qajadlja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjdkjo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfpcgpae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndcdmikd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndhmhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gcimkc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opakbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjjhbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgnilpah.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Helfik32.exe

Malware Dropper & Backdoor - Berbew 64 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

Processes:

resource	yara_rule
behavioral2/memory/3700-0-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Pnbbbabh.exe	family_berbew
behavioral2/memory/1252-9-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Pcojkhap.exe	family_berbew
behavioral2/memory/2636-17-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Pkfblfab.exe	family_berbew
behavioral2/memory/4896-29-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Pndohaqe.exe	family_berbew
behavioral2/memory/4028-33-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Pengdk32.exe	family_berbew
behavioral2/memory/4840-40-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Pbbgnpgl.exe	family_berbew
behavioral2/memory/4428-48-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Pkjlge32.exe	family_berbew
behavioral2/memory/4940-61-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Pbddcoei.exe	family_berbew
behavioral2/memory/4684-65-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Qgallfcq.exe	family_berbew
behavioral2/memory/4516-72-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Qajadlja.exe	family_berbew
behavioral2/memory/1996-81-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Qgciaf32.exe	family_berbew
behavioral2/memory/2740-89-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Aegikj32.exe	family_berbew
behavioral2/memory/3956-96-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Ajdbcano.exe	family_berbew
behavioral2/memory/1080-105-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Aejfpjne.exe	family_berbew
behavioral2/memory/2824-112-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Abngjnmo.exe	family_berbew
behavioral2/memory/2280-121-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Acocaf32.exe	family_berbew
behavioral2/memory/2868-129-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Abpcon32.exe	family_berbew
behavioral2/memory/4308-136-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Ahmlgd32.exe	family_berbew
behavioral2/memory/876-145-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Abbpem32.exe	family_berbew
behavioral2/memory/4032-153-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Alkdnboj.exe	family_berbew
behavioral2/memory/1896-160-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Bahmfj32.exe	family_berbew
behavioral2/memory/2480-173-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Bhaebcen.exe	family_berbew
behavioral2/memory/4528-176-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Beeflhdh.exe	family_berbew
behavioral2/memory/1400-189-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Bhdbhcck.exe	family_berbew
behavioral2/memory/1824-193-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Bnnjen32.exe	family_berbew
C:\Windows\SysWOW64\Behbag32.exe	family_berbew
behavioral2/memory/3464-205-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/memory/2080-208-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Bjdkjo32.exe	family_berbew
behavioral2/memory/1268-217-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Baocghgi.exe	family_berbew
behavioral2/memory/1052-224-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Bobcpmfc.exe	family_berbew
behavioral2/memory/3504-232-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Bemlmgnp.exe	family_berbew
behavioral2/memory/4492-241-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Blfdia32.exe	family_berbew
behavioral2/memory/4672-248-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Ceoibflm.exe	family_berbew

Executes dropped EXE 64 IoCs

Processes:

Pnbbbabh.exePcojkhap.exePkfblfab.exePndohaqe.exePengdk32.exePbbgnpgl.exePkjlge32.exePbddcoei.exeQgallfcq.exeQajadlja.exeQgciaf32.exeAegikj32.exeAjdbcano.exeAejfpjne.exeAbngjnmo.exeAcocaf32.exeAbpcon32.exeAhmlgd32.exeAbbpem32.exeAlkdnboj.exeBahmfj32.exeBhaebcen.exeBeeflhdh.exeBhdbhcck.exeBnnjen32.exeBehbag32.exeBjdkjo32.exeBaocghgi.exeBobcpmfc.exeBemlmgnp.exeBlfdia32.exeCeoibflm.exeChmeobkq.exeCogmkl32.exeCeaehfjj.exeClkndpag.exeCbefaj32.exeCdfbibnb.exeColffknh.exeChdkoa32.exeCkcgkldl.exeCbjoljdo.exeCkedalaj.exeDbllbibl.exeDdmhja32.exeDboigi32.exeDhkapp32.exeDkjmlk32.exeDdbbeade.exeDkljak32.exeDafbne32.exeDhpjkojk.exeDojcgi32.exeDahode32.exeDlncan32.exeEolpmi32.exeEdihepnm.exeEcjhcg32.exeEdkdkplj.exeEkemhj32.exeEdnaqo32.exeEkhjmiad.exeEabbjc32.exeEdpnfo32.exe

pid	process
1252	Pnbbbabh.exe
2636	Pcojkhap.exe
4896	Pkfblfab.exe
4028	Pndohaqe.exe
4840	Pengdk32.exe
4428	Pbbgnpgl.exe
4940	Pkjlge32.exe
4684	Pbddcoei.exe
4516	Qgallfcq.exe
1996	Qajadlja.exe
2740	Qgciaf32.exe
3956	Aegikj32.exe
1080	Ajdbcano.exe
2824	Aejfpjne.exe
2280	Abngjnmo.exe
2868	Acocaf32.exe
4308	Abpcon32.exe
876	Ahmlgd32.exe
4032	Abbpem32.exe
1896	Alkdnboj.exe
2480	Bahmfj32.exe
4528	Bhaebcen.exe
1400	Beeflhdh.exe
1824	Bhdbhcck.exe
3464	Bnnjen32.exe
2080	Behbag32.exe
1268	Bjdkjo32.exe
1052	Baocghgi.exe
3504	Bobcpmfc.exe
4492	Bemlmgnp.exe
4672	Blfdia32.exe
3064	Ceoibflm.exe
4480	Chmeobkq.exe
4384	Cogmkl32.exe
3192	Ceaehfjj.exe
3832	Clkndpag.exe
4588	Cbefaj32.exe
4476	Cdfbibnb.exe
2696	Colffknh.exe
4304	Chdkoa32.exe
2924	Ckcgkldl.exe
1712	Cbjoljdo.exe
624	Ckedalaj.exe
3820	Dbllbibl.exe
4608	Ddmhja32.exe
936	Dboigi32.exe
2972	Dhkapp32.exe
4364	Dkjmlk32.exe
440	Ddbbeade.exe
3344	Dkljak32.exe
2464	Dafbne32.exe
4936	Dhpjkojk.exe
856	Dojcgi32.exe
3436	Dahode32.exe
5004	Dlncan32.exe
4908	Eolpmi32.exe
640	Edihepnm.exe
4392	Ecjhcg32.exe
3060	Edkdkplj.exe
632	Ekemhj32.exe
1596	Ednaqo32.exe
4296	Ekhjmiad.exe
3804	Eabbjc32.exe
2072	Edpnfo32.exe

Drops file in System32 directory 64 IoCs

Processes:

Cabfga32.exeIcplcpgo.exeAmbgef32.exeCjbpaf32.exeGcojed32.exeGmjlcj32.exeBmkjkd32.exeBnpppgdj.exeOqfdnhfk.exeNgpccdlj.exeIfefimom.exeIckchq32.exeHobkfd32.exeAeiofcji.exeOponmilc.exeBjokdipf.exeHfnphn32.exeKdqejn32.exeFojlngce.exeBehbag32.exeEdkdkplj.exeLmppcbjd.exeLlgjjnlj.exeNcianepl.exeCagobalc.exeGcagkdba.exeGdeqhl32.exeFckajehi.exeIcifbang.exeChagok32.exeDhmgki32.exeJpgmha32.exeNdcdmikd.exeIicbehnq.exeKiidgeki.exeDddhpjof.exeBeeflhdh.exeBnnjen32.exeEadopc32.exeQgciaf32.exeEabbjc32.exeIihkpg32.exeDodbbdbb.exeBobcpmfc.exeEkhjmiad.exeJefbfgig.exeNdhmhh32.exeQgcbgo32.exeFcckif32.exeOneklm32.exeBmngqdpj.exeBhaebcen.exeLikjcbkc.exePjjhbl32.exeAbngjnmo.exeOncofm32.exeKmfmmcbo.exePjmehkqk.exePgnilpah.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Cenahpha.exe	Cabfga32.exe
File opened for modification	C:\Windows\SysWOW64\Jpgmha32.exe	Icplcpgo.exe
File created	C:\Windows\SysWOW64\Aeiofcji.exe	Ambgef32.exe
File opened for modification	C:\Windows\SysWOW64\Cmqmma32.exe	Cjbpaf32.exe
File opened for modification	C:\Windows\SysWOW64\Gfngap32.exe	Gcojed32.exe
File created	C:\Windows\SysWOW64\Gdeqhl32.exe	Gmjlcj32.exe
File opened for modification	C:\Windows\SysWOW64\Bagflcje.exe	Bmkjkd32.exe
File created	C:\Windows\SysWOW64\Qihfjd32.dll	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Naekcf32.dll	Oqfdnhfk.exe
File created	C:\Windows\SysWOW64\Goaojagc.dll	Ngpccdlj.exe
File opened for modification	C:\Windows\SysWOW64\Iicbehnq.exe	Ifefimom.exe
File opened for modification	C:\Windows\SysWOW64\Ifjodl32.exe	Ickchq32.exe
File opened for modification	C:\Windows\SysWOW64\Hbpgbo32.exe	Hobkfd32.exe
File created	C:\Windows\SysWOW64\Dpmdoo32.dll	Aeiofcji.exe
File created	C:\Windows\SysWOW64\Ogifjcdp.exe	Oponmilc.exe
File created	C:\Windows\SysWOW64\Bmngqdpj.exe	Bjokdipf.exe
File created	C:\Windows\SysWOW64\Hmhhehlb.exe	Hfnphn32.exe
File created	C:\Windows\SysWOW64\Icpnnd32.dll	Kdqejn32.exe
File created	C:\Windows\SysWOW64\Heomgj32.dll	Fojlngce.exe
File created	C:\Windows\SysWOW64\Mkijij32.dll	Cabfga32.exe
File opened for modification	C:\Windows\SysWOW64\Bjdkjo32.exe	Behbag32.exe
File opened for modification	C:\Windows\SysWOW64\Ekemhj32.exe	Edkdkplj.exe
File opened for modification	C:\Windows\SysWOW64\Lpnlpnih.exe	Lmppcbjd.exe
File opened for modification	C:\Windows\SysWOW64\Lgmngglp.exe	Llgjjnlj.exe
File created	C:\Windows\SysWOW64\Ocljjj32.dll	Ncianepl.exe
File opened for modification	C:\Windows\SysWOW64\Ceckcp32.exe	Cagobalc.exe
File opened for modification	C:\Windows\SysWOW64\Gfpcgpae.exe	Gcagkdba.exe
File opened for modification	C:\Windows\SysWOW64\Gmoeoidl.exe	Gdeqhl32.exe
File created	C:\Windows\SysWOW64\Fdlnbm32.exe	Fckajehi.exe
File created	C:\Windows\SysWOW64\Ifgbnlmj.exe	Icifbang.exe
File created	C:\Windows\SysWOW64\Njciko32.exe	Ncianepl.exe
File created	C:\Windows\SysWOW64\Cjpckf32.exe	Chagok32.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Jlnnmb32.exe	Jpgmha32.exe
File created	C:\Windows\SysWOW64\Neeqea32.exe	Ndcdmikd.exe
File created	C:\Windows\SysWOW64\Icifbang.exe	Iicbehnq.exe
File created	C:\Windows\SysWOW64\Kpbmco32.exe	Kiidgeki.exe
File created	C:\Windows\SysWOW64\Okgoadbf.dll	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Bhdbhcck.exe	Beeflhdh.exe
File created	C:\Windows\SysWOW64\Dmbcpkhj.dll	Bnnjen32.exe
File created	C:\Windows\SysWOW64\Fljcmlfd.exe	Eadopc32.exe
File opened for modification	C:\Windows\SysWOW64\Aegikj32.exe	Qgciaf32.exe
File opened for modification	C:\Windows\SysWOW64\Edpnfo32.exe	Eabbjc32.exe
File opened for modification	C:\Windows\SysWOW64\Ipbdmaah.exe	Iihkpg32.exe
File opened for modification	C:\Windows\SysWOW64\Daconoae.exe	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Bemlmgnp.exe	Bobcpmfc.exe
File created	C:\Windows\SysWOW64\Mifnjj32.dll	Ekhjmiad.exe
File created	C:\Windows\SysWOW64\Jplfcpin.exe	Jefbfgig.exe
File created	C:\Windows\SysWOW64\Kmcjho32.dll	Ndhmhh32.exe
File created	C:\Windows\SysWOW64\Qeobam32.dll	Qgcbgo32.exe
File opened for modification	C:\Windows\SysWOW64\Febgea32.exe	Fcckif32.exe
File created	C:\Windows\SysWOW64\Hfgefhai.dll	Hobkfd32.exe
File opened for modification	C:\Windows\SysWOW64\Opdghh32.exe	Oneklm32.exe
File opened for modification	C:\Windows\SysWOW64\Beeoaapl.exe	Bmngqdpj.exe
File opened for modification	C:\Windows\SysWOW64\Beeflhdh.exe	Bhaebcen.exe
File created	C:\Windows\SysWOW64\Lpebpm32.exe	Likjcbkc.exe
File created	C:\Windows\SysWOW64\Ochpdn32.dll	Pjjhbl32.exe
File created	C:\Windows\SysWOW64\Acocaf32.exe	Abngjnmo.exe
File created	C:\Windows\SysWOW64\Oadacmff.dll	Oncofm32.exe
File created	C:\Windows\SysWOW64\Kdqejn32.exe	Kmfmmcbo.exe
File created	C:\Windows\SysWOW64\Qmkadgpo.exe	Pjmehkqk.exe
File created	C:\Windows\SysWOW64\Jcinbcgc.dll	Ifefimom.exe
File created	C:\Windows\SysWOW64\Pjmehkqk.exe	Pgnilpah.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

8724 8924 WerFault.exe Dmllipeg.exe

pid	pid_target	process	target process
8724	8924	WerFault.exe	Dmllipeg.exe

Modifies registry class 64 IoCs

Processes:

Nepgjaeg.exeOncofm32.exeOddmdf32.exeBeglgani.exeFhjfhl32.exeHoiafcic.exeKpgfooop.exeGmoeoidl.exeJehokgge.exeLfkaag32.exeDafbne32.exeEadopc32.exeGmjlcj32.exeBemlmgnp.exePcijeb32.exeBanllbdn.exeBganhm32.exeBgcknmop.exeChjaol32.exePbbgnpgl.exeLikjcbkc.exeAmgapeea.exeCdfbibnb.exeHmjdjgjo.exeAadifclh.exePengdk32.exeKdeoemeg.exeBmkjkd32.exeNjciko32.exeQdbiedpa.exeAjkaii32.exeHfnphn32.exePmannhhj.exeEabbjc32.exeQqijje32.exeOfeilobp.exePjeoglgc.exeBnnjen32.exeEdihepnm.exeHmhhehlb.exeAgoabn32.exeBnmcjg32.exeKplpjn32.exeOgnpebpj.exeAeklkchg.exeCeckcp32.exeAbpcon32.exeCeaehfjj.exeQmmnjfnl.exeKiidgeki.exe35741ffd5d19f9d988ae7240a1e8bf40_NeikiAnalytics.exeBnpppgdj.exeDgbdlf32.exeMnebeogl.exeOcdqjceo.exeHmfkoh32.exeIbqpimpl.exeNeeqea32.exePndohaqe.exeAcocaf32.exeBlfdia32.exeNnlhfn32.exeOnjegled.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nepgjaeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oadacmff.dll"	Oncofm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oddmdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beglgani.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fhjfhl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hoiafcic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imllie32.dll"	Kpgfooop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbbhclmi.dll"	Gmoeoidl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnbnoffm.dll"	Jehokgge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lfkaag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bapolp32.dll"	Dafbne32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eadopc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dekclg32.dll"	Gmjlcj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eicplccq.dll"	Bemlmgnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcijeb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdlgno32.dll"	Bganhm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epogol32.dll"	Pbbgnpgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aomaga32.dll"	Likjcbkc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idnljnaa.dll"	Amgapeea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdfbibnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enlqgg32.dll"	Hmjdjgjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pengdk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdeoemeg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njciko32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hfnphn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkbljp32.dll"	Pmannhhj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eabbjc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdbnaa32.dll"	Qqijje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hmjdjgjo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ofeilobp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jocbigff.dll"	Pjeoglgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnnjen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igoedk32.dll"	Edihepnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hmhhehlb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmhnkg32.dll"	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kplpjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ognpebpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aeklkchg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aklmno32.dll"	Abpcon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceaehfjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qoecnk32.dll"	Kiidgeki.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	35741ffd5d19f9d988ae7240a1e8bf40_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnebeogl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocdqjceo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hmfkoh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ibqpimpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbdhjm32.dll"	Neeqea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pndohaqe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Acocaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cilkoi32.dll"	Blfdia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnlhfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jilkmnni.dll"	Onjegled.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

35741ffd5d19f9d988ae7240a1e8bf40_NeikiAnalytics.exePnbbbabh.exePcojkhap.exePkfblfab.exePndohaqe.exePengdk32.exePbbgnpgl.exePkjlge32.exePbddcoei.exeQgallfcq.exeQajadlja.exeQgciaf32.exeAegikj32.exeAjdbcano.exeAejfpjne.exeAbngjnmo.exeAcocaf32.exeAbpcon32.exeAhmlgd32.exeAbbpem32.exeAlkdnboj.exeBahmfj32.exe

description	pid	process	target process
PID 3700 wrote to memory of 1252	3700	35741ffd5d19f9d988ae7240a1e8bf40_NeikiAnalytics.exe	Pnbbbabh.exe
PID 3700 wrote to memory of 1252	3700	35741ffd5d19f9d988ae7240a1e8bf40_NeikiAnalytics.exe	Pnbbbabh.exe
PID 3700 wrote to memory of 1252	3700	35741ffd5d19f9d988ae7240a1e8bf40_NeikiAnalytics.exe	Pnbbbabh.exe
PID 1252 wrote to memory of 2636	1252	Pnbbbabh.exe	Pcojkhap.exe
PID 1252 wrote to memory of 2636	1252	Pnbbbabh.exe	Pcojkhap.exe
PID 1252 wrote to memory of 2636	1252	Pnbbbabh.exe	Pcojkhap.exe
PID 2636 wrote to memory of 4896	2636	Pcojkhap.exe	Pkfblfab.exe
PID 2636 wrote to memory of 4896	2636	Pcojkhap.exe	Pkfblfab.exe
PID 2636 wrote to memory of 4896	2636	Pcojkhap.exe	Pkfblfab.exe
PID 4896 wrote to memory of 4028	4896	Pkfblfab.exe	Pndohaqe.exe
PID 4896 wrote to memory of 4028	4896	Pkfblfab.exe	Pndohaqe.exe
PID 4896 wrote to memory of 4028	4896	Pkfblfab.exe	Pndohaqe.exe
PID 4028 wrote to memory of 4840	4028	Pndohaqe.exe	Pengdk32.exe
PID 4028 wrote to memory of 4840	4028	Pndohaqe.exe	Pengdk32.exe
PID 4028 wrote to memory of 4840	4028	Pndohaqe.exe	Pengdk32.exe
PID 4840 wrote to memory of 4428	4840	Pengdk32.exe	Pbbgnpgl.exe
PID 4840 wrote to memory of 4428	4840	Pengdk32.exe	Pbbgnpgl.exe
PID 4840 wrote to memory of 4428	4840	Pengdk32.exe	Pbbgnpgl.exe
PID 4428 wrote to memory of 4940	4428	Pbbgnpgl.exe	Pkjlge32.exe
PID 4428 wrote to memory of 4940	4428	Pbbgnpgl.exe	Pkjlge32.exe
PID 4428 wrote to memory of 4940	4428	Pbbgnpgl.exe	Pkjlge32.exe
PID 4940 wrote to memory of 4684	4940	Pkjlge32.exe	Pbddcoei.exe
PID 4940 wrote to memory of 4684	4940	Pkjlge32.exe	Pbddcoei.exe
PID 4940 wrote to memory of 4684	4940	Pkjlge32.exe	Pbddcoei.exe
PID 4684 wrote to memory of 4516	4684	Pbddcoei.exe	Qgallfcq.exe
PID 4684 wrote to memory of 4516	4684	Pbddcoei.exe	Qgallfcq.exe
PID 4684 wrote to memory of 4516	4684	Pbddcoei.exe	Qgallfcq.exe
PID 4516 wrote to memory of 1996	4516	Qgallfcq.exe	Qajadlja.exe
PID 4516 wrote to memory of 1996	4516	Qgallfcq.exe	Qajadlja.exe
PID 4516 wrote to memory of 1996	4516	Qgallfcq.exe	Qajadlja.exe
PID 1996 wrote to memory of 2740	1996	Qajadlja.exe	Qgciaf32.exe
PID 1996 wrote to memory of 2740	1996	Qajadlja.exe	Qgciaf32.exe
PID 1996 wrote to memory of 2740	1996	Qajadlja.exe	Qgciaf32.exe
PID 2740 wrote to memory of 3956	2740	Qgciaf32.exe	Aegikj32.exe
PID 2740 wrote to memory of 3956	2740	Qgciaf32.exe	Aegikj32.exe
PID 2740 wrote to memory of 3956	2740	Qgciaf32.exe	Aegikj32.exe
PID 3956 wrote to memory of 1080	3956	Aegikj32.exe	Ajdbcano.exe
PID 3956 wrote to memory of 1080	3956	Aegikj32.exe	Ajdbcano.exe
PID 3956 wrote to memory of 1080	3956	Aegikj32.exe	Ajdbcano.exe
PID 1080 wrote to memory of 2824	1080	Ajdbcano.exe	Aejfpjne.exe
PID 1080 wrote to memory of 2824	1080	Ajdbcano.exe	Aejfpjne.exe
PID 1080 wrote to memory of 2824	1080	Ajdbcano.exe	Aejfpjne.exe
PID 2824 wrote to memory of 2280	2824	Aejfpjne.exe	Abngjnmo.exe
PID 2824 wrote to memory of 2280	2824	Aejfpjne.exe	Abngjnmo.exe
PID 2824 wrote to memory of 2280	2824	Aejfpjne.exe	Abngjnmo.exe
PID 2280 wrote to memory of 2868	2280	Abngjnmo.exe	Acocaf32.exe
PID 2280 wrote to memory of 2868	2280	Abngjnmo.exe	Acocaf32.exe
PID 2280 wrote to memory of 2868	2280	Abngjnmo.exe	Acocaf32.exe
PID 2868 wrote to memory of 4308	2868	Acocaf32.exe	Abpcon32.exe
PID 2868 wrote to memory of 4308	2868	Acocaf32.exe	Abpcon32.exe
PID 2868 wrote to memory of 4308	2868	Acocaf32.exe	Abpcon32.exe
PID 4308 wrote to memory of 876	4308	Abpcon32.exe	Ahmlgd32.exe
PID 4308 wrote to memory of 876	4308	Abpcon32.exe	Ahmlgd32.exe
PID 4308 wrote to memory of 876	4308	Abpcon32.exe	Ahmlgd32.exe
PID 876 wrote to memory of 4032	876	Ahmlgd32.exe	Abbpem32.exe
PID 876 wrote to memory of 4032	876	Ahmlgd32.exe	Abbpem32.exe
PID 876 wrote to memory of 4032	876	Ahmlgd32.exe	Abbpem32.exe
PID 4032 wrote to memory of 1896	4032	Abbpem32.exe	Alkdnboj.exe
PID 4032 wrote to memory of 1896	4032	Abbpem32.exe	Alkdnboj.exe
PID 4032 wrote to memory of 1896	4032	Abbpem32.exe	Alkdnboj.exe
PID 1896 wrote to memory of 2480	1896	Alkdnboj.exe	Bahmfj32.exe
PID 1896 wrote to memory of 2480	1896	Alkdnboj.exe	Bahmfj32.exe
PID 1896 wrote to memory of 2480	1896	Alkdnboj.exe	Bahmfj32.exe
PID 2480 wrote to memory of 4528	2480	Bahmfj32.exe	Bhaebcen.exe

C:\Users\Admin\AppData\Local\Temp\35741ffd5d19f9d988ae7240a1e8bf40_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\35741ffd5d19f9d988ae7240a1e8bf40_NeikiAnalytics.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3700
- C:\Windows\SysWOW64\Pnbbbabh.exe
  C:\Windows\system32\Pnbbbabh.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1252
- - C:\Windows\SysWOW64\Pcojkhap.exe
    C:\Windows\system32\Pcojkhap.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2636
  - - C:\Windows\SysWOW64\Pkfblfab.exe
      C:\Windows\system32\Pkfblfab.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4896
    - - C:\Windows\SysWOW64\Pndohaqe.exe
        
        C:\Windows\system32\Pndohaqe.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4028
      - C:\Windows\SysWOW64\Pengdk32.exe
        
        C:\Windows\system32\Pengdk32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4840
        
        C:\Windows\SysWOW64\Pbbgnpgl.exe
        
        C:\Windows\system32\Pbbgnpgl.exe
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4428
        
        C:\Windows\SysWOW64\Pkjlge32.exe
        
        C:\Windows\system32\Pkjlge32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4940
        
        C:\Windows\SysWOW64\Pbddcoei.exe
        
        C:\Windows\system32\Pbddcoei.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4684
        
        C:\Windows\SysWOW64\Qgallfcq.exe
        
        C:\Windows\system32\Qgallfcq.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4516
        
        C:\Windows\SysWOW64\Qajadlja.exe
        
        C:\Windows\system32\Qajadlja.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1996
        
        C:\Windows\SysWOW64\Qgciaf32.exe
        
        C:\Windows\system32\Qgciaf32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2740
        
        C:\Windows\SysWOW64\Aegikj32.exe
        
        C:\Windows\system32\Aegikj32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3956
        
        C:\Windows\SysWOW64\Ajdbcano.exe
        
        C:\Windows\system32\Ajdbcano.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1080
        
        C:\Windows\SysWOW64\Aejfpjne.exe
        
        C:\Windows\system32\Aejfpjne.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2824
        
        C:\Windows\SysWOW64\Abngjnmo.exe
        
        C:\Windows\system32\Abngjnmo.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2280
        
        C:\Windows\SysWOW64\Acocaf32.exe
        
        C:\Windows\system32\Acocaf32.exe
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2868
        
        C:\Windows\SysWOW64\Abpcon32.exe
        
        C:\Windows\system32\Abpcon32.exe
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4308
        
        C:\Windows\SysWOW64\Ahmlgd32.exe
        
        C:\Windows\system32\Ahmlgd32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:876
        
        C:\Windows\SysWOW64\Abbpem32.exe
        
        C:\Windows\system32\Abbpem32.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4032
        
        C:\Windows\SysWOW64\Alkdnboj.exe
        
        C:\Windows\system32\Alkdnboj.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1896
        
        C:\Windows\SysWOW64\Bahmfj32.exe
        
        C:\Windows\system32\Bahmfj32.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2480
        
        C:\Windows\SysWOW64\Bhaebcen.exe
        
        C:\Windows\system32\Bhaebcen.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4528
        
        C:\Windows\SysWOW64\Beeflhdh.exe
        
        C:\Windows\system32\Beeflhdh.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1400
        
        C:\Windows\SysWOW64\Bhdbhcck.exe
        
        C:\Windows\system32\Bhdbhcck.exe
        25⤵
        Executes dropped EXE
        
        PID:1824
        
        C:\Windows\SysWOW64\Bnnjen32.exe
        
        C:\Windows\system32\Bnnjen32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3464
        
        C:\Windows\SysWOW64\Behbag32.exe
        
        C:\Windows\system32\Behbag32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2080
        
        C:\Windows\SysWOW64\Bjdkjo32.exe
        
        C:\Windows\system32\Bjdkjo32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1268
        
        C:\Windows\SysWOW64\Baocghgi.exe
        
        C:\Windows\system32\Baocghgi.exe
        29⤵
        Executes dropped EXE
        
        PID:1052
        
        C:\Windows\SysWOW64\Bobcpmfc.exe
        
        C:\Windows\system32\Bobcpmfc.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3504
        
        C:\Windows\SysWOW64\Bemlmgnp.exe
        
        C:\Windows\system32\Bemlmgnp.exe
        31⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4492
        
        C:\Windows\SysWOW64\Blfdia32.exe
        
        C:\Windows\system32\Blfdia32.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4672
        
        C:\Windows\SysWOW64\Ceoibflm.exe
        
        C:\Windows\system32\Ceoibflm.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3064
        
        C:\Windows\SysWOW64\Chmeobkq.exe
        
        C:\Windows\system32\Chmeobkq.exe
        34⤵
        Executes dropped EXE
        
        PID:4480
        
        C:\Windows\SysWOW64\Cogmkl32.exe
        
        C:\Windows\system32\Cogmkl32.exe
        35⤵
        Executes dropped EXE
        
        PID:4384
        
        C:\Windows\SysWOW64\Ceaehfjj.exe
        
        C:\Windows\system32\Ceaehfjj.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3192
        
        C:\Windows\SysWOW64\Clkndpag.exe
        
        C:\Windows\system32\Clkndpag.exe
        37⤵
        Executes dropped EXE
        
        PID:3832
        
        C:\Windows\SysWOW64\Cbefaj32.exe
        
        C:\Windows\system32\Cbefaj32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4588
        
        C:\Windows\SysWOW64\Cdfbibnb.exe
        
        C:\Windows\system32\Cdfbibnb.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4476
        
        C:\Windows\SysWOW64\Colffknh.exe
        
        C:\Windows\system32\Colffknh.exe
        40⤵
        Executes dropped EXE
        
        PID:2696
        
        C:\Windows\SysWOW64\Chdkoa32.exe
        
        C:\Windows\system32\Chdkoa32.exe
        41⤵
        Executes dropped EXE
        
        PID:4304
        
        C:\Windows\SysWOW64\Ckcgkldl.exe
        
        C:\Windows\system32\Ckcgkldl.exe
        42⤵
        Executes dropped EXE
        
        PID:2924
        
        C:\Windows\SysWOW64\Cbjoljdo.exe
        
        C:\Windows\system32\Cbjoljdo.exe
        43⤵
        Executes dropped EXE
        
        PID:1712
        
        C:\Windows\SysWOW64\Ckedalaj.exe
        
        C:\Windows\system32\Ckedalaj.exe
        44⤵
        Executes dropped EXE
        
        PID:624
        
        C:\Windows\SysWOW64\Dbllbibl.exe
        
        C:\Windows\system32\Dbllbibl.exe
        45⤵
        Executes dropped EXE
        
        PID:3820
        
        C:\Windows\SysWOW64\Ddmhja32.exe
        
        C:\Windows\system32\Ddmhja32.exe
        46⤵
        Executes dropped EXE
        
        PID:4608
        
        C:\Windows\SysWOW64\Dboigi32.exe
        
        C:\Windows\system32\Dboigi32.exe
        47⤵
        Executes dropped EXE
        
        PID:936
        
        C:\Windows\SysWOW64\Dhkapp32.exe
        
        C:\Windows\system32\Dhkapp32.exe
        48⤵
        Executes dropped EXE
        
        PID:2972
        
        C:\Windows\SysWOW64\Dkjmlk32.exe
        
        C:\Windows\system32\Dkjmlk32.exe
        49⤵
        Executes dropped EXE
        
        PID:4364
        
        C:\Windows\SysWOW64\Ddbbeade.exe
        
        C:\Windows\system32\Ddbbeade.exe
        50⤵
        Executes dropped EXE
        
        PID:440
        
        C:\Windows\SysWOW64\Dkljak32.exe
        
        C:\Windows\system32\Dkljak32.exe
        51⤵
        Executes dropped EXE
        
        PID:3344
        
        C:\Windows\SysWOW64\Dafbne32.exe
        
        C:\Windows\system32\Dafbne32.exe
        52⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2464
        
        C:\Windows\SysWOW64\Dhpjkojk.exe
        
        C:\Windows\system32\Dhpjkojk.exe
        53⤵
        Executes dropped EXE
        
        PID:4936
        
        C:\Windows\SysWOW64\Dojcgi32.exe
        
        C:\Windows\system32\Dojcgi32.exe
        54⤵
        Executes dropped EXE
        
        PID:856
        
        C:\Windows\SysWOW64\Dahode32.exe
        
        C:\Windows\system32\Dahode32.exe
        55⤵
        Executes dropped EXE
        
        PID:3436
        
        C:\Windows\SysWOW64\Dlncan32.exe
        
        C:\Windows\system32\Dlncan32.exe
        56⤵
        Executes dropped EXE
        
        PID:5004
        
        C:\Windows\SysWOW64\Eolpmi32.exe
        
        C:\Windows\system32\Eolpmi32.exe
        57⤵
        Executes dropped EXE
        
        PID:4908
        
        C:\Windows\SysWOW64\Edihepnm.exe
        
        C:\Windows\system32\Edihepnm.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:640
        
        C:\Windows\SysWOW64\Ecjhcg32.exe
        
        C:\Windows\system32\Ecjhcg32.exe
        59⤵
        Executes dropped EXE
        
        PID:4392
        
        C:\Windows\SysWOW64\Edkdkplj.exe
        
        C:\Windows\system32\Edkdkplj.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3060
        
        C:\Windows\SysWOW64\Ekemhj32.exe
        
        C:\Windows\system32\Ekemhj32.exe
        61⤵
        Executes dropped EXE
        
        PID:632
        
        C:\Windows\SysWOW64\Ednaqo32.exe
        
        C:\Windows\system32\Ednaqo32.exe
        62⤵
        Executes dropped EXE
        
        PID:1596
        
        C:\Windows\SysWOW64\Ekhjmiad.exe
        
        C:\Windows\system32\Ekhjmiad.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4296
        
        C:\Windows\SysWOW64\Eabbjc32.exe
        
        C:\Windows\system32\Eabbjc32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3804
        
        C:\Windows\SysWOW64\Edpnfo32.exe
        
        C:\Windows\system32\Edpnfo32.exe
        65⤵
        Executes dropped EXE
        
        PID:2072
        
        C:\Windows\SysWOW64\Eadopc32.exe
        
        C:\Windows\system32\Eadopc32.exe
        66⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2996
        
        C:\Windows\SysWOW64\Fljcmlfd.exe
        
        C:\Windows\system32\Fljcmlfd.exe
        67⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\Fcckif32.exe
        
        C:\Windows\system32\Fcckif32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1320
        
        C:\Windows\SysWOW64\Febgea32.exe
        
        C:\Windows\system32\Febgea32.exe
        69⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\Fojlngce.exe
        
        C:\Windows\system32\Fojlngce.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4784
        
        C:\Windows\SysWOW64\Ffddka32.exe
        
        C:\Windows\system32\Ffddka32.exe
        71⤵
        
        PID:3220
        
        C:\Windows\SysWOW64\Fhcpgmjf.exe
        
        C:\Windows\system32\Fhcpgmjf.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4424
        
        C:\Windows\SysWOW64\Flnlhk32.exe
        
        C:\Windows\system32\Flnlhk32.exe
        73⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\Fchddejl.exe
        
        C:\Windows\system32\Fchddejl.exe
        74⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\Fdialn32.exe
        
        C:\Windows\system32\Fdialn32.exe
        75⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\Fkciihgg.exe
        
        C:\Windows\system32\Fkciihgg.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2988
        
        C:\Windows\SysWOW64\Fckajehi.exe
        
        C:\Windows\system32\Fckajehi.exe
        77⤵
        Drops file in System32 directory
        
        PID:3168
        
        C:\Windows\SysWOW64\Fdlnbm32.exe
        
        C:\Windows\system32\Fdlnbm32.exe
        78⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\Flceckoj.exe
        
        C:\Windows\system32\Flceckoj.exe
        79⤵
        
        PID:948
        
        C:\Windows\SysWOW64\Fbpnkama.exe
        
        C:\Windows\system32\Fbpnkama.exe
        80⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\Fhjfhl32.exe
        
        C:\Windows\system32\Fhjfhl32.exe
        81⤵
        Modifies registry class
        
        PID:3684
        
        C:\Windows\SysWOW64\Gcojed32.exe
        
        C:\Windows\system32\Gcojed32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4804
        
        C:\Windows\SysWOW64\Gfngap32.exe
        
        C:\Windows\system32\Gfngap32.exe
        83⤵
        
        PID:3896
        
        C:\Windows\SysWOW64\Gcagkdba.exe
        
        C:\Windows\system32\Gcagkdba.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2836
        
        C:\Windows\SysWOW64\Gfpcgpae.exe
        
        C:\Windows\system32\Gfpcgpae.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4756
        
        C:\Windows\SysWOW64\Gmjlcj32.exe
        
        C:\Windows\system32\Gmjlcj32.exe
        86⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4584
        
        C:\Windows\SysWOW64\Gdeqhl32.exe
        
        C:\Windows\system32\Gdeqhl32.exe
        87⤵
        Drops file in System32 directory
        
        PID:1364
        
        C:\Windows\SysWOW64\Gmoeoidl.exe
        
        C:\Windows\system32\Gmoeoidl.exe
        88⤵
        Modifies registry class
        
        PID:1836
        
        C:\Windows\SysWOW64\Gcimkc32.exe
        
        C:\Windows\system32\Gcimkc32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5124
        
        C:\Windows\SysWOW64\Gfgjgo32.exe
        
        C:\Windows\system32\Gfgjgo32.exe
        90⤵
        
        PID:5204
        
        C:\Windows\SysWOW64\Hopnqdan.exe
        
        C:\Windows\system32\Hopnqdan.exe
        91⤵
        
        PID:5252
        
        C:\Windows\SysWOW64\Hckjacjg.exe
        
        C:\Windows\system32\Hckjacjg.exe
        92⤵
        
        PID:5328
        
        C:\Windows\SysWOW64\Helfik32.exe
        
        C:\Windows\system32\Helfik32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5368
        
        C:\Windows\SysWOW64\Hmcojh32.exe
        
        C:\Windows\system32\Hmcojh32.exe
        94⤵
        
        PID:5424
        
        C:\Windows\SysWOW64\Hobkfd32.exe
        
        C:\Windows\system32\Hobkfd32.exe
        95⤵
        Drops file in System32 directory
        
        PID:5460
        
        C:\Windows\SysWOW64\Hbpgbo32.exe
        
        C:\Windows\system32\Hbpgbo32.exe
        96⤵
        
        PID:5508
        
        C:\Windows\SysWOW64\Heocnk32.exe
        
        C:\Windows\system32\Heocnk32.exe
        97⤵
        
        PID:5556
        
        C:\Windows\SysWOW64\Hmfkoh32.exe
        
        C:\Windows\system32\Hmfkoh32.exe
        98⤵
        Modifies registry class
        
        PID:5600
        
        C:\Windows\SysWOW64\Hcpclbfa.exe
        
        C:\Windows\system32\Hcpclbfa.exe
        99⤵
        
        PID:5648
        
        C:\Windows\SysWOW64\Hfnphn32.exe
        
        C:\Windows\system32\Hfnphn32.exe
        100⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5708
        
        C:\Windows\SysWOW64\Hmhhehlb.exe
        
        C:\Windows\system32\Hmhhehlb.exe
        101⤵
        Modifies registry class
        
        PID:5752
        
        C:\Windows\SysWOW64\Hofdacke.exe
        
        C:\Windows\system32\Hofdacke.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5792
        
        C:\Windows\SysWOW64\Hbeqmoji.exe
        
        C:\Windows\system32\Hbeqmoji.exe
        103⤵
        
        PID:5832
        
        C:\Windows\SysWOW64\Hecmijim.exe
        
        C:\Windows\system32\Hecmijim.exe
        104⤵
        
        PID:5872
        
        C:\Windows\SysWOW64\Hmjdjgjo.exe
        
        C:\Windows\system32\Hmjdjgjo.exe
        105⤵
        Modifies registry class
        
        PID:5920
        
        C:\Windows\SysWOW64\Hoiafcic.exe
        
        C:\Windows\system32\Hoiafcic.exe
        106⤵
        Modifies registry class
        
        PID:5964
        
        C:\Windows\SysWOW64\Hbgmcnhf.exe
        
        C:\Windows\system32\Hbgmcnhf.exe
        107⤵
        
        PID:6004
        
        C:\Windows\SysWOW64\Ikpaldog.exe
        
        C:\Windows\system32\Ikpaldog.exe
        108⤵
        
        PID:6048
        
        C:\Windows\SysWOW64\Icgjmapi.exe
        
        C:\Windows\system32\Icgjmapi.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6092
        
        C:\Windows\SysWOW64\Ifefimom.exe
        
        C:\Windows\system32\Ifefimom.exe
        110⤵
        Drops file in System32 directory
        
        PID:6136
        
        C:\Windows\SysWOW64\Iicbehnq.exe
        
        C:\Windows\system32\Iicbehnq.exe
        111⤵
        Drops file in System32 directory
        
        PID:5200
        
        C:\Windows\SysWOW64\Icifbang.exe
        
        C:\Windows\system32\Icifbang.exe
        112⤵
        Drops file in System32 directory
        
        PID:5308
        
        C:\Windows\SysWOW64\Ifgbnlmj.exe
        
        C:\Windows\system32\Ifgbnlmj.exe
        113⤵
        
        PID:5360
        
        C:\Windows\SysWOW64\Iifokh32.exe
        
        C:\Windows\system32\Iifokh32.exe
        114⤵
        
        PID:5468
        
        C:\Windows\SysWOW64\Imakkfdg.exe
        
        C:\Windows\system32\Imakkfdg.exe
        115⤵
        
        PID:5548
        
        C:\Windows\SysWOW64\Ildkgc32.exe
        
        C:\Windows\system32\Ildkgc32.exe
        116⤵
        
        PID:5588
        
        C:\Windows\SysWOW64\Ickchq32.exe
        
        C:\Windows\system32\Ickchq32.exe
        117⤵
        Drops file in System32 directory
        
        PID:5680
        
        C:\Windows\SysWOW64\Ifjodl32.exe
        
        C:\Windows\system32\Ifjodl32.exe
        118⤵
        
        PID:5760
        
        C:\Windows\SysWOW64\Iihkpg32.exe
        
        C:\Windows\system32\Iihkpg32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5828
        
        C:\Windows\SysWOW64\Ipbdmaah.exe
        
        C:\Windows\system32\Ipbdmaah.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5928
        
        C:\Windows\SysWOW64\Ibqpimpl.exe
        
        C:\Windows\system32\Ibqpimpl.exe
        121⤵
        Modifies registry class
        
        PID:5984
        
        C:\Windows\SysWOW64\Iikhfg32.exe
        
        C:\Windows\system32\Iikhfg32.exe
        122⤵
        
        PID:6068
        
        C:\Windows\SysWOW64\Icplcpgo.exe
        
        C:\Windows\system32\Icplcpgo.exe
        123⤵
        Drops file in System32 directory
        
        PID:1260
        
        C:\Windows\SysWOW64\Jpgmha32.exe
        
        C:\Windows\system32\Jpgmha32.exe
        124⤵
        Drops file in System32 directory
        
        PID:5248
        
        C:\Windows\SysWOW64\Jlnnmb32.exe
        
        C:\Windows\system32\Jlnnmb32.exe
        125⤵
        
        PID:5448
        
        C:\Windows\SysWOW64\Jefbfgig.exe
        
        C:\Windows\system32\Jefbfgig.exe
        126⤵
        Drops file in System32 directory
        
        PID:5532
        
        C:\Windows\SysWOW64\Jplfcpin.exe
        
        C:\Windows\system32\Jplfcpin.exe
        127⤵
        
        PID:5632
        
        C:\Windows\SysWOW64\Jbjcolha.exe
        
        C:\Windows\system32\Jbjcolha.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5768
        
        C:\Windows\SysWOW64\Jehokgge.exe
        
        C:\Windows\system32\Jehokgge.exe
        129⤵
        Modifies registry class
        
        PID:5916
        
        C:\Windows\SysWOW64\Jeklag32.exe
        
        C:\Windows\system32\Jeklag32.exe
        130⤵
        
        PID:6080
        
        C:\Windows\SysWOW64\Jifhaenk.exe
        
        C:\Windows\system32\Jifhaenk.exe
        131⤵
        
        PID:5160
        
        C:\Windows\SysWOW64\Kfjhkjle.exe
        
        C:\Windows\system32\Kfjhkjle.exe
        132⤵
        
        PID:5516
        
        C:\Windows\SysWOW64\Kiidgeki.exe
        
        C:\Windows\system32\Kiidgeki.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5716
        
        C:\Windows\SysWOW64\Kpbmco32.exe
        
        C:\Windows\system32\Kpbmco32.exe
        134⤵
        
        PID:5864
        
        C:\Windows\SysWOW64\Kbaipkbi.exe
        
        C:\Windows\system32\Kbaipkbi.exe
        135⤵
        
        PID:6124
        
        C:\Windows\SysWOW64\Kepelfam.exe
        
        C:\Windows\system32\Kepelfam.exe
        136⤵
        
        PID:5404
        
        C:\Windows\SysWOW64\Kmfmmcbo.exe
        
        C:\Windows\system32\Kmfmmcbo.exe
        137⤵
        Drops file in System32 directory
        
        PID:5744
        
        C:\Windows\SysWOW64\Kdqejn32.exe
        
        C:\Windows\system32\Kdqejn32.exe
        138⤵
        Drops file in System32 directory
        
        PID:6032
        
        C:\Windows\SysWOW64\Kebbafoj.exe
        
        C:\Windows\system32\Kebbafoj.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5592
        
        C:\Windows\SysWOW64\Kpgfooop.exe
        
        C:\Windows\system32\Kpgfooop.exe
        140⤵
        Modifies registry class
        
        PID:5304
        
        C:\Windows\SysWOW64\Kfankifm.exe
        
        C:\Windows\system32\Kfankifm.exe
        141⤵
        
        PID:5544
        
        C:\Windows\SysWOW64\Klngdpdd.exe
        
        C:\Windows\system32\Klngdpdd.exe
        142⤵
        
        PID:6156
        
        C:\Windows\SysWOW64\Kdeoemeg.exe
        
        C:\Windows\system32\Kdeoemeg.exe
        143⤵
        Modifies registry class
        
        PID:6200
        
        C:\Windows\SysWOW64\Kefkme32.exe
        
        C:\Windows\system32\Kefkme32.exe
        144⤵
        
        PID:6240
        
        C:\Windows\SysWOW64\Kibgmdcn.exe
        
        C:\Windows\system32\Kibgmdcn.exe
        145⤵
        
        PID:6288
        
        C:\Windows\SysWOW64\Klqcioba.exe
        
        C:\Windows\system32\Klqcioba.exe
        146⤵
        
        PID:6332
        
        C:\Windows\SysWOW64\Kplpjn32.exe
        
        C:\Windows\system32\Kplpjn32.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6380
        
        C:\Windows\SysWOW64\Kdgljmcd.exe
        
        C:\Windows\system32\Kdgljmcd.exe
        148⤵
        
        PID:6424
        
        C:\Windows\SysWOW64\Leihbeib.exe
        
        C:\Windows\system32\Leihbeib.exe
        149⤵
        
        PID:6468
        
        C:\Windows\SysWOW64\Lmppcbjd.exe
        
        C:\Windows\system32\Lmppcbjd.exe
        150⤵
        Drops file in System32 directory
        
        PID:6512
        
        C:\Windows\SysWOW64\Lpnlpnih.exe
        
        C:\Windows\system32\Lpnlpnih.exe
        151⤵
        
        PID:6556
        
        C:\Windows\SysWOW64\Lbmhlihl.exe
        
        C:\Windows\system32\Lbmhlihl.exe
        152⤵
        
        PID:6600
        
        C:\Windows\SysWOW64\Lekehdgp.exe
        
        C:\Windows\system32\Lekehdgp.exe
        153⤵
        
        PID:6644
        
        C:\Windows\SysWOW64\Lpqiemge.exe
        
        C:\Windows\system32\Lpqiemge.exe
        154⤵
        
        PID:6692
        
        C:\Windows\SysWOW64\Lfkaag32.exe
        
        C:\Windows\system32\Lfkaag32.exe
        155⤵
        Modifies registry class
        
        PID:6736
        
        C:\Windows\SysWOW64\Liimncmf.exe
        
        C:\Windows\system32\Liimncmf.exe
        156⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6788
        
        C:\Windows\SysWOW64\Llgjjnlj.exe
        
        C:\Windows\system32\Llgjjnlj.exe
        157⤵
        Drops file in System32 directory
        
        PID:6864
        
        C:\Windows\SysWOW64\Lgmngglp.exe
        
        C:\Windows\system32\Lgmngglp.exe
        158⤵
        
        PID:6908
        
        C:\Windows\SysWOW64\Likjcbkc.exe
        
        C:\Windows\system32\Likjcbkc.exe
        159⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6952
        
        C:\Windows\SysWOW64\Lpebpm32.exe
        
        C:\Windows\system32\Lpebpm32.exe
        160⤵
        
        PID:6996
        
        C:\Windows\SysWOW64\Lgokmgjm.exe
        
        C:\Windows\system32\Lgokmgjm.exe
        161⤵
        
        PID:7028
        
        C:\Windows\SysWOW64\Lingibiq.exe
        
        C:\Windows\system32\Lingibiq.exe
        162⤵
        
        PID:7088
        
        C:\Windows\SysWOW64\Lllcen32.exe
        
        C:\Windows\system32\Lllcen32.exe
        163⤵
        
        PID:7132
        
        C:\Windows\SysWOW64\Mbfkbhpa.exe
        
        C:\Windows\system32\Mbfkbhpa.exe
        164⤵
        
        PID:6152
        
        C:\Windows\SysWOW64\Medgncoe.exe
        
        C:\Windows\system32\Medgncoe.exe
        165⤵
        
        PID:5496
        
        C:\Windows\SysWOW64\Mmlpoqpg.exe
        
        C:\Windows\system32\Mmlpoqpg.exe
        166⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6284
        
        C:\Windows\SysWOW64\Mpjlklok.exe
        
        C:\Windows\system32\Mpjlklok.exe
        167⤵
        
        PID:6344
        
        C:\Windows\SysWOW64\Mchhggno.exe
        
        C:\Windows\system32\Mchhggno.exe
        168⤵
        
        PID:6404
        
        C:\Windows\SysWOW64\Mibpda32.exe
        
        C:\Windows\system32\Mibpda32.exe
        169⤵
        
        PID:6460
        
        C:\Windows\SysWOW64\Mdjagjco.exe
        
        C:\Windows\system32\Mdjagjco.exe
        170⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6544
        
        C:\Windows\SysWOW64\Melnob32.exe
        
        C:\Windows\system32\Melnob32.exe
        171⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6612
        
        C:\Windows\SysWOW64\Mcpnhfhf.exe
        
        C:\Windows\system32\Mcpnhfhf.exe
        172⤵
        
        PID:6668
        
        C:\Windows\SysWOW64\Menjdbgj.exe
        
        C:\Windows\system32\Menjdbgj.exe
        173⤵
        
        PID:6784
        
        C:\Windows\SysWOW64\Mnebeogl.exe
        
        C:\Windows\system32\Mnebeogl.exe
        174⤵
        Modifies registry class
        
        PID:6848
        
        C:\Windows\SysWOW64\Nepgjaeg.exe
        
        C:\Windows\system32\Nepgjaeg.exe
        175⤵
        Modifies registry class
        
        PID:6896
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        176⤵
        
        PID:6968
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        177⤵
        Drops file in System32 directory
        
        PID:7044
        
        C:\Windows\SysWOW64\Ndcdmikd.exe
        
        C:\Windows\system32\Ndcdmikd.exe
        178⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7116
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        179⤵
        Modifies registry class
        
        PID:6168
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        180⤵
        
        PID:6252
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        181⤵
        Modifies registry class
        
        PID:6420
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        182⤵
        Drops file in System32 directory
        
        PID:6488
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        183⤵
        Modifies registry class
        
        PID:6596
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        184⤵
        
        PID:6676
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        185⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6704
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        186⤵
        
        PID:6940
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        187⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7068
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        188⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7164
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        189⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6328
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        190⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6536
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        191⤵
        
        PID:6656
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        192⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6932
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        193⤵
        
        PID:7016
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        194⤵
        Drops file in System32 directory
        
        PID:6248
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        195⤵
        
        PID:6724
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        196⤵
        
        PID:7020
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        197⤵
        Modifies registry class
        
        PID:6448
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        198⤵
        
        PID:6548
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        199⤵
        
        PID:6664
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        200⤵
        Drops file in System32 directory
        
        PID:7204
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        201⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7244
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        202⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7292
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        203⤵
        
        PID:7336
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        204⤵
        Modifies registry class
        
        PID:7376
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        205⤵
        
        PID:7424
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        206⤵
        Modifies registry class
        
        PID:7468
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        207⤵
        Modifies registry class
        
        PID:7508
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        208⤵
        
        PID:7548
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        209⤵
        Modifies registry class
        
        PID:7600
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        210⤵
        
        PID:7644
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        211⤵
        Modifies registry class
        
        PID:7684
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        212⤵
        
        PID:7732
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        213⤵
        
        PID:7776
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        214⤵
        Modifies registry class
        
        PID:7820
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        215⤵
        
        PID:7868
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        216⤵
        
        PID:7908
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        217⤵
        
        PID:7948
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        218⤵
        
        PID:7992
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        219⤵
        
        PID:8040
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        220⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:8084
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        221⤵
        
        PID:8124
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        222⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:8168
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        223⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6324
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        224⤵
        
        PID:7236
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        225⤵
        Modifies registry class
        
        PID:7332
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        226⤵
        
        PID:7372
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        227⤵
        Modifies registry class
        
        PID:7408
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        228⤵
        Modifies registry class
        
        PID:7516
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        229⤵
        
        PID:7588
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        230⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7672
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        231⤵
        
        PID:7720
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        232⤵
        
        PID:7828
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        233⤵
        
        PID:7916
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        234⤵
        
        PID:8016
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        235⤵
        
        PID:8112
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        236⤵
        Drops file in System32 directory
        
        PID:8188
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        237⤵
        Drops file in System32 directory
        
        PID:7240
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        238⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6892
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        239⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7432
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        240⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7572
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        241⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7656
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        242⤵
        
        PID:7796
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        243⤵
        Modifies registry class
        
        PID:7936
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        244⤵
        
        PID:8076
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        245⤵
        Modifies registry class
        
        PID:7216
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        246⤵
        
        PID:7388
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        247⤵
        
        PID:7500
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        248⤵
        
        PID:7772
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        249⤵
        Modifies registry class
        
        PID:8024
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        250⤵
        
        PID:7172
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        251⤵
        Modifies registry class
        
        PID:7368
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        252⤵
        
        PID:7728
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        253⤵
        Modifies registry class
        
        PID:8068
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        254⤵
        
        PID:7676
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        255⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:8008
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        256⤵
        
        PID:7632
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        257⤵
        Modifies registry class
        
        PID:7460
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        258⤵
        Drops file in System32 directory
        
        PID:8240
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        259⤵
        Drops file in System32 directory
        
        PID:8284
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        260⤵
        
        PID:8332
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        261⤵
        Modifies registry class
        
        PID:8388
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        262⤵
        
        PID:8428
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        263⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:8476
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        264⤵
        Modifies registry class
        
        PID:8524
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        265⤵
        
        PID:8560
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        266⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:8600
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        267⤵
        Modifies registry class
        
        PID:8652
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        268⤵
        
        PID:8700
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        269⤵
        
        PID:8740
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        270⤵
        
        PID:8792
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        271⤵
        
        PID:8828
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        272⤵
        Modifies registry class
        
        PID:8880
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        273⤵
        
        PID:8916
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        274⤵
        Drops file in System32 directory
        
        PID:8968
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        275⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9008
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        276⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9052
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        277⤵
        
        PID:9092
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        278⤵
        
        PID:9132
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        279⤵
        
        PID:9176
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        280⤵
        
        PID:7356
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        281⤵
        
        PID:8248
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        282⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8316
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        283⤵
        Drops file in System32 directory
        
        PID:8384
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        284⤵
        Modifies registry class
        
        PID:8456
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        285⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:8568
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        286⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8592
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        287⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8676
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        288⤵
        
        PID:8488
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        289⤵
        
        PID:8764
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        290⤵
        
        PID:8844
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        291⤵
        Drops file in System32 directory
        
        PID:8904
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        292⤵
        
        PID:8976
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        293⤵
        
        PID:9060
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        294⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9116
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        295⤵
        
        PID:9188
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        296⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8208
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        297⤵
        
        PID:8376
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        298⤵
        
        PID:8448
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        299⤵
        
        PID:8556
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        300⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8352
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        301⤵
        
        PID:8736
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        302⤵
        
        PID:8888
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        303⤵
        
        PID:9072
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        304⤵
        
        PID:9120
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        305⤵
        Drops file in System32 directory
        
        PID:6400
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        306⤵
        
        PID:8328
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        307⤵
        
        PID:8608
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        308⤵
        Drops file in System32 directory
        
        PID:8300
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        309⤵
        
        PID:8852
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        310⤵
        
        PID:8992
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        311⤵
        Drops file in System32 directory
        
        PID:8228
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        312⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:8512
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        313⤵
        
        PID:8680
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        314⤵
        
        PID:8924
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8924 -s 396
        315⤵
        Program crash
        
        PID:8724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 8924 -ip 8924
1⤵
PID:8276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Abbpem32.exe

Filesize
128KB

MD5
f0e7b46f70852eb26fec689f3f7e5c66

SHA1
984ff75710da0d7928742d900efc40e78e4e29d3

SHA256
811c47380e6cbfa12f8ab1e0e0925b85f8d50fac519fce6e3afacbb4cb6f48b7

SHA512
70e63336410fbc334a16e7f598d9669a08911086cc336d23b4925d091bb2d75dffe03c639aa4582f424b45e32846914db467fa52bf2be9e3c1f8a6d2069ae229

Download Submit
C:\Windows\SysWOW64\Abngjnmo.exe

Filesize
128KB

MD5
d98737d3784f35367f60db657b15b76b

SHA1
6a5adaa5823cce170a3fc86628a480df79b5fdc1

SHA256
b1ff9ce62a42d7da329a9eb2a4126839792d21fda994011e2eb80175d5d3e3de

SHA512
87f94bee00c81b2d3a681a06799872f0e9bfbc99c30622e2495a67172a87c6379626eedd6236f4eca98f905c314807f14a4515a7fbe1556a7d83e096d5bbab31

Download Submit
C:\Windows\SysWOW64\Abpcon32.exe

Filesize
128KB

MD5
7d23f0a523673d6c906688419ec0cba7

SHA1
cdd151bfcc348c393db69d46600f73995a3dddd4

SHA256
bcc90ea31b90dfa9b6a464e179995c659dd7480598ceb97042ae93bfefcc2725

SHA512
df03f6b667310ef607b593549fbc968ce9973e017a9f940b9740a550eb6a085bc89a12dc7663ecbc92793a117834fb8568e6e9599757c47e3043aa7752418016

Download Submit
C:\Windows\SysWOW64\Acocaf32.exe

Filesize
128KB

MD5
cbfaffa58650bea51e479824cb106b73

SHA1
24b98160a623a9fefe97a52f0feef40d2f4ebc3c

SHA256
1f120ee7fafb4142c5e2a81ed30af7c84c3452db27affaf12155b8c78acf172f

SHA512
2b23abb92a6af4d5ded83c84eb3e06969127a268bc83085090324be34c682a0e1c992d1cc203df32990478c92a4305a36d460f9904485c615b64a40353f20d2d

Download Submit
C:\Windows\SysWOW64\Aegikj32.exe

Filesize
128KB

MD5
a07cde244b8fa91c2745ff78e77d1b8b

SHA1
9c9304d11014793d43675ec03761808730c10fd2

SHA256
81da28af664a4b1652ee949280a7ad454689c84263094d975343c79e74e252bf

SHA512
49c417db3954a0a99301731ac4c0e918fc1d81893c7bbe3b523f1bc0e71b11be17203cef6706848597967bdcb0ad7bbef2d214ba66b4f053a4f20aa5c176f343

Download Submit
C:\Windows\SysWOW64\Aejfpjne.exe

Filesize
128KB

MD5
65df0a8883d9dae3fd0246d92d3612a0

SHA1
b6808feef6549073d31a81e3195f8b1466303e06

SHA256
c85eef625d86355e3d32440a3780a3d68eda0fd8ab283c74c8d456dc93d03252

SHA512
958b3b66c3179addbfefbe1e9df2afe0e76b83ba7d20bf20dfddaaff95f82f97afcff7611af053adf3681e4673677b9d9c49da9d19396faf0eb2a9e416bb01a7

Download Submit
C:\Windows\SysWOW64\Ahmlgd32.exe

Filesize
128KB

MD5
16bd29639580d237e30ba96bba45956c

SHA1
bbd5eb587bbc14bcdc84956f678ea1d4e51c8ffd

SHA256
4788c49b4afdbe350e0ae8f2cdbc1701c45c29803d3136ef792571a4bc5c4c43

SHA512
5bff1c4e74eb2c2e6c7fc28dd4fb112c202d26ed84ed4a52a464a33eb86d6837a88648a04da3868db1172a48946195e2bfd97b7faa4ec75816d88b2e306cfe6a

Download Submit
C:\Windows\SysWOW64\Ajdbcano.exe

Filesize
128KB

MD5
bc2c9c9b2f7ddd6463eee4f29c550da9

SHA1
a140284c68a4b95941b54bcaab976746df1d64a5

SHA256
ba23c0794777b31800832dac4edf3a64af80338b942b9ff43ea248450f927f4e

SHA512
10ca9f0851162f70cadfb99db6d0cf19ad6fafcc9a99f485e921a5cd98cfc18014570967c9ae2deb82440ff1c1ead75d5d2993dfcad56b036bc14a69ce0019a5

Download Submit
C:\Windows\SysWOW64\Alkdnboj.exe

Filesize
128KB

MD5
2d20b7a01961fbf0dba9a2e4119d4f8d

SHA1
5631fa3a467e07926445ab6a0ac0be611edbdbab

SHA256
2a8bebaa63747568bb8da3e73afde1f02fdf97518d80ad494abdd370b396ba09

SHA512
a0e7ec17b9d9cda4d367172c7bca13dd62c8ae79b5b50f2a28f714f55afbc56dc27867c7fae8712472f9e293c10ec4f8102e77106bad06b743029e3613f8e33e

Download Submit
C:\Windows\SysWOW64\Bahmfj32.exe

Filesize
128KB

MD5
b782c47341365503c0c5a49ab834c024

SHA1
97eed8a14a69f2b91dd517eb90eb96c94ddd48a8

SHA256
4e354a42c65e77e5c4eb73cffa1d91d524fc4e04df89ed3b175fbb05529a49b0

SHA512
5c01745177e286042fe1db49804fbe2b64e5d5810296da9e5073fba5de5d1a1eed07928e0dda861c7d3dff84a3a79322352992bca9dc21b6e8d0129e3aa4d644

Download Submit
C:\Windows\SysWOW64\Baocghgi.exe

Filesize
128KB

MD5
2d3207f01cf816e783c97f2f21d8a316

SHA1
7d4ca767ab4f80f3168bbf31b7e0ba5fb50dd7d1

SHA256
63bc9673302b0b13221cf5eb1deea6b9b6204756afc48b2e7483add311f75bc7

SHA512
a940ce2c3968eca1e54a494960581f48a94462d827edca0bae46d93847e7265c848bee5a10aa00850061589fb7d5510d30861079b63f68cb3f75637909bd4857

Download Submit
C:\Windows\SysWOW64\Beeflhdh.exe

Filesize
128KB

MD5
8ed3b8f374d3f0d604ae76eaf3ec0197

SHA1
6718d19d1ff282bf544e92d3a69f7d4d5dcf7f4c

SHA256
1c447389e99406ba5c12f4c3ed7c58b05564f64127394c3ef815cbe8b7d47d2a

SHA512
f80d10a9ab4746447f711da57bd4e53c29c027f96b833e4788ff3d6f4a316badc1c904d9da8b992660ab597ded88918c3918aae65f5bdaa220cd0843f25d75ce

Download Submit
C:\Windows\SysWOW64\Behbag32.exe

Filesize
128KB

MD5
7ee4164c366ed96f93007a9d646c1cd5

SHA1
0a382737c0088fcbcd0ecdaaf295b13f8b1ba324

SHA256
5e66d1f1c354ae863ba338be3b4033db5beef784e0897ef5728169c912ba473e

SHA512
a6769a3d6b4ec8bbb50eff01880dc9b88bb42ca6007d95093842f56452a0a12e672bbdaa257b6f80d8405c038959644093449b46d3a482fa78b0b4cdac7e8651

Download Submit
C:\Windows\SysWOW64\Bemlmgnp.exe

Filesize
128KB

MD5
0b1b1376e6a3bfaefb571517fe7199c3

SHA1
677500e979dd2ec0228d8d567a090619f322ac94

SHA256
3df78ee0fd9f6753a432c55f6a025c5eb2727f8f85fffec6298ebbb289680be8

SHA512
a7e451e26bec10a42fb3d18ea6da8e6644379c87551d6936380cf2818416120ee0396754c8afb72d5aeb0f6ae03f5f16cd31d2e490fa5d44cc1b50e5948488c4

Download Submit
C:\Windows\SysWOW64\Bhaebcen.exe

Filesize
128KB

MD5
a95886bb2a8059a5b9ed176b5cc5bb29

SHA1
4a0e479c2dee5c12a08609d91f33c4151d818b8a

SHA256
af00866b6e97c7e500d86207e7dfd366bd5b011b183994f50fe0897c679eedf7

SHA512
81b8e96ba15b667f21ce77d342a1acfff6bfe02cd8a37a05290369af493ea82c182e7d367c66dda37c88136c3a0dc67c9f633db858f0f7bdfe2a6d59ebbf89ba

Download Submit
C:\Windows\SysWOW64\Bhdbhcck.exe

Filesize
128KB

MD5
d59b617486484d4b15674e53c33a21db

SHA1
0f789474ce614f2bc85ea7b8d83f44b480d8273d

SHA256
91f256bdc8c99dd652f531cbdac722add765764ec7c3a443e137996388a3ad5b

SHA512
48e3d40ed74147875c4ec0b1505763ec6922d8826696d467ab59b079fa8999025d044ebe7df6cbb70a55e644feb9c79106b0b66c46d6e8e5a78c5b6551ca5d5f

Download Submit
C:\Windows\SysWOW64\Bjdkjo32.exe

Filesize
128KB

MD5
bff376d5717a32063e77143f6a92743d

SHA1
a0d515811e922f0b1d30d5f62a9afc7e3fdbd4bc

SHA256
071efb4e813030c9041ff80ab8ebb355348fb3a344f133e7ebd1f308348ec5f9

SHA512
771bbc4ca12dcbd49d215aff006fcd9479c838dd414df97789f929cbde350dde0e3d31f31d920e6ead59f124c63a9a3a37413f520f83b9c0928aaffce841f630

Download Submit
C:\Windows\SysWOW64\Blfdia32.exe

Filesize
128KB

MD5
1f718125a6d2b4be0e177f186de275e5

SHA1
24bdd69e5a173b227084743bdf4217df6b57e9c2

SHA256
4980e7ad89d555b9cbd9e4a567d79194f8b1c0ac5ec4f29ffac28998eb6b5b65

SHA512
83e3e6d8b01430a9105178adcd185bc55e5ed4180be08a8cb1d2360033d2f01c78f779e85d72022ef0ca3feb749352a956aff6c4787a18f5f33a32c26992ff0a

Download Submit
C:\Windows\SysWOW64\Bnnjen32.exe

Filesize
128KB

MD5
1f417c735ebd639443ef7b6a8746c286

SHA1
038d810ffd47a21ae2c7214bd5c5bc574762fd9b

SHA256
d5ea7250c3236890629e3d9fadd6c2def5fdc86c0fed2d1a335fe321ef10ff40

SHA512
761daf8ed4438b1cb8352e4abb6faab3a711651bbe2599b56ee840097549c79f6eb03d8dc7b8e64f46cf9f5c20f711a0c88f0e3c6a94bd0506c82251371d65d6

Download Submit
C:\Windows\SysWOW64\Bobcpmfc.exe

Filesize
128KB

MD5
0d1f8643c82a51030d41a8f4f3c2756c

SHA1
b18d8f72530e08118033c021104c502a3d8681bd

SHA256
5b116ce4ec4df3a22dbc951ee5b1ba2a7d1419786d5d1e17a3c0ea02f719fa16

SHA512
f45762a6c42a6d33ba44a024c096816035e951d1dd590fc575f3ba26fa9bd122bed9970677b041ead134a52ae763f603770ad21e675aee5dbb543327512a3bb7

Download Submit
C:\Windows\SysWOW64\Cbjoljdo.exe

Filesize
128KB

MD5
79658c71e5f85ed992795da30af8e95c

SHA1
9ce28eb551b799c8819c01ac4717c8225f470737

SHA256
971989d73368d0dc664358f5e6950d563ca9bb305ff777476211b249084086dc

SHA512
7209f66b2b1248b2ce43d2dd538fb67db4de51b4a60dc1a4282ced3cd405b21e73e7c02e72e503b3178a5ed8aa1802688a9e7547262927c067c163e75523fb65

Download Submit
C:\Windows\SysWOW64\Ceoibflm.exe

Filesize
128KB

MD5
c27aadf789131cb280cd45ddcf236e94

SHA1
62e5f71a1025d04d85d6be1b28e2ee7f0b104d5b

SHA256
843c63a294bdc4a932a806d235d2a6877fd3ba70f3f62d520171be8767efaee4

SHA512
50cafc39169cb7e4c219e6e76011a88a357568f10111797e9c9afb6da074025a3f6b2d00f042b712d2cd58952fc08190627b9b393b1d237d1a9810e4e66c4ecf

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
128KB

MD5
8e7b4883318ad80ad8acdc7491003f31

SHA1
54d078f7e0f4a96ba0393d82aafc043c81489e47

SHA256
42b21444b4c2859f585328352b0192f679623940380021e76ac736187d76bb99

SHA512
0b5fc63196be17ddd46a3ae84b5226128df48725f8596ec6ab62db964a2f3577ce4d04995655071db676b032a97f3e4e01d83c4f25a041b1a8d4dda415755b71

Download Submit
C:\Windows\SysWOW64\Ednaqo32.exe

Filesize
128KB

MD5
55e0527a053c93becbc7ec82b4a3f6f4

SHA1
fe6c109269f7bb6b9c5fa4c56b6c9607dd0d2c85

SHA256
d132cc04b77a33e7b01a49c539e6d1a009df0ec58884ba11dc95163fa9a57a09

SHA512
8cdf2324072b8dbdbb19d8092716cdca2bfbf2b4cb42ca3856936c9e4f0d306d6514cc79facd1f9595bfbb1b3833f1affec99d47d30bb4cf7c4eb3d87f1c3580

Download Submit
C:\Windows\SysWOW64\Gfgjgo32.exe

Filesize
128KB

MD5
a31f4a3312e298eb5086b6b09a8723ea

SHA1
04bc1cc59e31af5c508c877bfb41cc7550a0af6f

SHA256
d34b659b55bc20565eb3f93296aec3af1a0b36cfbbeca920ca60b57b47f26b4e

SHA512
02ab5e70a166d8e39fdcf5e0596b6dfbc1b0804d15ba76cb59ff81eaee294dbecf7d2bfab4e86305caf231703d3436386c18c95f06c1400abf33be48dcdd6f68

Download Submit
C:\Windows\SysWOW64\Hckjacjg.exe

Filesize
128KB

MD5
9a21c31f4da008bbf67a66e60d3df35a

SHA1
eb058c24c2c76f5c4c972cbc9c07aeb625a00252

SHA256
2cb4043ac55d3d648339dc57efd46d7c07801dcd0e32586a0416f36d82abf118

SHA512
186e562e37e4604f51a7bfa956fde458a8990d3e42589fe15e98532d2b381e4f1ddb915b09895cc991e8814a389fc5cb3aa7b98afb06890abc6b1b72aedaf6dc

Download Submit
C:\Windows\SysWOW64\Icplcpgo.exe

Filesize
128KB

MD5
c8f7d73a8da694228cb7a8eea81c7513

SHA1
880804604d03ce5909ffa9f39665c692834b768e

SHA256
d4c1647c6cd0094479580a5a525645f9617b12f4a9069c8caf8fb343b4c904e4

SHA512
1ab11791bc9e1cc7abcefaf3dcdbf5067143818bed6115f2c56c34ff242adf4b0c971ad1f0a758e8b2b9fe2c38cc225504b833468971656799a36393826854d1

Download Submit
C:\Windows\SysWOW64\Jpgmha32.exe

Filesize
128KB

MD5
a2b21a62aee21489f8932f29332930a7

SHA1
62ac3023e1077bc69b1181795107839db82722b0

SHA256
76547938edf30fb238665164803013070e1c0865a52b4636e4513a812553cbc2

SHA512
e7cb0111a9a3e415221799bb92c76ab2f0aad29b8933f873ae50e87c013e8def2a32ac2136aa233a9db92eeac9bab8bdd88c009b81463e93ad7d5143f7af7308

Download Submit
C:\Windows\SysWOW64\Kfankifm.exe

Filesize
128KB

MD5
37b983c156900a3068446516cb04b713

SHA1
65b27dbdb81217b4fd797b1b4d91ba75e4c8b204

SHA256
9e88c15d260100d18a6f0e4f4d753b4d4abf2c40321594693f0d206d5b231f72

SHA512
4d07475e020d4c828b02533f8b1f3d36336b08a9fd9cc4f2cdecb053318df307b242df90227edb7565649a885906915c2d8336d64fa19004cf47774091d78010

Download Submit
C:\Windows\SysWOW64\Kfjhkjle.exe

Filesize
128KB

MD5
32dcf578747a3e65bdc6166976277a9d

SHA1
895289d31557a5a9dc8d786b72d2725e23b7c4c0

SHA256
946dbf93d01b3eb17577a2bd5a04d5e7b19a45ed44944898308025e4ff1771eb

SHA512
a8937b701bf5a22baf3158a4780fe129d7af17086373d5efbc0edde71f41fe462550ccbd7a8f927243378a2199d5201c5f46a6c015c21f4d6ee23e37bd291493

Download Submit
C:\Windows\SysWOW64\Llgjjnlj.exe

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\SysWOW64\Melnob32.exe

Filesize
128KB

MD5
b1761250281b2447b3187287a069aa28

SHA1
ef1dc797633e6b7fa977f2a1d395d353784bdae0

SHA256
8a21f4e0d1643bc8b1c793c765db93c767f25bb9f3f28e5dd6c94ecf52213a00

SHA512
aa1612c3e04c005af44b0554da084841bf27f61b4f113b5c8923013852f07f0286a63079829c93f5f985af28475249d4956a143a263f17bec7c89fc40ce18c87

Download Submit
C:\Windows\SysWOW64\Ogifjcdp.exe

Filesize
128KB

MD5
0584dbb1fb6c419b994bb6ae815fdbd5

SHA1
3c8db162bd30aa9d6477edab5e8b1d90212c18ce

SHA256
02d47858db25472695a5f6ea1d22d970e07eccc727b557829936cc541be22e7d

SHA512
c634834e5983ccc4319b60f2ac94f8278ac616b0b9c12ff1a0d5ddef805c98d70dff027d2faf26943ce6c613d9f450bf1eb5aa50d579da57ad006c582d8442b7

Download Submit
C:\Windows\SysWOW64\Olmeci32.exe

Filesize
128KB

MD5
2497a6ed6fda394c9665ed5102501919

SHA1
6f29db97d147ffc955e375f3847671f0190c91d0

SHA256
6d25ef076218ae356bf4a780a7d81f562296f348cc48509f0d932eb297330334

SHA512
8b629127a36d0e4295eb79c9ab74dc9371f266a11d658ec34c8c184b3fffaca8cebd4760800eb2c7da37cee443def71ae0f05fe00231e1d951307c0eb285d004

Download Submit
C:\Windows\SysWOW64\Opakbi32.exe

Filesize
128KB

MD5
ad6c8d3b238eafb981cb74f762ad93e4

SHA1
75a110f0fb799aa4fbdaae02ac541b70655740f2

SHA256
4eae3c4d0948d1c31fc4b521f4935ce3ce961cb92784dd807c708b11edf32c18

SHA512
e8c43ee4e30da2fe522c52cea73f9b39c61bd788be1f6a63996c225cc74115dabb0d88f4366e8ef203f844f48aa01eb169f6d7b9d4cb3bc6b1e80481978c28b1

Download Submit
C:\Windows\SysWOW64\Pbbgnpgl.exe

Filesize
128KB

MD5
bae3e70430ea635adaa82350cfd1a6a8

SHA1
92d50be9465011636859222fb024215704082351

SHA256
f4fb30593e95590c8ae5dbdd010903639832a565d1df8e79a4a64d840333b753

SHA512
76d80fad55d0c84b430001f0ce5db97fa933cd6c5eca70658bcd3316d5328cf5017d417161d97ef9ddff4ed5f175f8a9cc56e045c261c5a1e38e451c6e1a0c34

Download Submit
C:\Windows\SysWOW64\Pbddcoei.exe

Filesize
128KB

MD5
2b449520605e17339ed8c22d2c4d0064

SHA1
556c0eba5e3aede8a244e375b366186a60260822

SHA256
880de3281dfdc8f8a2911846794cedf374dcca78373685d6dffba21313339696

SHA512
eab99fac53b38d81226e23127b98b1134a0b7e7b0ec78ff76a62e3b8d3380d1530e555ac7bcde5e21ff1b0c34617aed0d1b96ed44e21f62132f2499b59808e29

Download Submit
C:\Windows\SysWOW64\Pcojkhap.exe

Filesize
128KB

MD5
0bd49eba0358db8dfb5183e3ab3c8b4f

SHA1
a8ba39cccaeac78e57669d00c7c8fd50a51a53a8

SHA256
38e0455936fed1df26f3008b81bde1564603cf5d734850740b719d7653ff061c

SHA512
f25bc3ea9313e49b207738007a12335ba394b1c3826866c54ac5cf6d435297a7368b801897345dbca4a59b15dadafa888d41b44ed68721a02c17ebf8a8f9c9b6

Download Submit
C:\Windows\SysWOW64\Pengdk32.exe

Filesize
128KB

MD5
abb8476d2343bc54fd6cc5d070020c6b

SHA1
93bb7bdd0871816985d250be89a058309a33ff6e

SHA256
acdefd9f8e4337661b79632bb396fbf0269a08e64bed5de37532d9b694f22658

SHA512
4166a0e7ebe080bc019f2b9b34b9e419a89926089623108bf67cb37f2b6c1bc0177d018f49311bbbad2694535438f4e2186cef81307ef3c98180778bc015d5b8

Download Submit
C:\Windows\SysWOW64\Pfhfan32.exe

Filesize
128KB

MD5
8a41f4ac3d9cd19876062154d5c434d1

SHA1
7fcec58e74bced89e30c35cd35485fa9c870d870

SHA256
8bba1e5221de88da3c76da4d4f9c548af72af49f987459e6578b75ba291835af

SHA512
20d45767bdefce4b6929b82ba0f1166648da02536c2e9d2a0baff7261e2b2aecde25208901f45a40f472f71e23f94cc6e374152ed6c66062c1d0f58a77f3f463

Download Submit
C:\Windows\SysWOW64\Pflplnlg.exe

Filesize
128KB

MD5
7c6371ed09f7e11075b9c02afe849150

SHA1
61d412511b89b52fbfc520c4dc84d934b72ce976

SHA256
e99720597a24d8f9664206e9358d62f4f73d780f0d665e145a77c982da146011

SHA512
dd43829390ef64c2d8f0667b4ebfdf453549dfdf683b0c4d16202bf27c3791b7ec44e89f81f3ef1b0722e132b01b354ceee199f04e82164b3f61e7553fa28c00

Download Submit
C:\Windows\SysWOW64\Pkfblfab.exe

Filesize
128KB

MD5
461742002f0fb61400daf25fc8385f0f

SHA1
11667ccd617875f72174b7200711407d3a688cf8

SHA256
01b4a1330d6b89c34a8ab60a28d2c5ecf60b6a23e626aafae521f6d001c82211

SHA512
1ddd5effcdf4e53324c9ff3c845c474b4eeb6210d819c541d8a63ca1ff2a920dafd1679c742321741fac6eb30e921cde7201d3d681fc92ce9b655f58640664f0

Download Submit
C:\Windows\SysWOW64\Pkjlge32.exe

Filesize
128KB

MD5
8e56a2c0751e6735e324501ffd3a4e72

SHA1
a21e8e17d5153d996aeeede3656847bb5348189e

SHA256
9bc3e1631e101754d59ee22e178cf8d058932044f1c431782a6839abfbc18aac

SHA512
5e4f933adb6b1bd01cd0faca993b83f1e81a1c51190c861f8ee9ab7899adef612c28b45c7ad484e410ed7bcd436a40757caa425c6028b540d11869e61e18fcdd

Download Submit
C:\Windows\SysWOW64\Pnbbbabh.exe

Filesize
128KB

MD5
ce6b88d4f59fa468e138b91a7717e240

SHA1
913b344e74a0e4a7e086bd4f0f0b02a7a4df1598

SHA256
a0b9974a4149462125945069003d5579cde67fb663135bff3abc060188f17c71

SHA512
0b85e9ef4b8fbbc70ccd33b3037ef88ba0293d0338d72f8416ab53ad3d8d15e0c7880defbc8e2aa09ef1938a80e3772bf6700c0e643fa249befcb6436c14d2a1

Download Submit
C:\Windows\SysWOW64\Pndohaqe.exe

Filesize
128KB

MD5
6f39e881336b8b2b19183d78bb88c7bb

SHA1
547c4ba3eb2ee9fe4f827a7cbdffc8967b661d4d

SHA256
241222448fe3266f911f8f94d2b56c67eacf917b3735a52766d7f4f2fd39151e

SHA512
3294bf3fe9b18a45659cb436e8411d2a0b114101333791f6477d982f512fe7266b32c1eaecd26ef06a5b1dc9637bd83b4d85b8f3cc1eda5d0f7df597e8feeeb8

Download Submit
C:\Windows\SysWOW64\Qajadlja.exe

Filesize
128KB

MD5
14683319818cdb521d82e382a57ee5f2

SHA1
86ff9cb3b1e896a39bcaac2bb4b73f2a76fb4fd1

SHA256
9d361453cecc2633462ad7e5c06ed29547d89bf98c7183299912bb1aaa2144c4

SHA512
36e4b61a8236d6b05a17315b87d2a46801080aa2732df80f3239ef9729a63b1201d1a981ae725288e7eefb23d2a369641740e79b941e72a9a962d3bd35498467

Download Submit
C:\Windows\SysWOW64\Qgallfcq.exe

Filesize
128KB

MD5
f19215e941bae6a113d66c9960842cf9

SHA1
b08acb8d0fa519d83add660b83d5364523db2b22

SHA256
be5360096ec71fe84ff65c74c4fc516f12d9b1aa212b99de39f429a0dc949b64

SHA512
c0bd6bdd6e377ae77883760292f19fdb85b1dddca284baff75cdd284ce29f1b85d14fa131b1139f7fb559c16c9b8f9b1fc11d4f7da46e051f457c0065e79b623

Download Submit
C:\Windows\SysWOW64\Qgciaf32.exe

Filesize
128KB

MD5
7714e554cae143c92d56192e7808d560

SHA1
7aae44c3e165f4c3424bfdfe9b38f9624678c184

SHA256
28c2e27559a94e5d5a9aca9c64fe591b9807145e910b5c2842504eb5055dce67

SHA512
12dbd86f0133fa5705862b5981692497f5ada9075f654e0c04f4603b4382b3faa4ea6f763495e8766f85b27bfa37a1e2741f6fe4dc2ab1c637116c3686e48deb

Download Submit
memory/440-359-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/624-327-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/632-425-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/640-411-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/856-383-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/876-145-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/936-341-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/948-533-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1052-224-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1080-105-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1152-473-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1252-9-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1252-552-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1268-217-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1320-467-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1364-587-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1400-189-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1596-435-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1712-317-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1824-193-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1836-597-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1896-160-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1916-544-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1996-81-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2008-507-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2072-449-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2080-208-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2280-121-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2464-375-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2480-173-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2636-559-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2636-17-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2696-299-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2740-89-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2824-112-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2836-566-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2868-129-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2924-311-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2972-347-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2988-519-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2996-455-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3024-527-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3028-509-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3060-419-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3064-261-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3168-521-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3192-275-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3220-485-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3344-365-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3436-393-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3464-205-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3504-232-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3684-546-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3700-539-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3700-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/3700-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3804-447-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3820-329-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3832-281-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3896-560-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3956-96-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4028-572-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4028-33-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4032-153-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4296-437-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4304-309-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4308-136-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4364-353-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4384-274-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4392-413-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4424-491-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4428-48-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4428-586-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4476-293-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4480-267-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4492-241-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4500-497-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4516-72-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4528-176-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4584-585-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4588-287-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4608-335-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4672-248-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4684-599-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4684-65-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4756-577-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4784-479-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4804-557-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4840-583-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4840-40-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4896-29-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4908-405-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4936-381-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4940-61-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4984-461-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5004-395-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download