21ffaab39ff69094d48d38d4ca4f5882f3b19b694a4f824a8707172b402875ee

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
26-05-2024 01:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

49a4dfc5d5235abfa678bd124a302280_NeikiAnalytics.exe
Size

128KB
MD5

49a4dfc5d5235abfa678bd124a302280
SHA1

e0d06a9331b77e85b50fdd055a15369a677d8ae2
SHA256

21ffaab39ff69094d48d38d4ca4f5882f3b19b694a4f824a8707172b402875ee
SHA512

9c7d1ddc7e9504ecf41cdde58f189c40392184d09876f2f48b97751188bb8de6c0c2bf1197e8c14be664864e716506b7c7901f64762a9e888e01d341fef2e3f7
SSDEEP

3072:iMMQpf5lRb9eDCX3Q7c48Ga2/BhHmiImXJ2fYdV46nfPyxWhj8NCM/r:iMdf5lRBGgJ4BhHmNEcYj9nhV8NCU

Score

10^/10

backdoor dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Qgcbgo32.exeBcebhoii.exeKlqcioba.exeMipcob32.exeMdmnlj32.exeNdfqbhia.exeNfgmjqop.exeQqfmde32.exeCmqmma32.exeDodbbdbb.exeKefkme32.exeBeglgani.exeCeqnmpfo.exe49a4dfc5d5235abfa678bd124a302280_NeikiAnalytics.exePnonbk32.exePmidog32.exeBnbmefbg.exeCmiflbel.exeJcbihpel.exeKbceejpf.exeOcnjidkf.exePmoahijl.exePclgkb32.exeBapiabak.exeLfhdlh32.exeOfeilobp.exePcijeb32.exeAnfmjhmd.exeNjqmepik.exeOjjolnaq.exePqbdjfln.exeAfhohlbj.exeAgglboim.exeMlampmdo.exeQnhahj32.exeAeklkchg.exeAfmhck32.exeChokikeb.exeJmbdbd32.exeKdcbom32.exeKmkfhc32.exeOdocigqg.exePncgmkmj.exePcbmka32.exeLbjlfi32.exeNlmllkja.exeCegdnopg.exeNebdoa32.exeOcgmpccl.exeDmjocp32.exeMlopkm32.exeAjanck32.exeAeniabfd.exeJlkagbej.exeNpmagine.exeAnogiicl.exeNjefqo32.exePfjcgn32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Klqcioba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mipcob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdmnlj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndfqbhia.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfgmjqop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qqfmde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kefkme32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beglgani.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	49a4dfc5d5235abfa678bd124a302280_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnonbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmidog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jcbihpel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbceejpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocnjidkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmoahijl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pclgkb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lfhdlh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofeilobp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcijeb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mipcob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njqmepik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojjolnaq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqbdjfln.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afhohlbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agglboim.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlampmdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnhahj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afmhck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmbdbd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdcbom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmkfhc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odocigqg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pncgmkmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcbmka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kefkme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lbjlfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nlmllkja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nebdoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocgmpccl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlopkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajanck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeniabfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jlkagbej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npmagine.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	49a4dfc5d5235abfa678bd124a302280_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njefqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfjcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afhohlbj.exe

Malware Dropper & Backdoor - Berbew 64 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

Processes:

resource	yara_rule
behavioral2/memory/3300-0-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Iikhfg32.exe	family_berbew
behavioral2/memory/5032-9-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Ipdqba32.exe	family_berbew
behavioral2/memory/3316-17-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Jlkagbej.exe	family_berbew
behavioral2/memory/5080-29-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Jcbihpel.exe	family_berbew
behavioral2/memory/3904-36-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Jmknaell.exe	family_berbew
behavioral2/memory/4648-45-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Jcefno32.exe	family_berbew
behavioral2/memory/1360-49-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Jmmjgejj.exe	family_berbew
behavioral2/memory/3296-56-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Jfeopj32.exe	family_berbew
behavioral2/memory/3432-65-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Jpnchp32.exe	family_berbew
behavioral2/memory/2736-73-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Jblpek32.exe	family_berbew
behavioral2/memory/2252-81-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Jmbdbd32.exe	family_berbew
behavioral2/memory/1840-88-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Jcllonma.exe	family_berbew
behavioral2/memory/412-97-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Kiidgeki.exe	family_berbew
behavioral2/memory/1600-104-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Kdnidn32.exe	family_berbew
behavioral2/memory/4596-117-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Kfmepi32.exe	family_berbew
behavioral2/memory/1492-120-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Kmfmmcbo.exe	family_berbew
C:\Windows\SysWOW64\Kpeiioac.exe	family_berbew
behavioral2/memory/2456-141-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/memory/4360-133-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Kbceejpf.exe	family_berbew
behavioral2/memory/4868-149-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Kimnbd32.exe	family_berbew
C:\Windows\SysWOW64\Kdcbom32.exe	family_berbew
behavioral2/memory/5040-161-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Kedoge32.exe	family_berbew
behavioral2/memory/1952-158-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Kmkfhc32.exe	family_berbew
behavioral2/memory/4348-177-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/memory/2576-174-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Kdeoemeg.exe	family_berbew
behavioral2/memory/3232-185-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Kefkme32.exe	family_berbew
behavioral2/memory/2952-197-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Klqcioba.exe	family_berbew
behavioral2/memory/2756-201-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Lbjlfi32.exe	family_berbew
behavioral2/memory/4580-209-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Liddbc32.exe	family_berbew
behavioral2/memory/4864-217-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Llcpoo32.exe	family_berbew
behavioral2/memory/4316-224-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Lfhdlh32.exe	family_berbew
behavioral2/memory/2116-232-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Llemdo32.exe	family_berbew
behavioral2/memory/4968-241-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Lfkaag32.exe	family_berbew
behavioral2/memory/4536-253-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Lmdina32.exe	family_berbew

Executes dropped EXE 64 IoCs

Processes:

Iikhfg32.exeIpdqba32.exeJlkagbej.exeJcbihpel.exeJmknaell.exeJcefno32.exeJmmjgejj.exeJfeopj32.exeJpnchp32.exeJblpek32.exeJmbdbd32.exeJcllonma.exeKiidgeki.exeKdnidn32.exeKfmepi32.exeKmfmmcbo.exeKpeiioac.exeKbceejpf.exeKimnbd32.exeKdcbom32.exeKedoge32.exeKmkfhc32.exeKdeoemeg.exeKefkme32.exeKlqcioba.exeLbjlfi32.exeLiddbc32.exeLlcpoo32.exeLfhdlh32.exeLlemdo32.exeLfkaag32.exeLmdina32.exeLgmngglp.exeLmgfda32.exeLdanqkki.exeLingibiq.exeLmiciaaj.exeMbfkbhpa.exeMipcob32.exeMlopkm32.exeMchhggno.exeMibpda32.exeMlampmdo.exeMdhdajea.exeMeiaib32.exeMmpijp32.exeMcmabg32.exeMelnob32.exeMmbfpp32.exeMdmnlj32.exeMiifeq32.exeMlhbal32.exeNljofl32.exeNdaggimg.exeNebdoa32.exeNlmllkja.exeNgbpidjh.exeNjqmepik.exeNdfqbhia.exeNfgmjqop.exeNnneknob.exeNpmagine.exeNggjdc32.exeNjefqo32.exe

pid	process
5032	Iikhfg32.exe
3316	Ipdqba32.exe
5080	Jlkagbej.exe
3904	Jcbihpel.exe
4648	Jmknaell.exe
1360	Jcefno32.exe
3296	Jmmjgejj.exe
3432	Jfeopj32.exe
2736	Jpnchp32.exe
2252	Jblpek32.exe
1840	Jmbdbd32.exe
412	Jcllonma.exe
1600	Kiidgeki.exe
4596	Kdnidn32.exe
1492	Kfmepi32.exe
4360	Kmfmmcbo.exe
2456	Kpeiioac.exe
4868	Kbceejpf.exe
1952	Kimnbd32.exe
5040	Kdcbom32.exe
2576	Kedoge32.exe
4348	Kmkfhc32.exe
3232	Kdeoemeg.exe
2952	Kefkme32.exe
2756	Klqcioba.exe
4580	Lbjlfi32.exe
4864	Liddbc32.exe
4316	Llcpoo32.exe
2116	Lfhdlh32.exe
4968	Llemdo32.exe
4536	Lfkaag32.exe
2452	Lmdina32.exe
2208	Lgmngglp.exe
4148	Lmgfda32.exe
2132	Ldanqkki.exe
4708	Lingibiq.exe
744	Lmiciaaj.exe
1844	Mbfkbhpa.exe
4840	Mipcob32.exe
3004	Mlopkm32.exe
2244	Mchhggno.exe
3280	Mibpda32.exe
3956	Mlampmdo.exe
2680	Mdhdajea.exe
3204	Meiaib32.exe
880	Mmpijp32.exe
1160	Mcmabg32.exe
4108	Melnob32.exe
1784	Mmbfpp32.exe
3684	Mdmnlj32.exe
2768	Miifeq32.exe
2776	Mlhbal32.exe
1328	Nljofl32.exe
1488	Ndaggimg.exe
2476	Nebdoa32.exe
2516	Nlmllkja.exe
5068	Ngbpidjh.exe
4892	Njqmepik.exe
4296	Ndfqbhia.exe
316	Nfgmjqop.exe
2136	Nnneknob.exe
5024	Npmagine.exe
2836	Nggjdc32.exe
4988	Njefqo32.exe

Drops file in System32 directory 64 IoCs

Processes:

Odmgcgbi.exeAgglboim.exeJcbihpel.exeKmkfhc32.exeLingibiq.exeMipcob32.exeCajlhqjp.exeDknpmdfc.exeLfkaag32.exeMdmnlj32.exeAccfbokl.exeBjokdipf.exePfhfan32.exeKbceejpf.exePcbmka32.exeIikhfg32.exeCagobalc.exeDfiafg32.exeOcgmpccl.exeDaconoae.exeLlcpoo32.exeAeniabfd.exeKfmepi32.exeNdaggimg.exeBcoenmao.exeNebdoa32.exeQqfmde32.exeAfmhck32.exePfjcgn32.exeAjfhnjhq.exeBeglgani.exeJmmjgejj.exeMmpijp32.exeOcnjidkf.exePclgkb32.exeLmdina32.exeDelnin32.exeDkifae32.exeQddfkd32.exeAnfmjhmd.exeBffkij32.exeLfhdlh32.exeLmiciaaj.exeNljofl32.exeOdocigqg.exeNdfqbhia.exeCnkplejl.exeAndqdh32.exeKimnbd32.exeKdeoemeg.exeKlqcioba.exeMlampmdo.exeDmjocp32.exeOfqpqo32.exeJlkagbej.exeKdnidn32.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Ojjolnaq.exe	Odmgcgbi.exe
File created	C:\Windows\SysWOW64\Ickfifmb.dll	Agglboim.exe
File created	C:\Windows\SysWOW64\Jmknaell.exe	Jcbihpel.exe
File created	C:\Windows\SysWOW64\Kdeoemeg.exe	Kmkfhc32.exe
File created	C:\Windows\SysWOW64\Lmiciaaj.exe	Lingibiq.exe
File opened for modification	C:\Windows\SysWOW64\Mlopkm32.exe	Mipcob32.exe
File created	C:\Windows\SysWOW64\Cdhhdlid.exe	Cajlhqjp.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Lmdina32.exe	Lfkaag32.exe
File created	C:\Windows\SysWOW64\Olcjhi32.dll	Mdmnlj32.exe
File created	C:\Windows\SysWOW64\Bnhjohkb.exe	Accfbokl.exe
File opened for modification	C:\Windows\SysWOW64\Baicac32.exe	Bjokdipf.exe
File created	C:\Windows\SysWOW64\Pnonbk32.exe	Pfhfan32.exe
File created	C:\Windows\SysWOW64\Pmdfog32.dll	Kbceejpf.exe
File opened for modification	C:\Windows\SysWOW64\Pfaigm32.exe	Pcbmka32.exe
File opened for modification	C:\Windows\SysWOW64\Ipdqba32.exe	Iikhfg32.exe
File created	C:\Windows\SysWOW64\Cdfkolkf.exe	Cagobalc.exe
File opened for modification	C:\Windows\SysWOW64\Dmcibama.exe	Dfiafg32.exe
File opened for modification	C:\Windows\SysWOW64\Ofeilobp.exe	Ocgmpccl.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Daconoae.exe
File created	C:\Windows\SysWOW64\Cojlbcgp.dll	Llcpoo32.exe
File created	C:\Windows\SysWOW64\Ljbncc32.dll	Aeniabfd.exe
File created	C:\Windows\SysWOW64\Kmfmmcbo.exe	Kfmepi32.exe
File created	C:\Windows\SysWOW64\Gfmccd32.dll	Ndaggimg.exe
File opened for modification	C:\Windows\SysWOW64\Cfmajipb.exe	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Jlingkpe.dll	Nebdoa32.exe
File created	C:\Windows\SysWOW64\Qfcfml32.exe	Qqfmde32.exe
File created	C:\Windows\SysWOW64\Echegpbb.dll	Afmhck32.exe
File created	C:\Windows\SysWOW64\Pqpgdfnp.exe	Pfjcgn32.exe
File created	C:\Windows\SysWOW64\Amddjegd.exe	Ajfhnjhq.exe
File created	C:\Windows\SysWOW64\Hhqeiena.dll	Beglgani.exe
File created	C:\Windows\SysWOW64\Gjdlbifk.dll	Jmmjgejj.exe
File created	C:\Windows\SysWOW64\Mchqfb32.dll	Mmpijp32.exe
File created	C:\Windows\SysWOW64\Oncofm32.exe	Ocnjidkf.exe
File created	C:\Windows\SysWOW64\Pfjcgn32.exe	Pclgkb32.exe
File opened for modification	C:\Windows\SysWOW64\Lgmngglp.exe	Lmdina32.exe
File created	C:\Windows\SysWOW64\Miifeq32.exe	Mdmnlj32.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Delnin32.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Qgcbgo32.exe	Qddfkd32.exe
File created	C:\Windows\SysWOW64\Accfbokl.exe	Anfmjhmd.exe
File created	C:\Windows\SysWOW64\Dmjapi32.dll	Bffkij32.exe
File created	C:\Windows\SysWOW64\Gilnhifk.dll	Lfhdlh32.exe
File opened for modification	C:\Windows\SysWOW64\Mbfkbhpa.exe	Lmiciaaj.exe
File opened for modification	C:\Windows\SysWOW64\Ndaggimg.exe	Nljofl32.exe
File created	C:\Windows\SysWOW64\Ofqpqo32.exe	Odocigqg.exe
File created	C:\Windows\SysWOW64\Nfgmjqop.exe	Ndfqbhia.exe
File created	C:\Windows\SysWOW64\Bnmcjg32.exe	Bffkij32.exe
File opened for modification	C:\Windows\SysWOW64\Cajlhqjp.exe	Cnkplejl.exe
File opened for modification	C:\Windows\SysWOW64\Qfcfml32.exe	Qqfmde32.exe
File opened for modification	C:\Windows\SysWOW64\Aeniabfd.exe	Andqdh32.exe
File created	C:\Windows\SysWOW64\Ejnjpohk.dll	Kimnbd32.exe
File created	C:\Windows\SysWOW64\Kefkme32.exe	Kdeoemeg.exe
File opened for modification	C:\Windows\SysWOW64\Kefkme32.exe	Kdeoemeg.exe
File opened for modification	C:\Windows\SysWOW64\Lbjlfi32.exe	Klqcioba.exe
File opened for modification	C:\Windows\SysWOW64\Mdhdajea.exe	Mlampmdo.exe
File created	C:\Windows\SysWOW64\Nenqea32.dll	Nljofl32.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Ojjolnaq.exe	Odmgcgbi.exe
File created	C:\Windows\SysWOW64\Clbcapmm.dll	Ofqpqo32.exe
File opened for modification	C:\Windows\SysWOW64\Jcbihpel.exe	Jlkagbej.exe
File opened for modification	C:\Windows\SysWOW64\Kfmepi32.exe	Kdnidn32.exe
File created	C:\Windows\SysWOW64\Lfhdlh32.exe	Llcpoo32.exe
File created	C:\Windows\SysWOW64\Nlmllkja.exe	Nebdoa32.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

7096 6976 WerFault.exe Dmllipeg.exe

pid	pid_target	process	target process
7096	6976	WerFault.exe	Dmllipeg.exe

Modifies registry class 64 IoCs

Processes:

Jfeopj32.exeLfkaag32.exePfaigm32.exeQddfkd32.exeAjfhnjhq.exeBjddphlq.exeDmefhako.exeJcbihpel.exeKedoge32.exeNfgmjqop.exeOncofm32.exeOneklm32.exeOcgmpccl.exeIikhfg32.exeBaicac32.exeJpnchp32.exeLlemdo32.exeCjmgfgdf.exeDfiafg32.exeDhkjej32.exeKbceejpf.exeKmkfhc32.exeKdeoemeg.exeAndqdh32.exeBffkij32.exeDddhpjof.exeJmbdbd32.exeKdnidn32.exeKefkme32.exeLgmngglp.exeMelnob32.exeLingibiq.exeMlopkm32.exeLbjlfi32.exeMeiaib32.exePfjcgn32.exePmidog32.exePqbdjfln.exeCagobalc.exeMcmabg32.exeQnjnnj32.exePflplnlg.exeOdmgcgbi.exeQfcfml32.exeQgcbgo32.exeDjgjlelk.exePfhfan32.exePqpgdfnp.exeBcoenmao.exeCmiflbel.exeNljofl32.exeNjqmepik.exeNjefqo32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfeopj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iihqganf.dll"	Lfkaag32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Laqpgflj.dll"	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbpfgbfp.dll"	Ajfhnjhq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cefofm32.dll"	Jcbihpel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Canidb32.dll"	Kedoge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nfgmjqop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oncofm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oneklm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocgmpccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iikhfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbejge32.dll"	Baicac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jpnchp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljodkeij.dll"	Llemdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmdfog32.dll"	Kbceejpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmkfhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnbinq32.dll"	Kdeoemeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Andqdh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jmbdbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoohalad.dll"	Kdnidn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kefkme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgmngglp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Melnob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lingibiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mlopkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lbjlfi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Llemdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Meiaib32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfjcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ochpdn32.dll"	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfeopj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqbdjfln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jffggf32.dll"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eghpcp32.dll"	Mcmabg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfgfh32.dll"	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deeiam32.dll"	Pflplnlg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdbinofi.dll"	Jfeopj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Odmgcgbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qeobam32.dll"	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhmkaf32.dll"	Mlopkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjbnapki.dll"	Pfhfan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pqpgdfnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nljofl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhbopgfn.dll"	Njqmepik.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njefqo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jcbihpel.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

49a4dfc5d5235abfa678bd124a302280_NeikiAnalytics.exeIikhfg32.exeIpdqba32.exeJlkagbej.exeJcbihpel.exeJmknaell.exeJcefno32.exeJmmjgejj.exeJfeopj32.exeJpnchp32.exeJblpek32.exeJmbdbd32.exeJcllonma.exeKiidgeki.exeKdnidn32.exeKfmepi32.exeKmfmmcbo.exeKpeiioac.exeKbceejpf.exeKimnbd32.exeKdcbom32.exeKedoge32.exe

description	pid	process	target process
PID 3300 wrote to memory of 5032	3300	49a4dfc5d5235abfa678bd124a302280_NeikiAnalytics.exe	Iikhfg32.exe
PID 3300 wrote to memory of 5032	3300	49a4dfc5d5235abfa678bd124a302280_NeikiAnalytics.exe	Iikhfg32.exe
PID 3300 wrote to memory of 5032	3300	49a4dfc5d5235abfa678bd124a302280_NeikiAnalytics.exe	Iikhfg32.exe
PID 5032 wrote to memory of 3316	5032	Iikhfg32.exe	Ipdqba32.exe
PID 5032 wrote to memory of 3316	5032	Iikhfg32.exe	Ipdqba32.exe
PID 5032 wrote to memory of 3316	5032	Iikhfg32.exe	Ipdqba32.exe
PID 3316 wrote to memory of 5080	3316	Ipdqba32.exe	Jlkagbej.exe
PID 3316 wrote to memory of 5080	3316	Ipdqba32.exe	Jlkagbej.exe
PID 3316 wrote to memory of 5080	3316	Ipdqba32.exe	Jlkagbej.exe
PID 5080 wrote to memory of 3904	5080	Jlkagbej.exe	Jcbihpel.exe
PID 5080 wrote to memory of 3904	5080	Jlkagbej.exe	Jcbihpel.exe
PID 5080 wrote to memory of 3904	5080	Jlkagbej.exe	Jcbihpel.exe
PID 3904 wrote to memory of 4648	3904	Jcbihpel.exe	Jmknaell.exe
PID 3904 wrote to memory of 4648	3904	Jcbihpel.exe	Jmknaell.exe
PID 3904 wrote to memory of 4648	3904	Jcbihpel.exe	Jmknaell.exe
PID 4648 wrote to memory of 1360	4648	Jmknaell.exe	Jcefno32.exe
PID 4648 wrote to memory of 1360	4648	Jmknaell.exe	Jcefno32.exe
PID 4648 wrote to memory of 1360	4648	Jmknaell.exe	Jcefno32.exe
PID 1360 wrote to memory of 3296	1360	Jcefno32.exe	Jmmjgejj.exe
PID 1360 wrote to memory of 3296	1360	Jcefno32.exe	Jmmjgejj.exe
PID 1360 wrote to memory of 3296	1360	Jcefno32.exe	Jmmjgejj.exe
PID 3296 wrote to memory of 3432	3296	Jmmjgejj.exe	Jfeopj32.exe
PID 3296 wrote to memory of 3432	3296	Jmmjgejj.exe	Jfeopj32.exe
PID 3296 wrote to memory of 3432	3296	Jmmjgejj.exe	Jfeopj32.exe
PID 3432 wrote to memory of 2736	3432	Jfeopj32.exe	Jpnchp32.exe
PID 3432 wrote to memory of 2736	3432	Jfeopj32.exe	Jpnchp32.exe
PID 3432 wrote to memory of 2736	3432	Jfeopj32.exe	Jpnchp32.exe
PID 2736 wrote to memory of 2252	2736	Jpnchp32.exe	Jblpek32.exe
PID 2736 wrote to memory of 2252	2736	Jpnchp32.exe	Jblpek32.exe
PID 2736 wrote to memory of 2252	2736	Jpnchp32.exe	Jblpek32.exe
PID 2252 wrote to memory of 1840	2252	Jblpek32.exe	Jmbdbd32.exe
PID 2252 wrote to memory of 1840	2252	Jblpek32.exe	Jmbdbd32.exe
PID 2252 wrote to memory of 1840	2252	Jblpek32.exe	Jmbdbd32.exe
PID 1840 wrote to memory of 412	1840	Jmbdbd32.exe	Jcllonma.exe
PID 1840 wrote to memory of 412	1840	Jmbdbd32.exe	Jcllonma.exe
PID 1840 wrote to memory of 412	1840	Jmbdbd32.exe	Jcllonma.exe
PID 412 wrote to memory of 1600	412	Jcllonma.exe	Kiidgeki.exe
PID 412 wrote to memory of 1600	412	Jcllonma.exe	Kiidgeki.exe
PID 412 wrote to memory of 1600	412	Jcllonma.exe	Kiidgeki.exe
PID 1600 wrote to memory of 4596	1600	Kiidgeki.exe	Kdnidn32.exe
PID 1600 wrote to memory of 4596	1600	Kiidgeki.exe	Kdnidn32.exe
PID 1600 wrote to memory of 4596	1600	Kiidgeki.exe	Kdnidn32.exe
PID 4596 wrote to memory of 1492	4596	Kdnidn32.exe	Kfmepi32.exe
PID 4596 wrote to memory of 1492	4596	Kdnidn32.exe	Kfmepi32.exe
PID 4596 wrote to memory of 1492	4596	Kdnidn32.exe	Kfmepi32.exe
PID 1492 wrote to memory of 4360	1492	Kfmepi32.exe	Kmfmmcbo.exe
PID 1492 wrote to memory of 4360	1492	Kfmepi32.exe	Kmfmmcbo.exe
PID 1492 wrote to memory of 4360	1492	Kfmepi32.exe	Kmfmmcbo.exe
PID 4360 wrote to memory of 2456	4360	Kmfmmcbo.exe	Kpeiioac.exe
PID 4360 wrote to memory of 2456	4360	Kmfmmcbo.exe	Kpeiioac.exe
PID 4360 wrote to memory of 2456	4360	Kmfmmcbo.exe	Kpeiioac.exe
PID 2456 wrote to memory of 4868	2456	Kpeiioac.exe	Kbceejpf.exe
PID 2456 wrote to memory of 4868	2456	Kpeiioac.exe	Kbceejpf.exe
PID 2456 wrote to memory of 4868	2456	Kpeiioac.exe	Kbceejpf.exe
PID 4868 wrote to memory of 1952	4868	Kbceejpf.exe	Kimnbd32.exe
PID 4868 wrote to memory of 1952	4868	Kbceejpf.exe	Kimnbd32.exe
PID 4868 wrote to memory of 1952	4868	Kbceejpf.exe	Kimnbd32.exe
PID 1952 wrote to memory of 5040	1952	Kimnbd32.exe	Kdcbom32.exe
PID 1952 wrote to memory of 5040	1952	Kimnbd32.exe	Kdcbom32.exe
PID 1952 wrote to memory of 5040	1952	Kimnbd32.exe	Kdcbom32.exe
PID 5040 wrote to memory of 2576	5040	Kdcbom32.exe	Kedoge32.exe
PID 5040 wrote to memory of 2576	5040	Kdcbom32.exe	Kedoge32.exe
PID 5040 wrote to memory of 2576	5040	Kdcbom32.exe	Kedoge32.exe
PID 2576 wrote to memory of 4348	2576	Kedoge32.exe	Kmkfhc32.exe

C:\Users\Admin\AppData\Local\Temp\49a4dfc5d5235abfa678bd124a302280_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\49a4dfc5d5235abfa678bd124a302280_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:3300

C:\Windows\SysWOW64\Iikhfg32.exe
C:\Windows\system32\Iikhfg32.exe
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5032

C:\Windows\SysWOW64\Ipdqba32.exe
C:\Windows\system32\Ipdqba32.exe
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3316

C:\Windows\SysWOW64\Jlkagbej.exe
C:\Windows\system32\Jlkagbej.exe
4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5080

C:\Windows\SysWOW64\Jcbihpel.exe
C:\Windows\system32\Jcbihpel.exe
5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3904

C:\Windows\SysWOW64\Jmknaell.exe
C:\Windows\system32\Jmknaell.exe
6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4648

C:\Windows\SysWOW64\Jcefno32.exe
C:\Windows\system32\Jcefno32.exe
7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1360

C:\Windows\SysWOW64\Jmmjgejj.exe
C:\Windows\system32\Jmmjgejj.exe
8⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3296

C:\Windows\SysWOW64\Jfeopj32.exe
C:\Windows\system32\Jfeopj32.exe
9⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3432

C:\Windows\SysWOW64\Jpnchp32.exe
C:\Windows\system32\Jpnchp32.exe
10⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2736

C:\Windows\SysWOW64\Jblpek32.exe
C:\Windows\system32\Jblpek32.exe
11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2252

C:\Windows\SysWOW64\Jmbdbd32.exe
C:\Windows\system32\Jmbdbd32.exe
12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1840

C:\Windows\SysWOW64\Jcllonma.exe
C:\Windows\system32\Jcllonma.exe
13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:412

C:\Windows\SysWOW64\Kiidgeki.exe
C:\Windows\system32\Kiidgeki.exe
14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1600

C:\Windows\SysWOW64\Kdnidn32.exe
C:\Windows\system32\Kdnidn32.exe
15⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4596

C:\Windows\SysWOW64\Kfmepi32.exe
C:\Windows\system32\Kfmepi32.exe
16⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1492

C:\Windows\SysWOW64\Kmfmmcbo.exe
C:\Windows\system32\Kmfmmcbo.exe
17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4360

C:\Windows\SysWOW64\Kpeiioac.exe
C:\Windows\system32\Kpeiioac.exe
18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2456

C:\Windows\SysWOW64\Kbceejpf.exe
C:\Windows\system32\Kbceejpf.exe
19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4868

C:\Windows\SysWOW64\Kimnbd32.exe
C:\Windows\system32\Kimnbd32.exe
20⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1952

C:\Windows\SysWOW64\Kdcbom32.exe
C:\Windows\system32\Kdcbom32.exe
21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5040

C:\Windows\SysWOW64\Kedoge32.exe
C:\Windows\system32\Kedoge32.exe
22⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2576

C:\Windows\SysWOW64\Kmkfhc32.exe
C:\Windows\system32\Kmkfhc32.exe
23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4348

C:\Windows\SysWOW64\Kdeoemeg.exe
C:\Windows\system32\Kdeoemeg.exe
24⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3232

C:\Windows\SysWOW64\Kefkme32.exe
C:\Windows\system32\Kefkme32.exe
25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2952

C:\Windows\SysWOW64\Klqcioba.exe
C:\Windows\system32\Klqcioba.exe
26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2756

C:\Windows\SysWOW64\Lbjlfi32.exe
C:\Windows\system32\Lbjlfi32.exe
27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4580

C:\Windows\SysWOW64\Liddbc32.exe
C:\Windows\system32\Liddbc32.exe
28⤵
- Executes dropped EXE
PID:4864

C:\Windows\SysWOW64\Llcpoo32.exe
C:\Windows\system32\Llcpoo32.exe
29⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4316

C:\Windows\SysWOW64\Lfhdlh32.exe
C:\Windows\system32\Lfhdlh32.exe
30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2116

C:\Windows\SysWOW64\Llemdo32.exe
C:\Windows\system32\Llemdo32.exe
31⤵
- Executes dropped EXE
- Modifies registry class
PID:4968

C:\Windows\SysWOW64\Lfkaag32.exe
C:\Windows\system32\Lfkaag32.exe
32⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4536

C:\Windows\SysWOW64\Lmdina32.exe
C:\Windows\system32\Lmdina32.exe
33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2452

C:\Windows\SysWOW64\Lgmngglp.exe
C:\Windows\system32\Lgmngglp.exe
34⤵
- Executes dropped EXE
- Modifies registry class
PID:2208

C:\Windows\SysWOW64\Lmgfda32.exe
C:\Windows\system32\Lmgfda32.exe
35⤵
- Executes dropped EXE
PID:4148

C:\Windows\SysWOW64\Ldanqkki.exe
C:\Windows\system32\Ldanqkki.exe
36⤵
- Executes dropped EXE
PID:2132

C:\Windows\SysWOW64\Lingibiq.exe
C:\Windows\system32\Lingibiq.exe
37⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4708

C:\Windows\SysWOW64\Lmiciaaj.exe
C:\Windows\system32\Lmiciaaj.exe
38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:744

C:\Windows\SysWOW64\Mbfkbhpa.exe
C:\Windows\system32\Mbfkbhpa.exe
39⤵
- Executes dropped EXE
PID:1844

C:\Windows\SysWOW64\Mipcob32.exe
C:\Windows\system32\Mipcob32.exe
40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4840

C:\Windows\SysWOW64\Mlopkm32.exe
C:\Windows\system32\Mlopkm32.exe
41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3004

C:\Windows\SysWOW64\Mchhggno.exe
C:\Windows\system32\Mchhggno.exe
42⤵
- Executes dropped EXE
PID:2244

C:\Windows\SysWOW64\Mibpda32.exe
C:\Windows\system32\Mibpda32.exe
43⤵
- Executes dropped EXE
PID:3280

C:\Windows\SysWOW64\Mlampmdo.exe
C:\Windows\system32\Mlampmdo.exe
44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3956

C:\Windows\SysWOW64\Mdhdajea.exe
C:\Windows\system32\Mdhdajea.exe
45⤵
- Executes dropped EXE
PID:2680

C:\Windows\SysWOW64\Meiaib32.exe
C:\Windows\system32\Meiaib32.exe
46⤵
- Executes dropped EXE
- Modifies registry class
PID:3204

C:\Windows\SysWOW64\Mmpijp32.exe
C:\Windows\system32\Mmpijp32.exe
47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:880

C:\Windows\SysWOW64\Mcmabg32.exe
C:\Windows\system32\Mcmabg32.exe
48⤵
- Executes dropped EXE
- Modifies registry class
PID:1160

C:\Windows\SysWOW64\Melnob32.exe
C:\Windows\system32\Melnob32.exe
49⤵
- Executes dropped EXE
- Modifies registry class
PID:4108

C:\Windows\SysWOW64\Mmbfpp32.exe
C:\Windows\system32\Mmbfpp32.exe
50⤵
- Executes dropped EXE
PID:1784

C:\Windows\SysWOW64\Mdmnlj32.exe
C:\Windows\system32\Mdmnlj32.exe
51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3684

C:\Windows\SysWOW64\Miifeq32.exe
C:\Windows\system32\Miifeq32.exe
52⤵
- Executes dropped EXE
PID:2768

C:\Windows\SysWOW64\Mlhbal32.exe
C:\Windows\system32\Mlhbal32.exe
53⤵
- Executes dropped EXE
PID:2776

C:\Windows\SysWOW64\Nljofl32.exe
C:\Windows\system32\Nljofl32.exe
54⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1328

C:\Windows\SysWOW64\Ndaggimg.exe
C:\Windows\system32\Ndaggimg.exe
55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1488

C:\Windows\SysWOW64\Nebdoa32.exe
C:\Windows\system32\Nebdoa32.exe
56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2476

C:\Windows\SysWOW64\Nlmllkja.exe
C:\Windows\system32\Nlmllkja.exe
57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2516

C:\Windows\SysWOW64\Ngbpidjh.exe
C:\Windows\system32\Ngbpidjh.exe
58⤵
- Executes dropped EXE
PID:5068

C:\Windows\SysWOW64\Njqmepik.exe
C:\Windows\system32\Njqmepik.exe
59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4892

C:\Windows\SysWOW64\Ndfqbhia.exe
C:\Windows\system32\Ndfqbhia.exe
60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4296

C:\Windows\SysWOW64\Nfgmjqop.exe
C:\Windows\system32\Nfgmjqop.exe
61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:316

C:\Windows\SysWOW64\Nnneknob.exe
C:\Windows\system32\Nnneknob.exe
62⤵
- Executes dropped EXE
PID:2136

C:\Windows\SysWOW64\Npmagine.exe
C:\Windows\system32\Npmagine.exe
63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5024

C:\Windows\SysWOW64\Nggjdc32.exe
C:\Windows\system32\Nggjdc32.exe
64⤵
- Executes dropped EXE
PID:2836

C:\Windows\SysWOW64\Njefqo32.exe
C:\Windows\system32\Njefqo32.exe
65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4988

C:\Windows\SysWOW64\Oponmilc.exe
C:\Windows\system32\Oponmilc.exe
66⤵
PID:2508

C:\Windows\SysWOW64\Ocnjidkf.exe
C:\Windows\system32\Ocnjidkf.exe
67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2904

C:\Windows\SysWOW64\Oncofm32.exe
C:\Windows\system32\Oncofm32.exe
68⤵
- Modifies registry class
PID:784

C:\Windows\SysWOW64\Odmgcgbi.exe
C:\Windows\system32\Odmgcgbi.exe
69⤵
- Drops file in System32 directory
- Modifies registry class
PID:5044

C:\Windows\SysWOW64\Ojjolnaq.exe
C:\Windows\system32\Ojjolnaq.exe
70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4788

C:\Windows\SysWOW64\Oneklm32.exe
C:\Windows\system32\Oneklm32.exe
71⤵
- Modifies registry class
PID:2328

C:\Windows\SysWOW64\Odocigqg.exe
C:\Windows\system32\Odocigqg.exe
72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1548

C:\Windows\SysWOW64\Ofqpqo32.exe
C:\Windows\system32\Ofqpqo32.exe
73⤵
- Drops file in System32 directory
PID:2360

C:\Windows\SysWOW64\Onhhamgg.exe
C:\Windows\system32\Onhhamgg.exe
74⤵
PID:3084

C:\Windows\SysWOW64\Oqfdnhfk.exe
C:\Windows\system32\Oqfdnhfk.exe
75⤵
PID:5052

C:\Windows\SysWOW64\Olmeci32.exe
C:\Windows\system32\Olmeci32.exe
76⤵
PID:1420

C:\Windows\SysWOW64\Ocgmpccl.exe
C:\Windows\system32\Ocgmpccl.exe
77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2348

C:\Windows\SysWOW64\Ofeilobp.exe
C:\Windows\system32\Ofeilobp.exe
78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2948

C:\Windows\SysWOW64\Pmoahijl.exe
C:\Windows\system32\Pmoahijl.exe
79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4508

C:\Windows\SysWOW64\Pcijeb32.exe
C:\Windows\system32\Pcijeb32.exe
80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3588

C:\Windows\SysWOW64\Pfhfan32.exe
C:\Windows\system32\Pfhfan32.exe
81⤵
- Drops file in System32 directory
- Modifies registry class
PID:2332

C:\Windows\SysWOW64\Pnonbk32.exe
C:\Windows\system32\Pnonbk32.exe
82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1140

C:\Windows\SysWOW64\Pclgkb32.exe
C:\Windows\system32\Pclgkb32.exe
83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3476

C:\Windows\SysWOW64\Pfjcgn32.exe
C:\Windows\system32\Pfjcgn32.exe
84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:5124

C:\Windows\SysWOW64\Pqpgdfnp.exe
C:\Windows\system32\Pqpgdfnp.exe
85⤵
- Modifies registry class
PID:5168

C:\Windows\SysWOW64\Pflplnlg.exe
C:\Windows\system32\Pflplnlg.exe
86⤵
- Modifies registry class
PID:5244

C:\Windows\SysWOW64\Pncgmkmj.exe
C:\Windows\system32\Pncgmkmj.exe
87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5304

C:\Windows\SysWOW64\Pqbdjfln.exe
C:\Windows\system32\Pqbdjfln.exe
88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5376

C:\Windows\SysWOW64\Pfolbmje.exe
C:\Windows\system32\Pfolbmje.exe
89⤵
PID:5420

C:\Windows\SysWOW64\Pmidog32.exe
C:\Windows\system32\Pmidog32.exe
90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5464

C:\Windows\SysWOW64\Pqdqof32.exe
C:\Windows\system32\Pqdqof32.exe
91⤵
PID:5508

C:\Windows\SysWOW64\Pcbmka32.exe
C:\Windows\system32\Pcbmka32.exe
92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5556

C:\Windows\SysWOW64\Pfaigm32.exe
C:\Windows\system32\Pfaigm32.exe
93⤵
- Modifies registry class
PID:5600

C:\Windows\SysWOW64\Qnhahj32.exe
C:\Windows\system32\Qnhahj32.exe
94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5652

C:\Windows\SysWOW64\Qqfmde32.exe
C:\Windows\system32\Qqfmde32.exe
95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5704

C:\Windows\SysWOW64\Qfcfml32.exe
C:\Windows\system32\Qfcfml32.exe
96⤵
- Modifies registry class
PID:5748

C:\Windows\SysWOW64\Qnjnnj32.exe
C:\Windows\system32\Qnjnnj32.exe
97⤵
- Modifies registry class
PID:5792

C:\Windows\SysWOW64\Qddfkd32.exe
C:\Windows\system32\Qddfkd32.exe
98⤵
- Drops file in System32 directory
- Modifies registry class
PID:5836

C:\Windows\SysWOW64\Qgcbgo32.exe
C:\Windows\system32\Qgcbgo32.exe
99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5872

C:\Windows\SysWOW64\Ajanck32.exe
C:\Windows\system32\Ajanck32.exe
100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5916

C:\Windows\SysWOW64\Adgbpc32.exe
C:\Windows\system32\Adgbpc32.exe
101⤵
PID:5956

C:\Windows\SysWOW64\Afhohlbj.exe
C:\Windows\system32\Afhohlbj.exe
102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6000

C:\Windows\SysWOW64\Anogiicl.exe
C:\Windows\system32\Anogiicl.exe
103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6040

C:\Windows\SysWOW64\Agglboim.exe
C:\Windows\system32\Agglboim.exe
104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:6084

C:\Windows\SysWOW64\Ajfhnjhq.exe
C:\Windows\system32\Ajfhnjhq.exe
105⤵
- Drops file in System32 directory
- Modifies registry class
PID:6124

C:\Windows\SysWOW64\Amddjegd.exe
C:\Windows\system32\Amddjegd.exe
106⤵
PID:2996

C:\Windows\SysWOW64\Aeklkchg.exe
C:\Windows\system32\Aeklkchg.exe
107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5240

C:\Windows\SysWOW64\Afmhck32.exe
C:\Windows\system32\Afmhck32.exe
108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5312

C:\Windows\SysWOW64\Andqdh32.exe
C:\Windows\system32\Andqdh32.exe
109⤵
- Drops file in System32 directory
- Modifies registry class
PID:5404

C:\Windows\SysWOW64\Aeniabfd.exe
C:\Windows\system32\Aeniabfd.exe
110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5476

C:\Windows\SysWOW64\Anfmjhmd.exe
C:\Windows\system32\Anfmjhmd.exe
111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5564

C:\Windows\SysWOW64\Accfbokl.exe
C:\Windows\system32\Accfbokl.exe
112⤵
- Drops file in System32 directory
PID:5624

C:\Windows\SysWOW64\Bnhjohkb.exe
C:\Windows\system32\Bnhjohkb.exe
113⤵
PID:5724

C:\Windows\SysWOW64\Bcebhoii.exe
C:\Windows\system32\Bcebhoii.exe
114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5776

C:\Windows\SysWOW64\Bjokdipf.exe
C:\Windows\system32\Bjokdipf.exe
115⤵
- Drops file in System32 directory
PID:5864

C:\Windows\SysWOW64\Baicac32.exe
C:\Windows\system32\Baicac32.exe
116⤵
- Modifies registry class
PID:5932

C:\Windows\SysWOW64\Bchomn32.exe
C:\Windows\system32\Bchomn32.exe
117⤵
PID:6008

C:\Windows\SysWOW64\Bffkij32.exe
C:\Windows\system32\Bffkij32.exe
118⤵
- Drops file in System32 directory
- Modifies registry class
PID:6060

C:\Windows\SysWOW64\Bnmcjg32.exe
C:\Windows\system32\Bnmcjg32.exe
119⤵
PID:6136

C:\Windows\SysWOW64\Beglgani.exe
C:\Windows\system32\Beglgani.exe
120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5180

C:\Windows\SysWOW64\Bjddphlq.exe
C:\Windows\system32\Bjddphlq.exe
121⤵
- Modifies registry class
PID:5360

C:\Windows\SysWOW64\Banllbdn.exe
C:\Windows\system32\Banllbdn.exe
122⤵
PID:5460

C:\Windows\SysWOW64\Bhhdil32.exe
C:\Windows\system32\Bhhdil32.exe
123⤵
PID:5644

C:\Windows\SysWOW64\Bnbmefbg.exe
C:\Windows\system32\Bnbmefbg.exe
124⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5732

C:\Windows\SysWOW64\Bapiabak.exe
C:\Windows\system32\Bapiabak.exe
125⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5812

C:\Windows\SysWOW64\Bcoenmao.exe
C:\Windows\system32\Bcoenmao.exe
126⤵
- Drops file in System32 directory
- Modifies registry class
PID:5952

C:\Windows\SysWOW64\Cfmajipb.exe
C:\Windows\system32\Cfmajipb.exe
127⤵
PID:6072

C:\Windows\SysWOW64\Cmgjgcgo.exe
C:\Windows\system32\Cmgjgcgo.exe
128⤵
PID:5148

C:\Windows\SysWOW64\Cdabcm32.exe
C:\Windows\system32\Cdabcm32.exe
129⤵
PID:5400

C:\Windows\SysWOW64\Cjkjpgfi.exe
C:\Windows\system32\Cjkjpgfi.exe
130⤵
PID:5580

C:\Windows\SysWOW64\Cmiflbel.exe
C:\Windows\system32\Cmiflbel.exe
131⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5744

C:\Windows\SysWOW64\Ceqnmpfo.exe
C:\Windows\system32\Ceqnmpfo.exe
132⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5948

C:\Windows\SysWOW64\Chokikeb.exe
C:\Windows\system32\Chokikeb.exe
133⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6116

C:\Windows\SysWOW64\Cjmgfgdf.exe
C:\Windows\system32\Cjmgfgdf.exe
134⤵
- Modifies registry class
PID:5384

C:\Windows\SysWOW64\Cagobalc.exe
C:\Windows\system32\Cagobalc.exe
135⤵
- Drops file in System32 directory
- Modifies registry class
PID:5712

C:\Windows\SysWOW64\Cdfkolkf.exe
C:\Windows\system32\Cdfkolkf.exe
136⤵
PID:6076

C:\Windows\SysWOW64\Cnkplejl.exe
C:\Windows\system32\Cnkplejl.exe
137⤵
- Drops file in System32 directory
PID:5352

C:\Windows\SysWOW64\Cajlhqjp.exe
C:\Windows\system32\Cajlhqjp.exe
138⤵
- Drops file in System32 directory
PID:5896

C:\Windows\SysWOW64\Cdhhdlid.exe
C:\Windows\system32\Cdhhdlid.exe
139⤵
PID:5276

C:\Windows\SysWOW64\Cffdpghg.exe
C:\Windows\system32\Cffdpghg.exe
140⤵
PID:6148

C:\Windows\SysWOW64\Cmqmma32.exe
C:\Windows\system32\Cmqmma32.exe
141⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6192

C:\Windows\SysWOW64\Cegdnopg.exe
C:\Windows\system32\Cegdnopg.exe
142⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6236

C:\Windows\SysWOW64\Dfiafg32.exe
C:\Windows\system32\Dfiafg32.exe
143⤵
- Drops file in System32 directory
- Modifies registry class
PID:6280

C:\Windows\SysWOW64\Dmcibama.exe
C:\Windows\system32\Dmcibama.exe
144⤵
PID:6324

C:\Windows\SysWOW64\Ddmaok32.exe
C:\Windows\system32\Ddmaok32.exe
145⤵
PID:6364

C:\Windows\SysWOW64\Djgjlelk.exe
C:\Windows\system32\Djgjlelk.exe
146⤵
- Modifies registry class
PID:6408

C:\Windows\SysWOW64\Dmefhako.exe
C:\Windows\system32\Dmefhako.exe
147⤵
- Modifies registry class
PID:6452

C:\Windows\SysWOW64\Delnin32.exe
C:\Windows\system32\Delnin32.exe
148⤵
- Drops file in System32 directory
PID:6496

C:\Windows\SysWOW64\Dhkjej32.exe
C:\Windows\system32\Dhkjej32.exe
149⤵
- Modifies registry class
PID:6536

C:\Windows\SysWOW64\Dkifae32.exe
C:\Windows\system32\Dkifae32.exe
150⤵
- Drops file in System32 directory
PID:6580

C:\Windows\SysWOW64\Dodbbdbb.exe
C:\Windows\system32\Dodbbdbb.exe
151⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6632

C:\Windows\SysWOW64\Daconoae.exe
C:\Windows\system32\Daconoae.exe
152⤵
- Drops file in System32 directory
PID:6676

C:\Windows\SysWOW64\Dhmgki32.exe
C:\Windows\system32\Dhmgki32.exe
153⤵
PID:6740

C:\Windows\SysWOW64\Dkkcge32.exe
C:\Windows\system32\Dkkcge32.exe
154⤵
PID:6780

C:\Windows\SysWOW64\Dmjocp32.exe
C:\Windows\system32\Dmjocp32.exe
155⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:6824

C:\Windows\SysWOW64\Dddhpjof.exe
C:\Windows\system32\Dddhpjof.exe
156⤵
- Modifies registry class
PID:6872

C:\Windows\SysWOW64\Dknpmdfc.exe
C:\Windows\system32\Dknpmdfc.exe
157⤵
- Drops file in System32 directory
PID:6916

C:\Windows\SysWOW64\Dmllipeg.exe
C:\Windows\system32\Dmllipeg.exe
158⤵
PID:6976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6976 -s 216
159⤵
- Program crash
PID:7096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 6976 -ip 6976
1⤵
PID:7068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Adgbpc32.exe
Filesize
128KB

MD5
6ed5cd8c9cdc679de322a64b1865c98c

SHA1
6925e2aee627a472f160fc5ee5df97cf729adb27

SHA256
2db7358fdd774aeac4fce73a6e5a512a202fe1ffa3be76a8431f9f584e8bea1c

SHA512
c3002e5fa9bb1f920c643051cf3a10b89961ab6f7e72a2c5298dee6be5603c85c1b35975e0e33b2b5fd6480ce7350bbb06bd24ed94c995ef7a129f8c15585703

Download Submit
C:\Windows\SysWOW64\Anogiicl.exe
Filesize
128KB

MD5
4a3ab5cfc587e3740673e008b4399645

SHA1
3c531400ad111383ddd0617b673e04b8b9df4f2f

SHA256
83e55430e99aaac134a39fefe3f65ea7cf84a3227383e4a4c244f95f89320578

SHA512
74c6b46bf54b1abfdaa55bb92f57095622452e5316b5810aac73c015a3c870283cf047f19f8ccce7b95eb2527a7936af25cc70e5d85e58661d8c138c59c1d583

Download Submit
C:\Windows\SysWOW64\Bchomn32.exe
Filesize
128KB

MD5
c3b024b5b5ed5352b0a58f0a9af9efcd

SHA1
a780ce894cdc50851a9f9c529bef132cb8b652e1

SHA256
ff560dbc1cf76bd0d9ca6a9876f2ae5930ea5e97a747548c46bb88c8573dbfc1

SHA512
7b4845c3355452956de02179458d2e7f4d411ac4a6653392781224d694ab6716f10cd1313655cfc7492c375b258c632f49490a1e030b5219f2b3acda2ddd9492

Download Submit
C:\Windows\SysWOW64\Bjddphlq.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe
Filesize
128KB

MD5
a5c9540f902e5590ed83f427b0ec9b70

SHA1
518d8c8bad02203dbab2cde3d3e275f37de02166

SHA256
057d998004f3aa2971305403f61184551a20300961903bef08bc5be6f52b1047

SHA512
2addd33e05d82a1c008a096b435df0cd19253308cce4e6fb6fd6e86c40c48ab2a024924e70e7b88e52992f88b54b6a8b30576f670d5839f511061c4e1818d198

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe
Filesize
128KB

MD5
c2408ce9cde12ad042dfe7b569ee8276

SHA1
ed802ead937081b51541d2e327390916856c5621

SHA256
f037201415ca56ffbf1d931bc88389d5e4080ba8355f6c9c60e912a87cab0f64

SHA512
56eb60661a4242f26ed6e05591dd9b17c637178befce3687cae346c240def2e910bee057a1a6c5e78890ba4dd90a590f9cfd88e39838c08992d7cfa5151a35f6

Download Submit
C:\Windows\SysWOW64\Iikhfg32.exe
Filesize
128KB

MD5
c8f7d73a8da694228cb7a8eea81c7513

SHA1
880804604d03ce5909ffa9f39665c692834b768e

SHA256
d4c1647c6cd0094479580a5a525645f9617b12f4a9069c8caf8fb343b4c904e4

SHA512
1ab11791bc9e1cc7abcefaf3dcdbf5067143818bed6115f2c56c34ff242adf4b0c971ad1f0a758e8b2b9fe2c38cc225504b833468971656799a36393826854d1

Download Submit
C:\Windows\SysWOW64\Ipdqba32.exe
Filesize
128KB

MD5
a40bc714dd24de831730988518924691

SHA1
d315d5e51e60b6cf1078a2e6363eada47a21b04d

SHA256
6682b506c57cce84e7cd48e6d1cfa1a65d0e3a2525e367ffdea559b9dc2427d4

SHA512
c408ded96caab598e10e06e2d47ab824020ab0b70324010606cf9c3154ca081425eb60979207730be572ca9ab3fcd386a930b7ae9bc05759bcca41ed3ad1cfcd

Download Submit
C:\Windows\SysWOW64\Jblpek32.exe
Filesize
128KB

MD5
25c3594be41639448a3bd6ee2512e11e

SHA1
894fa3ae541857c196006e4b8b82ad024dfe9c13

SHA256
f681ebe5a6809e0d71b69ace45346650c23442d7117355acbaf84041e452c50b

SHA512
291c5ced9ff2f4d8701aae4c4e6a7bccd503d932ebb3f1de38765a79ca33836239d48190c9461867eee0a1104d85ff6147e6e4e243ea99adb663493396362af5

Download Submit
C:\Windows\SysWOW64\Jcbihpel.exe
Filesize
128KB

MD5
5d99e0be6855925e23d04dca09452fd1

SHA1
9d177dc961804a04e7079e9b8358cda4f1e69b39

SHA256
001c54201008591c41aff289f45ae62d3dc6614f80f15d61f456f93c048c8a29

SHA512
4fc1e13ef974b6000d67eb14411805a18b4406666552c737343cb660462e83fd2cc219aab656cbfdc3c8d29db419848a6b67a0025d29d36aa81fc08bf5ff898e

Download Submit
C:\Windows\SysWOW64\Jcefno32.exe
Filesize
128KB

MD5
532292c888ad2bce260f9ab7baf02dcf

SHA1
098355d83fac5fc6feba43a74668e0ca74e6dca4

SHA256
29b700fba17e72b036fb1078a099e094b89127158ab7fcb43365dbfc0a6dfcb0

SHA512
6c1ec55a94514639e5eaf5ce5947c31096a1405acc63bf85025ace67cbdeeaa6622c4d5eb7a7cea72f5a461179d1933696b3d55e94be0a7ae268ee8d39771b6d

Download Submit
C:\Windows\SysWOW64\Jcllonma.exe
Filesize
128KB

MD5
822ffdaba0455df548aec5e0a56336f7

SHA1
db7fac8874a123c586f8f04b4af6a8c25737b3af

SHA256
c514cc5c543c7f9cfab800ec11e6c50c30736737d2d5f0bd4c91f929d5c52661

SHA512
f5655fa4a5737273284a39af2a919290305a0ffa5f6cbb16d48dea2513cb002b4fc8d7eec52b960e0e4259f1011a9f7b3c35ce1e4ab50b2cdf84c4def38e376b

Download Submit
C:\Windows\SysWOW64\Jfeopj32.exe
Filesize
128KB

MD5
0edb693289869b5350e2bf22c642b01a

SHA1
10807cd854ce952686c3f5ba7df2b27fafcce046

SHA256
44135f46fef1cd84baf09fb7d8aa159cbba8042fdd2faa6aca81915bfc5d6290

SHA512
a105596f6753d99b51518edff2e0d37b9fe12130100a9e4777b9a7acbcae9cb5a9f2fca91f46be9b3431e6086d9b0c664fd988534274fdb996ba653961f6f341

Download Submit
C:\Windows\SysWOW64\Jlkagbej.exe
Filesize
128KB

MD5
a292132f1ddd39403bd768d272425ff1

SHA1
5d63d4cc8fac37bc6e1b19ec38d5f80145b025dc

SHA256
3aa897442fe55336011c1d23d8b169792d6d6d39be9c3dfe2c8ce162480b94b5

SHA512
6f621ed89a08e3f064b18210ec66528826e5ef3ae7307489cc1d2bb41ec277a2d43373cf1c03580c470fe9cec6efff95a82061663982ec9f1e6059ea4a122a59

Download Submit
C:\Windows\SysWOW64\Jmbdbd32.exe
Filesize
128KB

MD5
3bbc91f8e07ba84fabe7a2a11f623a0c

SHA1
b2a64caed2c1ef1a9777183d78edb9c92e561858

SHA256
0a2879c55d247672355f519c5455f7d484ed02c23c36cec2711c22527b0b4b1a

SHA512
cd5087852c4ec14a10ecc693c0cc665610b29a507a07822902628c4085e5ea9c57ceb681ae023d0f66be133a097aa205004ee83fd70e1eb76316394738b05100

Download Submit
C:\Windows\SysWOW64\Jmknaell.exe
Filesize
128KB

MD5
1cdb88c0c86d4c7ae0a17e91e78d9d59

SHA1
74f7d6adba57a4356de13ba98c76187f8d668108

SHA256
22aecefedf67d6d2639a554fbe64d3b83e1c32dba7634a9c5ad251e950206bc6

SHA512
f0248265f612cf16ded5886804068ca61189e40aa1e173f33ac714b796400ad7208036d9331ef285b057814a6373cb0d5cce023275fbfab3a8ad6edf4a73a54c

Download Submit
C:\Windows\SysWOW64\Jmmjgejj.exe
Filesize
128KB

MD5
52467f396ddc1d4d8b10655779d914c7

SHA1
316796f55d0415ec1ca454d2e2018a86becab385

SHA256
0d900dd95ae1f20c744b4858b5196e7e77be2ed376f6a30f06b4241e0480b677

SHA512
ea8137a122dca4760bf06c311087b20a21bccc393ba043d6b88ae43d6eebc0ae731b00a68654c220c9d65975ce5bef95577e99362b0906863e33b028c529d0f4

Download Submit
C:\Windows\SysWOW64\Jpnchp32.exe
Filesize
128KB

MD5
51490cfd6f3137fe92b34ae6e9654a96

SHA1
512c83ec0dca25a1411ca98d0c5cff4bfc6118bf

SHA256
4b35cf5c50dda42558d3fef8cb7ecd00ddada4d053d00ae554c1d44f0005171d

SHA512
1e790962d152a2155a9e13c8a4b0e0a95341231ce884acc78f58c81dd0d1dca0c5b2e2ec85d0f3f5c81b6c7dfafddef70690a0788b1a507062d42add9835fd0c

Download Submit
C:\Windows\SysWOW64\Kbceejpf.exe
Filesize
128KB

MD5
c08d65cca3856fbc41cb5a4126782fed

SHA1
f35a48fa03b92ae8d09656edf15d795005fff11b

SHA256
e13f9727741b32e6127549eefa59ab169198c04ddf3e0b958405af687a5d61d8

SHA512
8abf3abfe0b6d27488ecfa5e9dab25d5c16cfa4621c49722d691e2c0340703b17c39dc230577221e22215200c3a156e6ad22fccc62ebec24078c1cd3fffec1a2

Download Submit
C:\Windows\SysWOW64\Kdcbom32.exe
Filesize
128KB

MD5
75aae5437c08915557e71199547b5f02

SHA1
cfcb823cf79725ce1ec2d3ad70585fe8accd1e05

SHA256
4d4c77f8ee6143f7a2202ebf9b2147a6854334cd1b4d1c43880e9294116aed3b

SHA512
c3937359155df3dcb0614665875b9ac61fb506b1a02be5a1590ad9f6506109ff0542342a3eae0411c278f3e5e54548d0ade3cdb4a9d2ef27736cc68780c95357

Download Submit
C:\Windows\SysWOW64\Kdeoemeg.exe
Filesize
128KB

MD5
c6d4dd291d32552021be586fa3a6993d

SHA1
14e1756441d83a31360cf30b1951c09ee36c756a

SHA256
62e0c2ff204afa8921156558a10f01a56b3e2d93eb669fd31b376ffa664f2e91

SHA512
f32a2badd9ca20b84d74e8837d340d9f088bfaa721c4fa58b9a4a2f0a816f28b13c66222785cc8d79f55127441c4118283d772a323b8a1d86a4a6a44fa190ea5

Download Submit
C:\Windows\SysWOW64\Kdnidn32.exe
Filesize
128KB

MD5
e7a1c54547dc2013cba3e3e15825504b

SHA1
d98bf573fc7e8b90b3fbb5c309ed5024aabe016b

SHA256
1114ebf0b301829162c7b17e446c86cd5b882ae06f0a57a9388c355532f7b23a

SHA512
e76c29cd613fdcd416413731d676ea10c4cc6f02bde6ff720b269e2cfbcbc1eafd17095a88fbee3c5434cd25fa43e77272054e0ac30245c2709f9e1f7a36f2dc

Download Submit
C:\Windows\SysWOW64\Kedoge32.exe
Filesize
128KB

MD5
b2c9b666567b225648c75b3312b36ec9

SHA1
6a1d9c96ab15a5050d295a7bb923c59ad04a769d

SHA256
b0564402576d37f9f8c2ef46379d33fead164e9f26aeb2b62dadc661cde1a012

SHA512
a8b4fc8546968c0072811d02ad8eb5167e39e41e1683df5e724ddb52fb99a7a2f8d5c04ebe49b8c4ce61ae5d15583809bfc06bef06f178267083819eddb9e00a

Download Submit
C:\Windows\SysWOW64\Kefkme32.exe
Filesize
128KB

MD5
76ace225a1e430e6c4bf4a2153cd5cea

SHA1
b0f57310eae7c6573a21da81f90c0984beb5c1e0

SHA256
de35300e129799be30a5c48c4790560f0a6dd6539b2fbe7f87dc068963224471

SHA512
09af13f7e9d566605285c88ee9696be2be96c1f472934d1189c6a6db17b179eeeb01c8cc7bbc2ac6ec83d7092ec72a17471513728620d9ff0dc4323d0038241b

Download Submit
C:\Windows\SysWOW64\Kfmepi32.exe
Filesize
128KB

MD5
f0bdc4ec690b87dde54d482bec24b9b9

SHA1
17ec20474a72758eddc461c2520a5e6dfdfea1fe

SHA256
ae4da4468667073e8a2094f13b3341e7ec08565006547a92bd9ed52b73d1e9db

SHA512
259941fed3fd4c57ab3f9f465e3b500c4754bd4586aa2f6ee5139446e625970f5cd51fcabf1cdfa21fb7747a78311b8396a38330510f3ee640e7ada007a18574

Download Submit
C:\Windows\SysWOW64\Kiidgeki.exe
Filesize
128KB

MD5
21dab48e3a687fe26c1cf63ec68849c2

SHA1
b95852e4bf4b87e3c1ea7181ac8344f36575fd70

SHA256
5a456c329179306522ce1f6c9c2ba3ee4272b567414bfd1b196c1feffcce9744

SHA512
bd3036100649d3c65bd7c0f940bcd08fe0ecb55a5a8e862963824aeab613aa70f405a3586a4b5f53b7afae1ed872c65a676a9b785df7f055fcf7bb6e77e0a58e

Download Submit
C:\Windows\SysWOW64\Kimnbd32.exe
Filesize
128KB

MD5
b3e614365f6517e413754ecaf8e6006f

SHA1
8f348debf015630529b8abe580d83ef4d05c1a94

SHA256
ba627047ad4805c6b46f58de914bdb9efa0f3e546508202e92798ac9bf6644df

SHA512
1a91b910fc3c1ccea88a709254d66feac98da90969ca77e11681bf2125ddf6a03b03d85985db575174ae92ebbe18e7814c25d16c05c6067b7e6ebd52940d13a9

Download Submit
C:\Windows\SysWOW64\Klqcioba.exe
Filesize
128KB

MD5
5e32d234ab4a8e2fb35cb860dc6d6435

SHA1
11fe5cce9f397a8bcb7597fe1545607b3fc2af71

SHA256
43767ec65a38e430892c05a5a5cebf9cc8ab6bed6a43771aa957a44c4776a654

SHA512
a757569a77bb8d2484fcf96c8d709dc209e70b757a59e353b60192c50efe1a18361988b51346a08ffe9dd423a37e8411d28e9e80df520d4d7e16a97c8fb1f35d

Download Submit
C:\Windows\SysWOW64\Kmfmmcbo.exe
Filesize
128KB

MD5
416b58276388738f9210f583f82d64ba

SHA1
50a138dcd8f06af751eb3d940c1151394af88047

SHA256
02951fd9602e93258017a1574251084fb1b0ca1004436988ac8fd92b9a316b68

SHA512
042841a73d7d020fada53f0edd27075306f9193324b168ac496b012e1db6d320344d8bf0327fc1c8382a420ef93339c8e9c5ff2a8b21dea095e063f47a9296ea

Download Submit
C:\Windows\SysWOW64\Kmkfhc32.exe
Filesize
128KB

MD5
fed6223c3325d7bd0de260677d554171

SHA1
b1fc038b270542194be4505f18fc9018d0cef679

SHA256
767ea531874e2bfa0dc09f03a653132ff1aedd3d5beffb62e3339dd5448c6501

SHA512
e39b84104c5fa77b5c44fa56cf223db27d1cf8c86fdc73a810f120cd92fcd2eaa32f4f687d32ad6d812e4d324cbfb1c1346203b574d4c387ac4649857d6951f0

Download Submit
C:\Windows\SysWOW64\Kpeiioac.exe
Filesize
128KB

MD5
ad2cf9970bcd672d5489137e7d533d87

SHA1
c807bee528581d8ed51b529f2a661fdb5dc356ec

SHA256
9100ab2b942e8bf6c1b2f49518e772aabe0e8fa45d88db90e4bc88c0cfcd5e4b

SHA512
50ee4e259dca4a24383576b31ea0d3524aa2554b33b46de7975697bb68df39b67fb3c712df1819bc29f0ac191c2cc946a01b23ef85b113a0a7d9510bb99c6563

Download Submit
C:\Windows\SysWOW64\Lbjlfi32.exe
Filesize
128KB

MD5
7bf5b3b4ffd857dfae6ddb17df3b19c4

SHA1
ac2f27d73827a8157ed79a8aae2bc65cba37c0ce

SHA256
131cc16d3fdbd475c5ef9775aa80c870d9a71ddcb71f3986cb46bcb687e10fcd

SHA512
41e649dc6548202cfd8ec661a87cf3044d1b6f55051d7343ca5a89c37ce53f8ebffb8415c2861a83e1cdf5a3995125114dedc830a0f44b9cfb6d44f1f8cce1c5

Download Submit
C:\Windows\SysWOW64\Lfhdlh32.exe
Filesize
128KB

MD5
a15329624cd2b516467ad1e190fc8d85

SHA1
7754b451457ca47ff3d5a419d55f31cbbfca73ab

SHA256
2db059ff9c210a390c2621da1a495c3cd8b9c43c4e8c21e4fe741c0b58cf1742

SHA512
ca43647d91b51988a53b8b0dceac06dbc3c37905f0ffbc808986ef040220be80a13067e90d8e79dcda2eafa3dc17d028d4a00dd482c8bead45eb44ed494f55a8

Download Submit
C:\Windows\SysWOW64\Lfkaag32.exe
Filesize
128KB

MD5
911c79ec86a1b8a0635d1b9fd97accfd

SHA1
328291658b4d1ebb3152d0de818878c3ed64aa5a

SHA256
069745e1fe261a7200eab6cc738ff4e9ad607fb56c9f70621d2c000f14767eef

SHA512
7c04c77137fadd5b2020918684560b438e03fa911c29a43458c0588c8c11cc7a75f8f72d312d7f044b6b7cf8f5c86261061696bfcdcf20af8d69467ddc77d94a

Download Submit
C:\Windows\SysWOW64\Lgmngglp.exe
Filesize
128KB

MD5
c12c8bc536f90dab985743bcca856695

SHA1
a69b84994614c29834eb152415576513b6d705c5

SHA256
e7eb814ba67300e1cbfea87623d40a3e8c08a62a6916d36aa5d41b5e73413db7

SHA512
7e384e41e66fce3e5925cc2a3ae2fbb8fd04b9ad4ba897313005a86dc10b82c04a3f9f3e53e59792a53bb2268449580bfc1dab5327529011cb43176f0e754bb2

Download Submit
C:\Windows\SysWOW64\Liddbc32.exe
Filesize
128KB

MD5
4e97220cb71d2913227f0677dda2a755

SHA1
5f108cc2510b5af02b74a1dad62b69e8763a9fc3

SHA256
5a3eeee9f4a0b94a3c02b5de6f3039d672bd2d1091ee6d4904b527a037800c1b

SHA512
5b139093a27256fb20cdb908f9132837a304e5453a430bbe833c9b0e50aa19d0b301f3843449a41d5c4a00e42780a89f3b7a9de027ced5eba961a51fbe6d53bf

Download Submit
C:\Windows\SysWOW64\Llcpoo32.exe
Filesize
128KB

MD5
222973a25d1d618b58c7baf488d980e0

SHA1
a2bfcf0a1c6f9364a85d1c019e18b8c25501aaac

SHA256
30db27bce50cfcb954b9e57afa527c40aa6adae0b56be64c2d94596d056fee57

SHA512
80339e75985e9adcbf638d9deb6c047e612bb730a4a9dedbed6b9f1561411bc42cecc0c59d90898ceb1ccb09c0226d834347c09059be8dff65fbf7aa72304688

Download Submit
C:\Windows\SysWOW64\Llemdo32.exe
Filesize
128KB

MD5
d26120e40c51ebdab0e45314a476a5df

SHA1
810bb24dae469a5f78486e9b422a2536c4fc4bae

SHA256
bba42e4f5d8f838421c5cc3701e70d099304d170282ed60afe704a8ed339c1cd

SHA512
067eaa8586fb13ac8ad7999466e50bf9e2df4f98b7da7b907d4da27aaa54304db9bd6f092cbd86debb19201ee9ffe6fc0265cdf784f24dfabc09094b15021dfc

Download Submit
C:\Windows\SysWOW64\Lmdina32.exe
Filesize
128KB

MD5
abc12035a848b4299f23bd6437077e80

SHA1
d6b9c7eb654380fdb5587b882230dfc396ebd172

SHA256
00741dec7abede630b3d13313907a3a54e8a5db716b0215ff1b9003768f3a07e

SHA512
83125b64b71871324e52c7d5168975419018be6a117e2dd738762d5e469cb77de983fbe69a8a1681ef97210027f99fa7e37c623c29f9f19e57c175645753190a

Download Submit
C:\Windows\SysWOW64\Npmagine.exe
Filesize
128KB

MD5
ac859ee3f70590f0b4bdb8d83ccd951f

SHA1
83922e4ccb3d34367154b5cf47a58bbcf040a81d

SHA256
881fa7b3138f510e45a30df16616e02e65803d908db89c7a1601cab9bb39126d

SHA512
80c5b850b8a73d149ea8afe8762dc4e684f3b1e2db5af62f969ff7ab6c0add2b4947974f6af3eebb392be76605a917de5e61ec14838d80847029840710a07112

Download Submit
C:\Windows\SysWOW64\Ocnjidkf.exe
Filesize
128KB

MD5
0584dbb1fb6c419b994bb6ae815fdbd5

SHA1
3c8db162bd30aa9d6477edab5e8b1d90212c18ce

SHA256
02d47858db25472695a5f6ea1d22d970e07eccc727b557829936cc541be22e7d

SHA512
c634834e5983ccc4319b60f2ac94f8278ac616b0b9c12ff1a0d5ddef805c98d70dff027d2faf26943ce6c613d9f450bf1eb5aa50d579da57ad006c582d8442b7

Download Submit
C:\Windows\SysWOW64\Qddfkd32.exe
Filesize
64KB

MD5
3d5f3e3b9fb3860c2b92e18e31ec06dc

SHA1
d150e0ae1b22e538a9b2dff9795e9aaf2fa23688

SHA256
592578c5266c56ddca12e548a4343c333a854d0c8b585275c80e8816595575ec

SHA512
109aeaed66ef09949d7fe2ecae280cf59d9e24ac2a1e084ee784a03951f883d5cab7c54c5546c28fe4858d841cda6989a4410cdc75feefe90edfa23ba4f543ef

Download Submit
C:\Windows\SysWOW64\Qqfmde32.exe
Filesize
128KB

MD5
e519502b8e5aa6a06333199ac93de06a

SHA1
6b865280113d2806dc8d17cb8751a164dbe726da

SHA256
7fc09541fd9eec005507ee43df9b541205bf4b26c91005c2919550345d16be87

SHA512
daf984ab839e182f80ce9baa3954cace8000bccd6a9de74ac2eebc6f6dfa7f6ae784b6819a7a0de177f6fd7218c8ca952bd530da04440d6e846388598ee2ee54

Download Submit
memory/316-425-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/412-97-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/744-287-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/784-467-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/880-341-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1140-558-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1160-347-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1328-383-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1360-588-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1360-49-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1420-515-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1488-389-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1492-120-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1548-496-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1600-104-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1784-359-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1840-88-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1844-293-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1952-158-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2116-232-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2132-275-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2136-431-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2208-263-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2244-311-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2252-81-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2328-489-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2332-546-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2348-526-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2360-501-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2452-257-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2456-141-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2476-395-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2508-455-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2516-401-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2576-174-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2680-333-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2736-73-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2756-201-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2768-375-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2776-377-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2836-447-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2904-461-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2948-531-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2952-197-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3004-305-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3084-504-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3204-335-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3232-185-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3280-317-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3296-593-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3296-56-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3300-539-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3300-5-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/3300-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3316-559-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3316-17-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3432-65-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3476-564-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3588-545-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3684-365-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3904-572-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3904-36-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3956-324-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4108-357-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4148-269-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4296-419-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4316-224-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4348-177-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4360-133-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4508-537-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4536-253-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4580-209-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4596-117-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4648-45-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4648-583-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4708-285-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4788-483-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4840-303-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4864-217-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4868-149-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4892-413-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4968-241-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4988-453-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5024-437-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5032-556-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5032-9-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5040-161-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5044-473-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5052-509-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5068-407-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5080-29-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5124-569-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5168-573-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5244-584-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5304-591-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5376-594-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download