a560207b31b6939697c4f0db61c0016255ed5f3d8722e4945ac96c12389bdeb8

Analysis

max time kernel
142s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
26-05-2024 03:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5a5dcf503745a6d46ae1f4fb5dbd83d0_NeikiAnalytics.exe
Size

276KB
MD5

5a5dcf503745a6d46ae1f4fb5dbd83d0
SHA1

7f14c44b34dbf1246bf88df071167114af80419f
SHA256

a560207b31b6939697c4f0db61c0016255ed5f3d8722e4945ac96c12389bdeb8
SHA512

c1f73e470cde7e09662a0415491c900e558075d449bf0669da636e128bf6c9a09495c73b84da695a198cb6a2b1b1dc0eea2214e852c670b706ad28f15cfd5d2a
SSDEEP

6144:BV3TORLSdn7MUZst5qXsunbLwMddjPXmF6EC1LlzxAKN+xTU5AX/KXWZCKl/j:3SR+pMUQunbpd/mF6ECJlzxAKN2X/WW7

Score

10^/10

backdoor dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Emmdom32.exeIbcaknbi.exeJgmjmjnb.exeLqhdbm32.exeLobjni32.exePjdpelnc.exeJojdlfeo.exeLohqnd32.exeJnlkedai.exeDmohno32.exeHaaaaeim.exeKpiqfima.exeOfegni32.exeHolfoqcm.exeMokfja32.exeMfhbga32.exeNjhgbp32.exeFbbicl32.exeLegben32.exeBnlhncgi.exeJohggfha.exeIeidhh32.exeLpfgmnfp.exeLnldla32.exeGpdennml.exeOckdmmoj.exeDfnbgc32.exeKodnmkap.exeEdbiniff.exeHpioin32.exeNfgklkoc.exePbjddh32.exeAhaceo32.exeCgifbhid.exeKidben32.exeLlcghg32.exeLmaamn32.exeCgqlcg32.exeEkjded32.exeFbgbnkfm.exeJocefm32.exeDddllkbf.exeNnhmnn32.exeKcoccc32.exeMohidbkl.exePaeelgnj.exeGndick32.exeDndnpf32.exeEecphp32.exeMmmqhl32.exeNfcabp32.exeLpjjmg32.exeAmnlme32.exeDhgonidg.exeKoonge32.exeNoppeaed.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Emmdom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibcaknbi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jgmjmjnb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lqhdbm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lobjni32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjdpelnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jojdlfeo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lohqnd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jnlkedai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmohno32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Haaaaeim.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpiqfima.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofegni32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Holfoqcm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Haaaaeim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mokfja32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mfhbga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njhgbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fbbicl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Legben32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnlhncgi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Johggfha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ieidhh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpfgmnfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnldla32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gpdennml.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ockdmmoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfnbgc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kodnmkap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Edbiniff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpioin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nfgklkoc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbjddh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpfgmnfp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahaceo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgifbhid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kidben32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llcghg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mokfja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmaamn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgqlcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ekjded32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbgbnkfm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jocefm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgqlcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddllkbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Emmdom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnhmnn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kcoccc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lohqnd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mohidbkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Paeelgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gndick32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dndnpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eecphp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmmqhl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfcabp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpjjmg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njhgbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amnlme32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhgonidg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbbicl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Koonge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Noppeaed.exe

Malware Dropper & Backdoor - Berbew 58 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

Processes:

resource	yara_rule
C:\Windows\SysWOW64\Dmohno32.exe	family_berbew
C:\Windows\SysWOW64\Dndnpf32.exe	family_berbew
C:\Windows\SysWOW64\Dfnbgc32.exe	family_berbew
C:\Windows\SysWOW64\Eecphp32.exe	family_berbew
C:\Windows\SysWOW64\Emmdom32.exe	family_berbew
C:\Windows\SysWOW64\Efgemb32.exe	family_berbew
C:\Windows\SysWOW64\Fflohaij.exe	family_berbew
C:\Windows\SysWOW64\Fmkqpkla.exe	family_berbew
C:\Windows\SysWOW64\Gmdcfidg.exe	family_berbew
C:\Windows\SysWOW64\Gimqajgh.exe	family_berbew
C:\Windows\SysWOW64\Holfoqcm.exe	family_berbew
C:\Windows\SysWOW64\Hbohpn32.exe	family_berbew
C:\Windows\SysWOW64\Hpchib32.exe	family_berbew
C:\Windows\SysWOW64\Ibcaknbi.exe	family_berbew
C:\Windows\SysWOW64\Imkbnf32.exe	family_berbew
C:\Windows\SysWOW64\Ieidhh32.exe	family_berbew
C:\Windows\SysWOW64\Jcmdaljn.exe	family_berbew
C:\Windows\SysWOW64\Jocefm32.exe	family_berbew
C:\Windows\SysWOW64\Jgmjmjnb.exe	family_berbew
C:\Windows\SysWOW64\Jniood32.exe	family_berbew
C:\Windows\SysWOW64\Jnlkedai.exe	family_berbew
C:\Windows\SysWOW64\Kckqbj32.exe	family_berbew
C:\Windows\SysWOW64\Kcmmhj32.exe	family_berbew
C:\Windows\SysWOW64\Kodnmkap.exe	family_berbew
C:\Windows\SysWOW64\Kpcjgnhb.exe	family_berbew
C:\Windows\SysWOW64\Lpfgmnfp.exe	family_berbew
C:\Windows\SysWOW64\Lnldla32.exe	family_berbew
C:\Windows\SysWOW64\Lmaamn32.exe	family_berbew
C:\Windows\SysWOW64\Lobjni32.exe	family_berbew
C:\Windows\SysWOW64\Mcpcdg32.exe	family_berbew
C:\Windows\SysWOW64\Mcbpjg32.exe	family_berbew
C:\Windows\SysWOW64\Mmmqhl32.exe	family_berbew
C:\Windows\SysWOW64\Mfhbga32.exe	family_berbew
C:\Windows\SysWOW64\Njhgbp32.exe	family_berbew
C:\Windows\SysWOW64\Ocgbld32.exe	family_berbew
C:\Windows\SysWOW64\Ofhknodl.exe	family_berbew
C:\Windows\SysWOW64\Ocohmc32.exe	family_berbew
C:\Windows\SysWOW64\Paeelgnj.exe	family_berbew
C:\Windows\SysWOW64\Qfkqjmdg.exe	family_berbew
C:\Windows\SysWOW64\Bmeandma.exe	family_berbew
C:\Windows\SysWOW64\Cnaaib32.exe	family_berbew
C:\Windows\SysWOW64\Cglbhhga.exe	family_berbew
C:\Windows\SysWOW64\Cgqlcg32.exe	family_berbew
C:\Windows\SysWOW64\Dhgonidg.exe	family_berbew
C:\Windows\SysWOW64\Ekcgkb32.exe	family_berbew
C:\Windows\SysWOW64\Fbbicl32.exe	family_berbew
C:\Windows\SysWOW64\Gndick32.exe	family_berbew
C:\Windows\SysWOW64\Hlppno32.exe	family_berbew
C:\Windows\SysWOW64\Iacngdgj.exe	family_berbew
C:\Windows\SysWOW64\Iajdgcab.exe	family_berbew
C:\Windows\SysWOW64\Kpiqfima.exe	family_berbew
C:\Windows\SysWOW64\Kidben32.exe	family_berbew
C:\Windows\SysWOW64\Lcfidb32.exe	family_berbew
C:\Windows\SysWOW64\Llcghg32.exe	family_berbew
C:\Windows\SysWOW64\Nfgklkoc.exe	family_berbew
C:\Windows\SysWOW64\Nodiqp32.exe	family_berbew
C:\Windows\SysWOW64\Ncbafoge.exe	family_berbew
C:\Windows\SysWOW64\Oonlfo32.exe	family_berbew

Executes dropped EXE 64 IoCs

Processes:

Dmohno32.exeDndnpf32.exeDfnbgc32.exeEecphp32.exeEmmdom32.exeEfgemb32.exeFflohaij.exeFmkqpkla.exeGmdcfidg.exeGimqajgh.exeHolfoqcm.exeHbohpn32.exeHpchib32.exeIbcaknbi.exeImkbnf32.exeIeidhh32.exeJcmdaljn.exeJocefm32.exeJgmjmjnb.exeJniood32.exeJnlkedai.exeKckqbj32.exeKcmmhj32.exeKodnmkap.exeKpcjgnhb.exeLpfgmnfp.exeLnldla32.exeLmaamn32.exeLobjni32.exeMcpcdg32.exeMcbpjg32.exeMmmqhl32.exeMfhbga32.exeNjfkmphe.exeNjhgbp32.exeNmipdk32.exeNnhmnn32.exeNfcabp32.exeOcgbld32.exeOfhknodl.exeOclkgccf.exeOcohmc32.exeOabhfg32.exePaeelgnj.exePaiogf32.exePjdpelnc.exeQfkqjmdg.exeAknbkjfh.exeAhaceo32.exeAmnlme32.exeApodoq32.exeAopemh32.exeBmeandma.exeBddcenpi.exeBnlhncgi.exeBajqda32.exeCnaaib32.exeCgifbhid.exeCglbhhga.exeCkjknfnh.exeCgqlcg32.exeDddllkbf.exeDpkmal32.exeDqnjgl32.exe

pid	process
4732	Dmohno32.exe
1928	Dndnpf32.exe
2360	Dfnbgc32.exe
772	Eecphp32.exe
1136	Emmdom32.exe
1812	Efgemb32.exe
4788	Fflohaij.exe
1556	Fmkqpkla.exe
2084	Gmdcfidg.exe
2832	Gimqajgh.exe
5108	Holfoqcm.exe
1776	Hbohpn32.exe
1952	Hpchib32.exe
2516	Ibcaknbi.exe
748	Imkbnf32.exe
2688	Ieidhh32.exe
2776	Jcmdaljn.exe
984	Jocefm32.exe
2616	Jgmjmjnb.exe
3088	Jniood32.exe
1020	Jnlkedai.exe
3096	Kckqbj32.exe
2868	Kcmmhj32.exe
3252	Kodnmkap.exe
4948	Kpcjgnhb.exe
1996	Lpfgmnfp.exe
1960	Lnldla32.exe
5032	Lmaamn32.exe
652	Lobjni32.exe
1180	Mcpcdg32.exe
4012	Mcbpjg32.exe
4068	Mmmqhl32.exe
4784	Mfhbga32.exe
4144	Njfkmphe.exe
2060	Njhgbp32.exe
1984	Nmipdk32.exe
744	Nnhmnn32.exe
4808	Nfcabp32.exe
4740	Ocgbld32.exe
1632	Ofhknodl.exe
3404	Oclkgccf.exe
1380	Ocohmc32.exe
2992	Oabhfg32.exe
3136	Paeelgnj.exe
4296	Paiogf32.exe
4036	Pjdpelnc.exe
4436	Qfkqjmdg.exe
4648	Aknbkjfh.exe
4848	Ahaceo32.exe
5040	Amnlme32.exe
1716	Apodoq32.exe
464	Aopemh32.exe
2268	Bmeandma.exe
4024	Bddcenpi.exe
3432	Bnlhncgi.exe
848	Bajqda32.exe
892	Cnaaib32.exe
3660	Cgifbhid.exe
1252	Cglbhhga.exe
4512	Ckjknfnh.exe
4516	Cgqlcg32.exe
708	Dddllkbf.exe
3884	Dpkmal32.exe
1012	Dqnjgl32.exe

Drops file in System32 directory 64 IoCs

Processes:

Apodoq32.exeJbagbebm.exeKoonge32.exePpnenlka.exeNfgklkoc.exeLqhdbm32.exeMcpcdg32.exeBajqda32.exeGejhef32.exeHpioin32.exeIafkld32.exeNmcpoedn.exeEfgemb32.exeImkbnf32.exeIeidhh32.exeNmipdk32.exeOfegni32.exePmmlla32.exeKpcjgnhb.exeCnaaib32.exeHaaaaeim.exeJniood32.exePaiogf32.exeDqnjgl32.exeLohqnd32.exeLcfidb32.exeMohidbkl.exeGpdennml.exeHolfoqcm.exeHpchib32.exeIbcaknbi.exeNfcabp32.exeEhpadhll.exeFqppci32.exeKpiqfima.exeDmohno32.exeHbohpn32.exeLoofnccf.exeNcbafoge.exePbjddh32.exeDndnpf32.exeLobjni32.exeOcgbld32.exePaeelgnj.exeFbdehlip.exeHnibokbd.exeEkajec32.exeNcmhko32.exePjdpelnc.exeLegben32.exeNodiqp32.exeFgcjfbed.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Aopemh32.exe	Apodoq32.exe
File opened for modification	C:\Windows\SysWOW64\Johggfha.exe	Jbagbebm.exe
File opened for modification	C:\Windows\SysWOW64\Kidben32.exe	Koonge32.exe
File created	C:\Windows\SysWOW64\Pififb32.exe	Ppnenlka.exe
File opened for modification	C:\Windows\SysWOW64\Noppeaed.exe	Nfgklkoc.exe
File created	C:\Windows\SysWOW64\Fmplqd32.dll	Lqhdbm32.exe
File opened for modification	C:\Windows\SysWOW64\Mcbpjg32.exe	Mcpcdg32.exe
File created	C:\Windows\SysWOW64\Jmpjlk32.dll	Mcpcdg32.exe
File created	C:\Windows\SysWOW64\Cnaaib32.exe	Bajqda32.exe
File created	C:\Windows\SysWOW64\Nndbpeal.dll	Gejhef32.exe
File opened for modification	C:\Windows\SysWOW64\Hlppno32.exe	Hpioin32.exe
File opened for modification	C:\Windows\SysWOW64\Iahgad32.exe	Iafkld32.exe
File created	C:\Windows\SysWOW64\Ncmhko32.exe	Nmcpoedn.exe
File opened for modification	C:\Windows\SysWOW64\Fflohaij.exe	Efgemb32.exe
File created	C:\Windows\SysWOW64\Afakoidm.dll	Imkbnf32.exe
File opened for modification	C:\Windows\SysWOW64\Jcmdaljn.exe	Ieidhh32.exe
File opened for modification	C:\Windows\SysWOW64\Nnhmnn32.exe	Nmipdk32.exe
File opened for modification	C:\Windows\SysWOW64\Oonlfo32.exe	Ofegni32.exe
File created	C:\Windows\SysWOW64\Pbjddh32.exe	Pmmlla32.exe
File opened for modification	C:\Windows\SysWOW64\Ieidhh32.exe	Imkbnf32.exe
File opened for modification	C:\Windows\SysWOW64\Lpfgmnfp.exe	Kpcjgnhb.exe
File opened for modification	C:\Windows\SysWOW64\Cgifbhid.exe	Cnaaib32.exe
File created	C:\Windows\SysWOW64\Ffdihjbp.dll	Haaaaeim.exe
File created	C:\Windows\SysWOW64\Cknmplfo.dll	Ofegni32.exe
File opened for modification	C:\Windows\SysWOW64\Jnlkedai.exe	Jniood32.exe
File created	C:\Windows\SysWOW64\Pjdpelnc.exe	Paiogf32.exe
File created	C:\Windows\SysWOW64\Dhgonidg.exe	Dqnjgl32.exe
File created	C:\Windows\SysWOW64\Dagdgfkf.dll	Iafkld32.exe
File created	C:\Windows\SysWOW64\Cbqfhb32.dll	Lohqnd32.exe
File opened for modification	C:\Windows\SysWOW64\Lpjjmg32.exe	Lcfidb32.exe
File opened for modification	C:\Windows\SysWOW64\Mokfja32.exe	Mohidbkl.exe
File created	C:\Windows\SysWOW64\Hnibokbd.exe	Gpdennml.exe
File opened for modification	C:\Windows\SysWOW64\Hbohpn32.exe	Holfoqcm.exe
File opened for modification	C:\Windows\SysWOW64\Ibcaknbi.exe	Hpchib32.exe
File opened for modification	C:\Windows\SysWOW64\Imkbnf32.exe	Ibcaknbi.exe
File created	C:\Windows\SysWOW64\Ocgbld32.exe	Nfcabp32.exe
File created	C:\Windows\SysWOW64\Hknfelnj.dll	Dqnjgl32.exe
File created	C:\Windows\SysWOW64\Gimngjie.dll	Ehpadhll.exe
File created	C:\Windows\SysWOW64\Fbplml32.exe	Fqppci32.exe
File opened for modification	C:\Windows\SysWOW64\Koonge32.exe	Kpiqfima.exe
File created	C:\Windows\SysWOW64\Lpjjmg32.exe	Lcfidb32.exe
File created	C:\Windows\SysWOW64\Oidalg32.dll	Dmohno32.exe
File opened for modification	C:\Windows\SysWOW64\Hpchib32.exe	Hbohpn32.exe
File created	C:\Windows\SysWOW64\Gdlfcb32.dll	Apodoq32.exe
File opened for modification	C:\Windows\SysWOW64\Llcghg32.exe	Loofnccf.exe
File created	C:\Windows\SysWOW64\Maenpfhk.dll	Ncbafoge.exe
File created	C:\Windows\SysWOW64\Ppnenlka.exe	Pbjddh32.exe
File created	C:\Windows\SysWOW64\Dfnbgc32.exe	Dndnpf32.exe
File created	C:\Windows\SysWOW64\Bgmioggn.dll	Efgemb32.exe
File opened for modification	C:\Windows\SysWOW64\Mcpcdg32.exe	Lobjni32.exe
File opened for modification	C:\Windows\SysWOW64\Ofhknodl.exe	Ocgbld32.exe
File created	C:\Windows\SysWOW64\Apgnjp32.dll	Paeelgnj.exe
File created	C:\Windows\SysWOW64\Bpfljc32.dll	Fbdehlip.exe
File created	C:\Windows\SysWOW64\Hpioin32.exe	Hnibokbd.exe
File created	C:\Windows\SysWOW64\Hpchib32.exe	Hbohpn32.exe
File opened for modification	C:\Windows\SysWOW64\Paiogf32.exe	Paeelgnj.exe
File opened for modification	C:\Windows\SysWOW64\Ekcgkb32.exe	Ekajec32.exe
File created	C:\Windows\SysWOW64\Jfmlqhcc.dll	Kpiqfima.exe
File opened for modification	C:\Windows\SysWOW64\Nodiqp32.exe	Ncmhko32.exe
File created	C:\Windows\SysWOW64\Hhblffgn.dll	Pjdpelnc.exe
File created	C:\Windows\SysWOW64\Loofnccf.exe	Legben32.exe
File created	C:\Windows\SysWOW64\Nmhijd32.exe	Nodiqp32.exe
File opened for modification	C:\Windows\SysWOW64\Nmhijd32.exe	Nodiqp32.exe
File created	C:\Windows\SysWOW64\Gkaclqkk.exe	Fgcjfbed.exe

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

6204 4772 WerFault.exe Pififb32.exe
6648 4772 WerFault.exe Pififb32.exe

pid	pid_target	process	target process
6204	4772	WerFault.exe	Pififb32.exe
6648	4772	WerFault.exe	Pififb32.exe

Modifies registry class 64 IoCs

Processes:

Ppnenlka.exeEfgemb32.exeLnldla32.exeMpapnfhg.exeOfegni32.exeFbgbnkfm.exeHaaaaeim.exeKidben32.exeEecphp32.exeJocefm32.exeLpfgmnfp.exePaeelgnj.exeDddllkbf.exePafkgphl.exeFbplml32.exeGndick32.exeIajdgcab.exeJcmdaljn.exeMfhbga32.exeOabhfg32.exeAopemh32.exeBmeandma.exeGimqajgh.exeJgmjmjnb.exeLpjjmg32.exePbjddh32.exeHnibokbd.exeJohggfha.exeLlcghg32.exeQfkqjmdg.exeAmnlme32.exeEhpadhll.exeGpdennml.exeIafkld32.exeKpccmhdg.exeGmdcfidg.exeJniood32.exeKodnmkap.exeBddcenpi.exeCgifbhid.exeOfhknodl.exeApodoq32.exeFbdehlip.exeFgcjfbed.exeCgqlcg32.exeEbaplnie.exeDfnbgc32.exeFmkqpkla.exeHpchib32.exeImkbnf32.exeNjfkmphe.exeIahgad32.exeKcoccc32.exePmmlla32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaaklfpn.dll"	Ppnenlka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgmioggn.dll"	Efgemb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Efgemb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnldla32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpapnfhg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ofegni32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fbgbnkfm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffdihjbp.dll"	Haaaaeim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kidben32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eecphp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jocefm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipbehfom.dll"	Lpfgmnfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apgnjp32.dll"	Paeelgnj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dddllkbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfgbakef.dll"	Pafkgphl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlbmonhi.dll"	Fbplml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkphhg32.dll"	Gndick32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iajdgcab.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jcmdaljn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mfhbga32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oabhfg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aopemh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmeandma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edommp32.dll"	Eecphp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gimqajgh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eemnff32.dll"	Jgmjmjnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egopbhnc.dll"	Lpjjmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlkbkddd.dll"	Pbjddh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hnibokbd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Johggfha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Llcghg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpfgmnfp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qfkqjmdg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amnlme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gimngjie.dll"	Ehpadhll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpehef32.dll"	Gpdennml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cknmplfo.dll"	Ofegni32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iafkld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpccmhdg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nqdmimbf.dll"	Gmdcfidg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jniood32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Almoijfo.dll"	Kodnmkap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bddcenpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjlfmfbi.dll"	Cgifbhid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Caecnh32.dll"	Mpapnfhg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpfgmnfp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ofhknodl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Apodoq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fbdehlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fgcjfbed.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgqlcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Papambbb.dll"	Ebaplnie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fbplml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmgnid32.dll"	Dfnbgc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fmkqpkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hpchib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afakoidm.dll"	Imkbnf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njfkmphe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iahgad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kcoccc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eapjpi32.dll"	Pmmlla32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfnbgc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eecphp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Imkbnf32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

5a5dcf503745a6d46ae1f4fb5dbd83d0_NeikiAnalytics.exeDmohno32.exeDndnpf32.exeDfnbgc32.exeEecphp32.exeEmmdom32.exeEfgemb32.exeFflohaij.exeFmkqpkla.exeGmdcfidg.exeGimqajgh.exeHolfoqcm.exeHbohpn32.exeHpchib32.exeIbcaknbi.exeImkbnf32.exeIeidhh32.exeJcmdaljn.exeJocefm32.exeJgmjmjnb.exeJniood32.exeJnlkedai.exe

description	pid	process	target process
PID 1140 wrote to memory of 4732	1140	5a5dcf503745a6d46ae1f4fb5dbd83d0_NeikiAnalytics.exe	Dmohno32.exe
PID 1140 wrote to memory of 4732	1140	5a5dcf503745a6d46ae1f4fb5dbd83d0_NeikiAnalytics.exe	Dmohno32.exe
PID 1140 wrote to memory of 4732	1140	5a5dcf503745a6d46ae1f4fb5dbd83d0_NeikiAnalytics.exe	Dmohno32.exe
PID 4732 wrote to memory of 1928	4732	Dmohno32.exe	Dndnpf32.exe
PID 4732 wrote to memory of 1928	4732	Dmohno32.exe	Dndnpf32.exe
PID 4732 wrote to memory of 1928	4732	Dmohno32.exe	Dndnpf32.exe
PID 1928 wrote to memory of 2360	1928	Dndnpf32.exe	Dfnbgc32.exe
PID 1928 wrote to memory of 2360	1928	Dndnpf32.exe	Dfnbgc32.exe
PID 1928 wrote to memory of 2360	1928	Dndnpf32.exe	Dfnbgc32.exe
PID 2360 wrote to memory of 772	2360	Dfnbgc32.exe	Eecphp32.exe
PID 2360 wrote to memory of 772	2360	Dfnbgc32.exe	Eecphp32.exe
PID 2360 wrote to memory of 772	2360	Dfnbgc32.exe	Eecphp32.exe
PID 772 wrote to memory of 1136	772	Eecphp32.exe	Emmdom32.exe
PID 772 wrote to memory of 1136	772	Eecphp32.exe	Emmdom32.exe
PID 772 wrote to memory of 1136	772	Eecphp32.exe	Emmdom32.exe
PID 1136 wrote to memory of 1812	1136	Emmdom32.exe	Efgemb32.exe
PID 1136 wrote to memory of 1812	1136	Emmdom32.exe	Efgemb32.exe
PID 1136 wrote to memory of 1812	1136	Emmdom32.exe	Efgemb32.exe
PID 1812 wrote to memory of 4788	1812	Efgemb32.exe	Fflohaij.exe
PID 1812 wrote to memory of 4788	1812	Efgemb32.exe	Fflohaij.exe
PID 1812 wrote to memory of 4788	1812	Efgemb32.exe	Fflohaij.exe
PID 4788 wrote to memory of 1556	4788	Fflohaij.exe	Fmkqpkla.exe
PID 4788 wrote to memory of 1556	4788	Fflohaij.exe	Fmkqpkla.exe
PID 4788 wrote to memory of 1556	4788	Fflohaij.exe	Fmkqpkla.exe
PID 1556 wrote to memory of 2084	1556	Fmkqpkla.exe	Gmdcfidg.exe
PID 1556 wrote to memory of 2084	1556	Fmkqpkla.exe	Gmdcfidg.exe
PID 1556 wrote to memory of 2084	1556	Fmkqpkla.exe	Gmdcfidg.exe
PID 2084 wrote to memory of 2832	2084	Gmdcfidg.exe	Gimqajgh.exe
PID 2084 wrote to memory of 2832	2084	Gmdcfidg.exe	Gimqajgh.exe
PID 2084 wrote to memory of 2832	2084	Gmdcfidg.exe	Gimqajgh.exe
PID 2832 wrote to memory of 5108	2832	Gimqajgh.exe	Holfoqcm.exe
PID 2832 wrote to memory of 5108	2832	Gimqajgh.exe	Holfoqcm.exe
PID 2832 wrote to memory of 5108	2832	Gimqajgh.exe	Holfoqcm.exe
PID 5108 wrote to memory of 1776	5108	Holfoqcm.exe	Hbohpn32.exe
PID 5108 wrote to memory of 1776	5108	Holfoqcm.exe	Hbohpn32.exe
PID 5108 wrote to memory of 1776	5108	Holfoqcm.exe	Hbohpn32.exe
PID 1776 wrote to memory of 1952	1776	Hbohpn32.exe	Hpchib32.exe
PID 1776 wrote to memory of 1952	1776	Hbohpn32.exe	Hpchib32.exe
PID 1776 wrote to memory of 1952	1776	Hbohpn32.exe	Hpchib32.exe
PID 1952 wrote to memory of 2516	1952	Hpchib32.exe	Ibcaknbi.exe
PID 1952 wrote to memory of 2516	1952	Hpchib32.exe	Ibcaknbi.exe
PID 1952 wrote to memory of 2516	1952	Hpchib32.exe	Ibcaknbi.exe
PID 2516 wrote to memory of 748	2516	Ibcaknbi.exe	Imkbnf32.exe
PID 2516 wrote to memory of 748	2516	Ibcaknbi.exe	Imkbnf32.exe
PID 2516 wrote to memory of 748	2516	Ibcaknbi.exe	Imkbnf32.exe
PID 748 wrote to memory of 2688	748	Imkbnf32.exe	Ieidhh32.exe
PID 748 wrote to memory of 2688	748	Imkbnf32.exe	Ieidhh32.exe
PID 748 wrote to memory of 2688	748	Imkbnf32.exe	Ieidhh32.exe
PID 2688 wrote to memory of 2776	2688	Ieidhh32.exe	Jcmdaljn.exe
PID 2688 wrote to memory of 2776	2688	Ieidhh32.exe	Jcmdaljn.exe
PID 2688 wrote to memory of 2776	2688	Ieidhh32.exe	Jcmdaljn.exe
PID 2776 wrote to memory of 984	2776	Jcmdaljn.exe	Jocefm32.exe
PID 2776 wrote to memory of 984	2776	Jcmdaljn.exe	Jocefm32.exe
PID 2776 wrote to memory of 984	2776	Jcmdaljn.exe	Jocefm32.exe
PID 984 wrote to memory of 2616	984	Jocefm32.exe	Jgmjmjnb.exe
PID 984 wrote to memory of 2616	984	Jocefm32.exe	Jgmjmjnb.exe
PID 984 wrote to memory of 2616	984	Jocefm32.exe	Jgmjmjnb.exe
PID 2616 wrote to memory of 3088	2616	Jgmjmjnb.exe	Jniood32.exe
PID 2616 wrote to memory of 3088	2616	Jgmjmjnb.exe	Jniood32.exe
PID 2616 wrote to memory of 3088	2616	Jgmjmjnb.exe	Jniood32.exe
PID 3088 wrote to memory of 1020	3088	Jniood32.exe	Jnlkedai.exe
PID 3088 wrote to memory of 1020	3088	Jniood32.exe	Jnlkedai.exe
PID 3088 wrote to memory of 1020	3088	Jniood32.exe	Jnlkedai.exe
PID 1020 wrote to memory of 3096	1020	Jnlkedai.exe	Kckqbj32.exe

C:\Users\Admin\AppData\Local\Temp\5a5dcf503745a6d46ae1f4fb5dbd83d0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5a5dcf503745a6d46ae1f4fb5dbd83d0_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1140

C:\Windows\SysWOW64\Dmohno32.exe
C:\Windows\system32\Dmohno32.exe
2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4732

C:\Windows\SysWOW64\Dndnpf32.exe
C:\Windows\system32\Dndnpf32.exe
3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1928

C:\Windows\SysWOW64\Dfnbgc32.exe
C:\Windows\system32\Dfnbgc32.exe
4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2360

C:\Windows\SysWOW64\Eecphp32.exe
C:\Windows\system32\Eecphp32.exe
5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:772

C:\Windows\SysWOW64\Emmdom32.exe
C:\Windows\system32\Emmdom32.exe
6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1136

C:\Windows\SysWOW64\Efgemb32.exe
C:\Windows\system32\Efgemb32.exe
7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1812

C:\Windows\SysWOW64\Fflohaij.exe
C:\Windows\system32\Fflohaij.exe
8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4788

C:\Windows\SysWOW64\Fmkqpkla.exe
C:\Windows\system32\Fmkqpkla.exe
9⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1556

C:\Windows\SysWOW64\Gmdcfidg.exe
C:\Windows\system32\Gmdcfidg.exe
10⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2084

C:\Windows\SysWOW64\Gimqajgh.exe
C:\Windows\system32\Gimqajgh.exe
11⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2832

C:\Windows\SysWOW64\Holfoqcm.exe
C:\Windows\system32\Holfoqcm.exe
12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5108

C:\Windows\SysWOW64\Hbohpn32.exe
C:\Windows\system32\Hbohpn32.exe
13⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1776

C:\Windows\SysWOW64\Hpchib32.exe
C:\Windows\system32\Hpchib32.exe
14⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1952

C:\Windows\SysWOW64\Ibcaknbi.exe
C:\Windows\system32\Ibcaknbi.exe
15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2516

C:\Windows\SysWOW64\Imkbnf32.exe
C:\Windows\system32\Imkbnf32.exe
16⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:748

C:\Windows\SysWOW64\Ieidhh32.exe
C:\Windows\system32\Ieidhh32.exe
17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2688

C:\Windows\SysWOW64\Jcmdaljn.exe
C:\Windows\system32\Jcmdaljn.exe
18⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2776

C:\Windows\SysWOW64\Jocefm32.exe
C:\Windows\system32\Jocefm32.exe
19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:984

C:\Windows\SysWOW64\Jgmjmjnb.exe
C:\Windows\system32\Jgmjmjnb.exe
20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2616

C:\Windows\SysWOW64\Jniood32.exe
C:\Windows\system32\Jniood32.exe
21⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3088

C:\Windows\SysWOW64\Jnlkedai.exe
C:\Windows\system32\Jnlkedai.exe
22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1020

C:\Windows\SysWOW64\Kckqbj32.exe
C:\Windows\system32\Kckqbj32.exe
23⤵
- Executes dropped EXE
PID:3096

C:\Windows\SysWOW64\Kcmmhj32.exe
C:\Windows\system32\Kcmmhj32.exe
24⤵
- Executes dropped EXE
PID:2868

C:\Windows\SysWOW64\Kodnmkap.exe
C:\Windows\system32\Kodnmkap.exe
25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3252

C:\Windows\SysWOW64\Kpcjgnhb.exe
C:\Windows\system32\Kpcjgnhb.exe
26⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4948

C:\Windows\SysWOW64\Lpfgmnfp.exe
C:\Windows\system32\Lpfgmnfp.exe
27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1996

C:\Windows\SysWOW64\Lqhdbm32.exe
C:\Windows\system32\Lqhdbm32.exe
28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:4536

C:\Windows\SysWOW64\Lnldla32.exe
C:\Windows\system32\Lnldla32.exe
29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1960

C:\Windows\SysWOW64\Lmaamn32.exe
C:\Windows\system32\Lmaamn32.exe
30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5032

C:\Windows\SysWOW64\Lobjni32.exe
C:\Windows\system32\Lobjni32.exe
31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:652

C:\Windows\SysWOW64\Mcpcdg32.exe
C:\Windows\system32\Mcpcdg32.exe
32⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1180

C:\Windows\SysWOW64\Mcbpjg32.exe
C:\Windows\system32\Mcbpjg32.exe
33⤵
- Executes dropped EXE
PID:4012

C:\Windows\SysWOW64\Mmmqhl32.exe
C:\Windows\system32\Mmmqhl32.exe
34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4068

C:\Windows\SysWOW64\Mfhbga32.exe
C:\Windows\system32\Mfhbga32.exe
35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4784

C:\Windows\SysWOW64\Njfkmphe.exe
C:\Windows\system32\Njfkmphe.exe
36⤵
- Executes dropped EXE
- Modifies registry class
PID:4144

C:\Windows\SysWOW64\Njhgbp32.exe
C:\Windows\system32\Njhgbp32.exe
37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2060

C:\Windows\SysWOW64\Nmipdk32.exe
C:\Windows\system32\Nmipdk32.exe
38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1984

C:\Windows\SysWOW64\Nnhmnn32.exe
C:\Windows\system32\Nnhmnn32.exe
39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:744

C:\Windows\SysWOW64\Nfcabp32.exe
C:\Windows\system32\Nfcabp32.exe
40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4808

C:\Windows\SysWOW64\Ocgbld32.exe
C:\Windows\system32\Ocgbld32.exe
41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4740

C:\Windows\SysWOW64\Ofhknodl.exe
C:\Windows\system32\Ofhknodl.exe
42⤵
- Executes dropped EXE
- Modifies registry class
PID:1632

C:\Windows\SysWOW64\Oclkgccf.exe
C:\Windows\system32\Oclkgccf.exe
43⤵
- Executes dropped EXE
PID:3404

C:\Windows\SysWOW64\Ocohmc32.exe
C:\Windows\system32\Ocohmc32.exe
44⤵
- Executes dropped EXE
PID:1380

C:\Windows\SysWOW64\Oabhfg32.exe
C:\Windows\system32\Oabhfg32.exe
45⤵
- Executes dropped EXE
- Modifies registry class
PID:2992

C:\Windows\SysWOW64\Paeelgnj.exe
C:\Windows\system32\Paeelgnj.exe
46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3136

C:\Windows\SysWOW64\Paiogf32.exe
C:\Windows\system32\Paiogf32.exe
47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4296

C:\Windows\SysWOW64\Pjdpelnc.exe
C:\Windows\system32\Pjdpelnc.exe
48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4036

C:\Windows\SysWOW64\Qfkqjmdg.exe
C:\Windows\system32\Qfkqjmdg.exe
49⤵
- Executes dropped EXE
- Modifies registry class
PID:4436

C:\Windows\SysWOW64\Aknbkjfh.exe
C:\Windows\system32\Aknbkjfh.exe
50⤵
- Executes dropped EXE
PID:4648

C:\Windows\SysWOW64\Ahaceo32.exe
C:\Windows\system32\Ahaceo32.exe
51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4848

C:\Windows\SysWOW64\Amnlme32.exe
C:\Windows\system32\Amnlme32.exe
52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:5040

C:\Windows\SysWOW64\Apodoq32.exe
C:\Windows\system32\Apodoq32.exe
53⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1716

C:\Windows\SysWOW64\Aopemh32.exe
C:\Windows\system32\Aopemh32.exe
54⤵
- Executes dropped EXE
- Modifies registry class
PID:464

C:\Windows\SysWOW64\Bmeandma.exe
C:\Windows\system32\Bmeandma.exe
55⤵
- Executes dropped EXE
- Modifies registry class
PID:2268

C:\Windows\SysWOW64\Bddcenpi.exe
C:\Windows\system32\Bddcenpi.exe
56⤵
- Executes dropped EXE
- Modifies registry class
PID:4024

C:\Windows\SysWOW64\Bnlhncgi.exe
C:\Windows\system32\Bnlhncgi.exe
57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3432

C:\Windows\SysWOW64\Bajqda32.exe
C:\Windows\system32\Bajqda32.exe
58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:848

C:\Windows\SysWOW64\Cnaaib32.exe
C:\Windows\system32\Cnaaib32.exe
59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:892

C:\Windows\SysWOW64\Cgifbhid.exe
C:\Windows\system32\Cgifbhid.exe
60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3660

C:\Windows\SysWOW64\Cglbhhga.exe
C:\Windows\system32\Cglbhhga.exe
61⤵
- Executes dropped EXE
PID:1252

C:\Windows\SysWOW64\Ckjknfnh.exe
C:\Windows\system32\Ckjknfnh.exe
62⤵
- Executes dropped EXE
PID:4512

C:\Windows\SysWOW64\Cgqlcg32.exe
C:\Windows\system32\Cgqlcg32.exe
63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4516

C:\Windows\SysWOW64\Dddllkbf.exe
C:\Windows\system32\Dddllkbf.exe
64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:708

C:\Windows\SysWOW64\Dpkmal32.exe
C:\Windows\system32\Dpkmal32.exe
65⤵
- Executes dropped EXE
PID:3884

C:\Windows\SysWOW64\Dqnjgl32.exe
C:\Windows\system32\Dqnjgl32.exe
66⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1012

C:\Windows\SysWOW64\Dhgonidg.exe
C:\Windows\system32\Dhgonidg.exe
67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3360

C:\Windows\SysWOW64\Ebaplnie.exe
C:\Windows\system32\Ebaplnie.exe
68⤵
- Modifies registry class
PID:2400

C:\Windows\SysWOW64\Ekjded32.exe
C:\Windows\system32\Ekjded32.exe
69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2124

C:\Windows\SysWOW64\Edbiniff.exe
C:\Windows\system32\Edbiniff.exe
70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3788

C:\Windows\SysWOW64\Ehpadhll.exe
C:\Windows\system32\Ehpadhll.exe
71⤵
- Drops file in System32 directory
- Modifies registry class
PID:628

C:\Windows\SysWOW64\Ekajec32.exe
C:\Windows\system32\Ekajec32.exe
72⤵
- Drops file in System32 directory
PID:4240

C:\Windows\SysWOW64\Ekcgkb32.exe
C:\Windows\system32\Ekcgkb32.exe
73⤵
PID:2220

C:\Windows\SysWOW64\Fqppci32.exe
C:\Windows\system32\Fqppci32.exe
74⤵
- Drops file in System32 directory
PID:1384

C:\Windows\SysWOW64\Fbplml32.exe
C:\Windows\system32\Fbplml32.exe
75⤵
- Modifies registry class
PID:2412

C:\Windows\SysWOW64\Fbbicl32.exe
C:\Windows\system32\Fbbicl32.exe
76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1392

C:\Windows\SysWOW64\Fbdehlip.exe
C:\Windows\system32\Fbdehlip.exe
77⤵
- Drops file in System32 directory
- Modifies registry class
PID:4816

C:\Windows\SysWOW64\Fbgbnkfm.exe
C:\Windows\system32\Fbgbnkfm.exe
78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:4520

C:\Windows\SysWOW64\Fgcjfbed.exe
C:\Windows\system32\Fgcjfbed.exe
79⤵
- Drops file in System32 directory
- Modifies registry class
PID:2648

C:\Windows\SysWOW64\Gkaclqkk.exe
C:\Windows\system32\Gkaclqkk.exe
80⤵
PID:4612

C:\Windows\SysWOW64\Gejhef32.exe
C:\Windows\system32\Gejhef32.exe
81⤵
- Drops file in System32 directory
PID:2576

C:\Windows\SysWOW64\Gndick32.exe
C:\Windows\system32\Gndick32.exe
82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3900

C:\Windows\SysWOW64\Gpdennml.exe
C:\Windows\system32\Gpdennml.exe
83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:5140

C:\Windows\SysWOW64\Hnibokbd.exe
C:\Windows\system32\Hnibokbd.exe
84⤵
- Drops file in System32 directory
- Modifies registry class
PID:5196

C:\Windows\SysWOW64\Hpioin32.exe
C:\Windows\system32\Hpioin32.exe
85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5292

C:\Windows\SysWOW64\Hlppno32.exe
C:\Windows\system32\Hlppno32.exe
86⤵
PID:5336

C:\Windows\SysWOW64\Hpmhdmea.exe
C:\Windows\system32\Hpmhdmea.exe
87⤵
PID:5380

C:\Windows\SysWOW64\Haaaaeim.exe
C:\Windows\system32\Haaaaeim.exe
88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:5424

C:\Windows\SysWOW64\Iacngdgj.exe
C:\Windows\system32\Iacngdgj.exe
89⤵
PID:5472

C:\Windows\SysWOW64\Iafkld32.exe
C:\Windows\system32\Iafkld32.exe
90⤵
- Drops file in System32 directory
- Modifies registry class
PID:5516

C:\Windows\SysWOW64\Iahgad32.exe
C:\Windows\system32\Iahgad32.exe
91⤵
- Modifies registry class
PID:5560

C:\Windows\SysWOW64\Iajdgcab.exe
C:\Windows\system32\Iajdgcab.exe
92⤵
- Modifies registry class
PID:5604

C:\Windows\SysWOW64\Jbagbebm.exe
C:\Windows\system32\Jbagbebm.exe
93⤵
- Drops file in System32 directory
PID:5648

C:\Windows\SysWOW64\Johggfha.exe
C:\Windows\system32\Johggfha.exe
94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5692

C:\Windows\SysWOW64\Jojdlfeo.exe
C:\Windows\system32\Jojdlfeo.exe
95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5736

C:\Windows\SysWOW64\Kpiqfima.exe
C:\Windows\system32\Kpiqfima.exe
96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5792

C:\Windows\SysWOW64\Koonge32.exe
C:\Windows\system32\Koonge32.exe
97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5832

C:\Windows\SysWOW64\Kidben32.exe
C:\Windows\system32\Kidben32.exe
98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5884

C:\Windows\SysWOW64\Kcoccc32.exe
C:\Windows\system32\Kcoccc32.exe
99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5928

C:\Windows\SysWOW64\Kpccmhdg.exe
C:\Windows\system32\Kpccmhdg.exe
100⤵
- Modifies registry class
PID:5972

C:\Windows\SysWOW64\Likhem32.exe
C:\Windows\system32\Likhem32.exe
101⤵
PID:6016

C:\Windows\SysWOW64\Lohqnd32.exe
C:\Windows\system32\Lohqnd32.exe
102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:6060

C:\Windows\SysWOW64\Lcfidb32.exe
C:\Windows\system32\Lcfidb32.exe
103⤵
- Drops file in System32 directory
PID:6104

C:\Windows\SysWOW64\Lpjjmg32.exe
C:\Windows\system32\Lpjjmg32.exe
104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:4928

C:\Windows\SysWOW64\Legben32.exe
C:\Windows\system32\Legben32.exe
105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5192

C:\Windows\SysWOW64\Loofnccf.exe
C:\Windows\system32\Loofnccf.exe
106⤵
- Drops file in System32 directory
PID:5208

C:\Windows\SysWOW64\Llcghg32.exe
C:\Windows\system32\Llcghg32.exe
107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5360

C:\Windows\SysWOW64\Mpapnfhg.exe
C:\Windows\system32\Mpapnfhg.exe
108⤵
- Modifies registry class
PID:3192

C:\Windows\SysWOW64\Mablfnne.exe
C:\Windows\system32\Mablfnne.exe
109⤵
PID:5500

C:\Windows\SysWOW64\Mjlalkmd.exe
C:\Windows\system32\Mjlalkmd.exe
110⤵
PID:5592

C:\Windows\SysWOW64\Mohidbkl.exe
C:\Windows\system32\Mohidbkl.exe
111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5656

C:\Windows\SysWOW64\Mokfja32.exe
C:\Windows\system32\Mokfja32.exe
112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5724

C:\Windows\SysWOW64\Nfgklkoc.exe
C:\Windows\system32\Nfgklkoc.exe
113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5800

C:\Windows\SysWOW64\Noppeaed.exe
C:\Windows\system32\Noppeaed.exe
114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5876

C:\Windows\SysWOW64\Nmcpoedn.exe
C:\Windows\system32\Nmcpoedn.exe
115⤵
- Drops file in System32 directory
PID:5948

C:\Windows\SysWOW64\Ncmhko32.exe
C:\Windows\system32\Ncmhko32.exe
116⤵
- Drops file in System32 directory
PID:6008

C:\Windows\SysWOW64\Nodiqp32.exe
C:\Windows\system32\Nodiqp32.exe
117⤵
- Drops file in System32 directory
PID:6076

C:\Windows\SysWOW64\Nmhijd32.exe
C:\Windows\system32\Nmhijd32.exe
118⤵
PID:116

C:\Windows\SysWOW64\Ncbafoge.exe
C:\Windows\system32\Ncbafoge.exe
119⤵
- Drops file in System32 directory
PID:5232

C:\Windows\SysWOW64\Ofegni32.exe
C:\Windows\system32\Ofegni32.exe
120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:5364

C:\Windows\SysWOW64\Oonlfo32.exe
C:\Windows\system32\Oonlfo32.exe
121⤵
PID:5464

C:\Windows\SysWOW64\Ockdmmoj.exe
C:\Windows\system32\Ockdmmoj.exe
122⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5588

C:\Windows\SysWOW64\Pafkgphl.exe
C:\Windows\system32\Pafkgphl.exe
123⤵
- Modifies registry class
PID:5716

C:\Windows\SysWOW64\Pmmlla32.exe
C:\Windows\system32\Pmmlla32.exe
124⤵
- Drops file in System32 directory
- Modifies registry class
PID:5828

C:\Windows\SysWOW64\Pbjddh32.exe
C:\Windows\system32\Pbjddh32.exe
125⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:5916

C:\Windows\SysWOW64\Ppnenlka.exe
C:\Windows\system32\Ppnenlka.exe
126⤵
- Drops file in System32 directory
- Modifies registry class
PID:6036

C:\Windows\SysWOW64\Pififb32.exe
C:\Windows\system32\Pififb32.exe
127⤵
PID:4772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4772 -s 400
128⤵
- Program crash
PID:6204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4772 -s 400
128⤵
- Program crash
PID:6648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4772 -ip 4772
1⤵
PID:5544

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4064 --field-trial-handle=2356,i,13261194862334667799,7441241219475888176,262144 --variations-seed-version /prefetch:8
1⤵
PID:6412

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bmeandma.exe
Filesize
276KB

MD5
947fb3774e9898e0d271d731003f87f3

SHA1
7431b80c2cda4b33223ea9fce6ccfaf987fd280c

SHA256
a0827fd50186645aa96d979c457f9dc3aca4c8387af8fd8171f0418912517a80

SHA512
7800b08719261b5dbc94719b7c878c79119b039c4cd3b4e04e30c6500a3c116d712d7f4084f0eead0ce83bbe3251a58446280b5c8040bfb458c5da8bdf829a9c

Download Submit
C:\Windows\SysWOW64\Cglbhhga.exe
Filesize
276KB

MD5
471b09f6ff92b7b3af53aba9a55d42cf

SHA1
bfc78fa13a19fd8aeaf648a1e49d2fac6503df68

SHA256
f4da67398cdcc4c889d88d04ee0f1129712c27030f0edd9b146461f191f2beec

SHA512
d0c2e7c50cde847206fdb6b443115b65a1f9b6327bb1a8f73d81adf39c0edada844b4381fa88bb509cc7ac9393e11f0f30b7a9849dd5692edaccabd67b99784e

Download Submit
C:\Windows\SysWOW64\Cgqlcg32.exe
Filesize
276KB

MD5
79117665283060ec11ed19f84d39175c

SHA1
2660a3109ed9fb3709933aa5254f5ef7dbbf67f2

SHA256
d963b3cf91886c5b202986be245860bc50b8bdbcd81eb85c9b7dbe19ecff5902

SHA512
a74af82e852481a249b0fa5c6cf1650974ac7e3c7a18459b2fee07b8fc01e0c264f1b57d0d937228f638e51dca55eb9fcacc573829e709947a336b4b6bcf4901

Download Submit
C:\Windows\SysWOW64\Cnaaib32.exe
Filesize
192KB

MD5
27b356defbf093bff4138e11a6b35f8b

SHA1
10a7255280e67375a53d47146ffc76081b672a8d

SHA256
e49449d6887cb154ac8ff80af405e09f9e60eaa7097e8854078ef1875d2a0518

SHA512
61acf3d410108d65a88d99679d82f525039c6d6daaf640071e08fd14f95c8ed88d934e624c5f3899c17222681b68b7fc8acfd0fcc09cd3060e96a978a72d8d12

Download Submit
C:\Windows\SysWOW64\Dfnbgc32.exe
Filesize
276KB

MD5
e13da1397bc3f8ff8cd27ddf7f8a46cb

SHA1
30a71130fbe82f3f14e9bba29d9631a2d7bfbd89

SHA256
2494939cf1831682b402282275a2d7cad066de06f2ce64e3509252b09b72a976

SHA512
3d759ac601aacd3a041348e006428feb2112216a39075f23e802a94680063c11acdda9482fca0ff813f35a4e19dd92e2168173bdd28f060657def28cd5785d82

Download Submit
C:\Windows\SysWOW64\Dhgonidg.exe
Filesize
276KB

MD5
dccea0dbefe14f0bd9a997a117c5075d

SHA1
845ee4276c4951fb73d711e7afed197c304a9595

SHA256
d117167cf8cdb37dcf5efd23f52c0aebcdd6532d4a8739ae8ae8e48b909042e8

SHA512
876f8a81f905eae2fce9e8b77e3f53ab2c9419daa32aced557127873acd6f27178d7ea91cb01049082b1734afdc743402a19529582d4231543e34376e3c81fc5

Download Submit
C:\Windows\SysWOW64\Dmohno32.exe
Filesize
276KB

MD5
259dc584d7c997a188114bb0314f2597

SHA1
29b9cffefd00126b5f57969154d383b941769850

SHA256
39976ad45b5c6e9d2ee9f09c8f3027310c720763b5bf539e88aafeb5f6dc5926

SHA512
6a92fede69c97c75eac5cf93bc678042cf17b908761a6d40d58bc9ab01f366ae304fb641c2b97935abee6f28e92b917d01c476327f93c6f58127aa4f24882812

Download Submit
C:\Windows\SysWOW64\Dndnpf32.exe
Filesize
276KB

MD5
78b294b5dd4a0d8185effd5821a03156

SHA1
89f05704f1f8550e974d928c7aa2ae8132bec4cb

SHA256
e7b3768eec9330c250349cc79263b98bc1c77af4b97b1e1f36bc3e98a1d6aaae

SHA512
61dfabb74f21a3ef79a7bc01dd4e88612abe8ab49d696e0b7f70942ce038dc9f62a1d5b55670ea20a4b27ca3276054be6f66fc41f1b9d6524ca2feb66cee0ee7

Download Submit
C:\Windows\SysWOW64\Eecphp32.exe
Filesize
276KB

MD5
d420c6538700412b67a8a5cfbd68b362

SHA1
1c0fd90c6b852c58947da18f8a1ca5786b7adf06

SHA256
cc977dcbe5b09aa174a0f375ecbf8f4ae3267cf5f333a9dedf2748e2915529a6

SHA512
ef64ecf092b796a246c66d7ff621101c8b37287b289f808846a81bb5d3e5fc8b2e28a5e2821e57ba7ef4ed6f9a8189b188e90fbbf0fe398ecd7acf26af868db9

Download Submit
C:\Windows\SysWOW64\Efgemb32.exe
Filesize
276KB

MD5
0bea1af8dd8a5a2fc790a0d8c1bee19d

SHA1
ae18948a21b46793cc3bebf2374613d491cbf58d

SHA256
f712826620c0650b0bde19cc0b57fe85b64b7ca15df206eb3aed1765bee61b5e

SHA512
b537e2ff862425bb5b2fdbc1209b2a9caafccafa860a35996910081788f2366e8d2271623ddbc83f65e3298fe2aa9e429bd3694a583933c41eb5017b6b395efd

Download Submit
C:\Windows\SysWOW64\Ekcgkb32.exe
Filesize
276KB

MD5
c9132b8f2c6c0fa818bf10ad3250dc44

SHA1
7355827e44e05c07c281a531f9d997f0c9332480

SHA256
031864fb51013addf517f8ae3dfb9efd13fcbf29be182e4ee5912b10d825d360

SHA512
2de9ea2e5ddd01c7b2be87eeebe0572ea0d32391f345887ec51e2ff4105fbe2d4982d44db7258095e37953678aa5408aa0ccb017e9e322ad9bd5711da3d9daf0

Download Submit
C:\Windows\SysWOW64\Emmdom32.exe
Filesize
276KB

MD5
7720fb06b61b3676610a9b9fe49040bb

SHA1
5e3c776d1311511ea44286fe8ef9c5814f73aaa6

SHA256
710e069784d889dfeb4a721ec8aecd39a0b47e5b6f5cc09af53a09fb540778e6

SHA512
dcae6132cd7d51f6a1d2592ad3c21a38660080088d38c9e34d085463e8f1d7e76e70854aaea019e3a76d5c6f6e5e7a5a4158dba050c17f4a73f1c4c4c896a8c5

Download Submit
C:\Windows\SysWOW64\Fbbicl32.exe
Filesize
276KB

MD5
e6493d28f3bebc33f1243f376c2a1ba5

SHA1
a42f271a69f8a502e60b840ec21aee8a37747e4b

SHA256
e42fbc5395947f2af37f74a3ccf8f1d55b024b5e5208357b82e828a56d02f607

SHA512
6cd07b3b964ce30c3a900ff1ec52e7eb65837ef65abc5d0d81a9b6f5d69bc1f4ed3c71130c253938a5eb315d89d39b072ba74aa9cb4d57adf2970c38decea2e4

Download Submit
C:\Windows\SysWOW64\Fflohaij.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\SysWOW64\Fflohaij.exe
Filesize
276KB

MD5
69dca06810948c0ea76ae787bd5ec00a

SHA1
d3b207ee3b7db4ee88f1e5d9d667ef09ea62afd7

SHA256
ba73be0aeeeb5069b74742a09400056288c2a35258eba0d909edb9eff4215484

SHA512
78ed765aa22803896d795a0378ec3d10abf16ee5984dc3b6c8acb07688968e40ef25c272403df5fbb1f7780cbb81b43f7776bf48dbd8fc1f03824a78b71ff921

Download Submit
C:\Windows\SysWOW64\Fmkqpkla.exe
Filesize
276KB

MD5
2c0c3f184ca941a2381b48c98689db25

SHA1
9c65a0d0142e701023331e53593125769a20fc09

SHA256
550a74482c78e6fb89dc665a505bc664e85956cfbcc4f23000fe8defa1e7b0b0

SHA512
ed977508491c3c46f3e51d7439f16cc7284ab4351c0c0885506a9bac3f5402aa3f060eb31c87642c1e684273a3672e891bb2b549661658944b52b04f713aede7

Download Submit
C:\Windows\SysWOW64\Gimqajgh.exe
Filesize
276KB

MD5
4f487844ac11c87a4c359c932d106cd7

SHA1
7c36d4254d6ef4aa92863e0819b329f5a87e30d4

SHA256
55afd5ef414a729ec25b973c9d695dde447d43bceb16a1ddc0b815f9e20bb792

SHA512
1a91b0abad7136151b12380c75337b0a3e6f59ed4dac8503647ad7f50b0b36ca15f5b276b62e95a602f856295ea8b94a2b3bd4d170034ad2f6095f3abec9cabd

Download Submit
C:\Windows\SysWOW64\Gkaclqkk.exe
Filesize
64KB

MD5
1690a3508a3b7fb9eb977d6a4bc82be4

SHA1
9d3aa992073850da6094ec38fd0f150c5367d4ee

SHA256
33b5b378604b94cb457af5e136edab4b08554d8992b6b7a4a2447638fc59dce1

SHA512
c013f2eb047e2ea9d65dd75d6220d756fa74fe3a233b0ffb99c4c6f4148f773d3c75fc355285895802c8583900d6c4c866a80746c54705a91e0db2ae5f572e97

Download Submit
C:\Windows\SysWOW64\Gmdcfidg.exe
Filesize
276KB

MD5
f037d900ab3c17db4cd790b2b90ffbd2

SHA1
66312479936d4138b8e0cab61843c0b7e2b5e582

SHA256
b3bd8ecdf8372087dfcabb048ef51ff15022efefb2ba8d3ca91d88260308bab1

SHA512
1f689e0672cbd33be6401dec30188001bfdc01b4d2e721833ffe1070d9adcb176434cecebfaa23d8ccd205f0ebee82c0c02e7142773c7b53fd8add175ec8a5f8

Download Submit
C:\Windows\SysWOW64\Gndick32.exe
Filesize
276KB

MD5
ab9e5f2d51e7148baf5f6cc4ee5557c0

SHA1
f97ff6f4915e01e63bc87d9a4924eaef70feca42

SHA256
cfb0f2de19154425fff52586d31a69a81bbc8f5a8e31476f3741d885124fb509

SHA512
d066b478f5fb61f07d8cf3b2abee385ca9d28d18ee73e8894dbcda7f86347b329527aad01964e2fe46766cc37b34d3e01cdf1c210db4a81f8cb5fec1da18e7be

Download Submit
C:\Windows\SysWOW64\Hbohpn32.exe
Filesize
276KB

MD5
e2567f4493d47c3070ea52c9f34a2061

SHA1
aae8fc3eb75c7de77ca5c8efa564fc109f3c4784

SHA256
ea0166d3de49f47161f534fefdcf8ad18f42d37c80ca9112e45dc7dea5d4ee00

SHA512
acdf4ad2e90b2fe2a4a1c70580bce197eb97aabd81fab58895aa621c41154aaf041a8e9b37bb3c396a5b2ad0a16d37f47b0255f8d09920e4a3dba0fbb6039404

Download Submit
C:\Windows\SysWOW64\Hlppno32.exe
Filesize
276KB

MD5
34e873f861e8138e166a96db64b10d90

SHA1
f5d76bdb064675451cd27339781cd96f9e217bc5

SHA256
4fba563f535bf346e41a62f60828b0e02c12791cc815e7063223787571c43e6a

SHA512
75a965ca7a138683dfd8ef58c45d77e717040b549549edbbb965438cb5ba1639f180808bc69ae09d73721ff960ff10302477724e98563890fad55c30819afecb

Download Submit
C:\Windows\SysWOW64\Holfoqcm.exe
Filesize
276KB

MD5
c0dc9e6b31943958f2158980379fe2b3

SHA1
cd12a5e0c417ef81af06852eff950d58bc71313e

SHA256
348715adf2b3fc342dc98848e1400effe402c90a770e9ceee2fc6a02905bdbb6

SHA512
fa9532f6f91ede13abd6fcb707333eac90d7e641a2bb1fa1c73ac9800a93aea9bac8b0bfa7dfc97a575e8c7d7524537780333026a7fdc3dc23e1d708e6716358

Download Submit
C:\Windows\SysWOW64\Hpchib32.exe
Filesize
276KB

MD5
af8fc4bfd5d7f124497ed5b2cc642c69

SHA1
d7745c9548d2dce7b8ba0bee585d905a8edf31a1

SHA256
cdbc3c3f632f150cd3d66ffaf0958ea5515ae68efd3ee9bf38d001208eb89a3d

SHA512
ad51fc9f43c2e8b8808a5936e1132808089fe31698b3898359d21414a770c0b724e3a221069b4f7da7c61912eca63d8dcce574f01d2cdee0ae9d79f4df927a33

Download Submit
C:\Windows\SysWOW64\Iacngdgj.exe
Filesize
276KB

MD5
a2072fa2821bb037c4403c83eeec20b3

SHA1
11f0a9634019209520d5093eafc34e6bc96b0017

SHA256
22e501a2cbea4e2a246626d54e83d54cd91c12d608cf4dcfc47345e1d25037b3

SHA512
e376ea4a8c482ef4cd47d9170b109ee83993915f036893602c39b0fa7802e0850eea10b506a2c344fce9a0b6134b7f740be355bf0f255f116b9ea9a858eabf55

Download Submit
C:\Windows\SysWOW64\Iajdgcab.exe
Filesize
276KB

MD5
1becf426bebb18865392772223a7c136

SHA1
712dab38c33d6328dc5630d2e0fc08d9014e8b03

SHA256
7af0f96e5699456b8ca71dc77ed705631ee1096fe9074ccc626cbe9b25b1d36a

SHA512
c49ddcbfc25e1e21d0cec895fd00fa553a053dfc23d09d060a1b1056614f24376333ef80c925ac6f840d0f6689a5ec4b46d049ffb518d923f5919cbb0a29df72

Download Submit
C:\Windows\SysWOW64\Ibcaknbi.exe
Filesize
276KB

MD5
8c8e7aa4f7bba6fb08091a461868ad10

SHA1
65b745a21889b0b8debfec480c1910da76071031

SHA256
828f5c53d15003f0f118e20fbbf2b645fbd908d4e709e87ad8ef2a90ac79e086

SHA512
5942307fdc25dba57a44ea873bf615c500147bbb59f491a710e9645119376e4ef2406f3fb6cafecf126b41a93fac980ae7f19f0ea2b1de3d77197d90a220b396

Download Submit
C:\Windows\SysWOW64\Ieidhh32.exe
Filesize
276KB

MD5
7dcb44610f387dd4286730914bba082f

SHA1
951ab72e3c2cd9ee27935471bde7b1494b4990d6

SHA256
36986b1b2c39ace98b9ee6d3ec3dbcc9853fe7772aa20c8ce1e8b460753ffc8d

SHA512
077db419e854542783246da97d639cec515f6c386b25f2f9979ee712772e1cc3df8b9aac66efcb9ce2d6bc0261533e516ff4eb900a5f071186753451b393d2e5

Download Submit
C:\Windows\SysWOW64\Imkbnf32.exe
Filesize
276KB

MD5
914ebbafb0775dd761971d30fca77f7a

SHA1
680b23cbee59b4fc5cdd1498925c93c3a861d5ca

SHA256
6e99ca3ea53581e1da21e7fe05818e53e5f162a51773332546e8a37c048e7bf1

SHA512
6951eb7659bdacfbe72a4e571b2e76d7c4df6898f3e51ba09647f5cc19c380d1241811a0de069689a1ba33c663ebb69515cc2909ce913401754b26a80a3e87f9

Download Submit
C:\Windows\SysWOW64\Jcmdaljn.exe
Filesize
276KB

MD5
abb46f1bafc6387e6a69ebc98aaa1398

SHA1
51404b4f0588abbd371a2721291910e5f8fa4da7

SHA256
39d03d10cc70b21dc0878feedb50acd1c844bcde3006103a8dfa6ebf57443203

SHA512
93fc52ca8dd563f5efbb695941360095113883341247835cca5c81cc4389cb01e9cfb922a5a90f5c8fad7330b2812c438336bbda0835b3953d67e15dd125e676

Download Submit
C:\Windows\SysWOW64\Jgmjmjnb.exe
Filesize
276KB

MD5
6820851d162d2b9b62894d1e0358eef1

SHA1
00b3fc32dc5a2cd999fca6774559b34d39529a46

SHA256
539eb67453c49e6bf8ae18934a32f4694fb93f94f2c38c2681a5429bde74afae

SHA512
e60cfe6921c4dbb4b522bd9caa1e2c95b6f897dc8cc638334dbd3ab4e8f8ef5ee2994a5ec194714ad53859f661d6e97d4cffc033018c55f55df385ef050511bd

Download Submit
C:\Windows\SysWOW64\Jniood32.exe
Filesize
276KB

MD5
2dc5d45b17456286bb2220f91f67b593

SHA1
56b8b244c6261a88d4b4fe8f20da78eb9e26d682

SHA256
da834dbfd2366410a03c18f20a2707c4c87258ad031318a34aa765660b4707b7

SHA512
2d2bce4b605fa44cfaa99e979b27c5bf82f5b8ea33168603d4d3f08aac274380219a3ce12f080ca9272a20e38f23b77ef5d0ffedf23f19ed0866c01983c97389

Download Submit
C:\Windows\SysWOW64\Jnlkedai.exe
Filesize
276KB

MD5
18b2df3d03d83f04fce349b99620498a

SHA1
b57dce7dd5af114b735ad7ec00197c2ee0f934e8

SHA256
5782ac6004fb8fa455397695febef7b97829e0e036e3a4e28098c60288d3afd7

SHA512
f06325a0db18deb866a635baaeefc75045f1562f713a5443ebf2f997ede352b649b6e6eef19ae7db5a89c26ddc536d847a79730461dfe76801adf7db264439b4

Download Submit
C:\Windows\SysWOW64\Jocefm32.exe
Filesize
276KB

MD5
653da05359af49389bafee5c1990d14d

SHA1
ddcb3a7a1766ed9cc058eda0b9990b4f99a3468d

SHA256
0cb692f84a64d9dfee192de1c364c0fdf550944bf0761bd30a2347a7bf34d154

SHA512
157384a071cd018af5221af2bb61c6c5249cf025c4e1c98289711308bf9f9555fc8452bab7ae31e3fb76ca92c7d15b9b2939b5ce57e7204f2d9af4631b882eab

Download Submit
C:\Windows\SysWOW64\Kckqbj32.exe
Filesize
276KB

MD5
75ed842c9286e2001ba1923141dd0a8c

SHA1
b0a82e28a3a970294f9e3b6f22ba5d4c929a5d4e

SHA256
df2042cfdd59396838f20a491d59f5e57eda465ecdfef179560840a2d7f8d228

SHA512
c200969f47702a36f16882485f92493ba866b9d9cb6d494400b56afe81eecb07aec66cadcc041df1be8be2e6553a75cbf60991df223e3594940862a20853cf7e

Download Submit
C:\Windows\SysWOW64\Kcmmhj32.exe
Filesize
276KB

MD5
b704e785d8388ffd7c1d6d6574bcdb9c

SHA1
276ca5694ea173099bc38aaeecf92aeef08f325c

SHA256
fc90d4186056074da52682dca6ca53d0ff73dfe974915a29050ffb794954280b

SHA512
e8ae02188cb2f639a68e1e61dd72ff2ca12d886c3c2a4f115acba42136416fb99a830a8774560287d96bc6ff9f405b322f1a8e2e5ab545efed6ea33245b5b4f5

Download Submit
C:\Windows\SysWOW64\Kidben32.exe
Filesize
276KB

MD5
1e1cc054c2db503fe07c656d131f00ec

SHA1
b3c26261bf96041fe1e07c2c4da7084c1b73b984

SHA256
7fbe7b2bbb578cac1d3aab5ec1c4841b8462c1084c0607e068c882ac089580de

SHA512
b2d9d47b5e642c2cd179999b3e1d711be2006cc95b1c4e6ba6cc2870e461204696d3af78a2d72f8a63ca791b79dc3053e754c4b63233308e10607c7b3c835ec5

Download Submit
C:\Windows\SysWOW64\Kodnmkap.exe
Filesize
276KB

MD5
81d267be2fe497c2c7bd97e3f9b1f501

SHA1
eb378e2bb5539b64b09985e087c48ba05ecac6ed

SHA256
ed72ff1e805c86605835f9c40cb8e035e0316be8cd99ef8832a0c37759ed9dbd

SHA512
5df97eab5f394b07f7a66eaa3c5e117f105fa8dc98e731c3dd5c6a58ed4379c9a20da54a43277af68005195ae8774a539cd1cfee7f2ea91bc6f4f07fece27492

Download Submit
C:\Windows\SysWOW64\Kpcjgnhb.exe
Filesize
276KB

MD5
61cb9365d0574603d9d874b0b8667e99

SHA1
bb0acf60e5861bd851df01948274651306aad570

SHA256
bcb9bd2300e54c65a0d26915ed594108bd41d18d0ae3882b95c1c5f9371ea37c

SHA512
e1b8cea9bf7745cad551ccc903b59bfac7333db80b7a7667667e73e5f5cb8a818971f52a4fbfa75c919a4cf5f1deff7ac340ba6dff6d31417040c9f76df6eb9d

Download Submit
C:\Windows\SysWOW64\Kpiqfima.exe
Filesize
276KB

MD5
9efb87c20208f83101d943eb74ccbc82

SHA1
7dae7849605fc2d0a520c92cc19ce570819e9443

SHA256
b43345aa98b30bd292bacbbe9ebac1cf053e317221c0058cb4d544b1b479514f

SHA512
1a31f7bfa20b2b369ee0b45ed53a5b41e28b743dc3caa6339df8508c5aadc6ef4a39270b38be22fd80e9642c05cfdbc735e5d469e8f90dbf6e20d4d09c72d665

Download Submit
C:\Windows\SysWOW64\Lcfidb32.exe
Filesize
276KB

MD5
2a4c38f4fbc161bcb72b50353a5cdb69

SHA1
ec3575ea4d0628068f3b3c1e7d0d5eaa7858389c

SHA256
0c4847b331d4ba524cf609442955d1e2aedcaf40174ffc5bbaade605d8d55346

SHA512
772e2592e250f830a94390ff4cd01c979ee97f253504146fd6b1a3c527c06ba2f7ecc0628e3f13b94a14e3948d9425177f6968da317e3074c683bee2f7068620

Download Submit
C:\Windows\SysWOW64\Llcghg32.exe
Filesize
276KB

MD5
23c6ec4533283460a656dcdd834e4d9f

SHA1
fb43de5d34a22be0ec89a7190b2be647242468a9

SHA256
195992662814ee7c670b7449ad80e07f161e958497b47a80498d79eaf9edb60e

SHA512
4a8f1c95e3b13e1a18aa8bbadae3ad9ce7b36292d98765cdc6975ab590ba264c5baf7fd2ee46f8d6c240f48c0d7f5ca973fcedeffa8eed42332a352939ea7864

Download Submit
C:\Windows\SysWOW64\Lmaamn32.exe
Filesize
276KB

MD5
0ecdc71faf957b9e304149b808a4e46f

SHA1
5e0b815dd6a915a65ca41e7e890dc8bf8ad8d9be

SHA256
a746b37765df940018eabc43d6f2acba06a99b65d86f8e881526f892bfce9d78

SHA512
81a378b0e9e9be401edd3e4f2aa9480607b6e488bf1f2ebc0df1084b9108b93b2e5544f222b8cff8fefce795c46868e907950b798b5c66599e7f5f8732d3bd2f

Download Submit
C:\Windows\SysWOW64\Lnldla32.exe
Filesize
276KB

MD5
15c03b606fa0806127487616f39b925d

SHA1
71666f485aee61d7922b3b2841701b52e9c47e7a

SHA256
78e383ced112a64f317b170735298e270d954381afa439a91f0c60351c8ba17a

SHA512
eaf0ee3b9af3d2747f1bcc64de33df24b1c81965aa29d259059c1a6c97b4d61ea7b5d187c4be0c01822839a29c5a2c5f137832b330f6958972671513215baf6a

Download Submit
C:\Windows\SysWOW64\Lobjni32.exe
Filesize
276KB

MD5
5186e04a3bc6fcead9835b31ffcf224e

SHA1
f61810664b71f8f6db2d496d166411b539241c54

SHA256
578393f7f46bced19f91b540cae0ec8dc5e79f8f61b5bba864d900c939316bbe

SHA512
eb09ade962b6c7e902e2271448cb94cdb9bf459b2158742c0093d0df9baef4b310496b71472ceca05712e4c0688dd3e330085e822873612e16733937ce25949d

Download Submit
C:\Windows\SysWOW64\Lpfgmnfp.exe
Filesize
276KB

MD5
474c5d5c4b3416f62036b1aee3ddcbd7

SHA1
ef43f6320e59c027b98911fe7277182bfc5d45df

SHA256
ed5a3978639a403be1c5d9f640aa30ea023e775a5d8f4388808b1689b63ff3e0

SHA512
88fdaefc27dc61781d9a406ea612e818ea9da96e3939370a5b46c4e89797c0bdc6f29286dd4a4781b48455a00f6c7aca54fbe28cbd2c90887949377765e8f0a8

Download Submit
C:\Windows\SysWOW64\Mcbpjg32.exe
Filesize
276KB

MD5
68a4b66b6210dc7dde7fe1828b6a63e0

SHA1
2bbdcd4378bad7ff5150a8667f018408736faefe

SHA256
ba4d64cda3eca3ef2442079eae63ed9039b402d6628f32acde9a57b6ca1c739e

SHA512
0f6402be30c2d3953e54b355ffab9d5ef9ef7ec69500472a4e42687d7fb4027192679f23aff86f89a701847dbf6439e2459ce6f3c933411bd2f49f9999008efa

Download Submit
C:\Windows\SysWOW64\Mcpcdg32.exe
Filesize
276KB

MD5
01a35f38d72420e3ea25df8650c380d7

SHA1
d2c2bb5a17bc640f4e2a53f6502fb748bb97f8b8

SHA256
f606016c8d83705c34bd181ea517904a64860e69492f6e60f43f87efe7b2ec35

SHA512
bfdfae38d4048cee7717a65d3b24e071b82b5a5db55e58e743cd47052b40ed464b888be16aa422045dd1892752bc3afb9a4c872e7e1767bacdff5a760ca300b6

Download Submit
C:\Windows\SysWOW64\Mfhbga32.exe
Filesize
276KB

MD5
e90323b53b0d6c1b91fcbe472915b748

SHA1
480cc63247f7f0b64b5d95d806ec471165dbd087

SHA256
4df6e3845ea16dfdc17efb02f74ab1d238adc0cfa2fab75cafe604badc43abb1

SHA512
fe71256844ed1c78e7a80fad508ef95f6b9f3c9e990a8d4c90be3d8cb973eacc28e1624599fd9af069ee4a9856192714542ee6b838be4a63d61730aea595585a

Download Submit
C:\Windows\SysWOW64\Mmmqhl32.exe
Filesize
276KB

MD5
4898ce9538bdf6e3f6e16370532702a0

SHA1
9676e510693348ea0fb5ae0125b2dcfebbfe11f6

SHA256
af7e38ed6a39141700e404cbe6b2b83333b557305664c98cdc4adbb5e1e0b8f3

SHA512
0f9f92c1e2d9d21578e27765fdff0ac83142c2956a55e1277ac0a8d62764016ec0644946d9bb3e3045bd76517214ca953ec0fb374894481bcbd295e66c9fbfe9

Download Submit
C:\Windows\SysWOW64\Ncbafoge.exe
Filesize
276KB

MD5
879a6adc2da8183f9854cd784a29dfdb

SHA1
3a991bcfafce30f20799b54318c7e4211d7e039c

SHA256
8f1f57482606ffb0989d2268f5d3acc44357473d93185883bb6c470f5b5275c4

SHA512
03ad7d1f02d5695a9c8da9db6b0d6c33b24a5b6989cd01b2cb4c772de96e98da079b515a121eee8d30492345ad061e46a6f74117cc5f4dcae771d714a0cf1ab9

Download Submit
C:\Windows\SysWOW64\Nfgklkoc.exe
Filesize
276KB

MD5
40d180a8fce09cd0653dbdca31da0ff7

SHA1
eb99e82bbd5d766848f816396adc0cb12556d14b

SHA256
9e1ab1de913a328b870190a5802dcd986093b2a5bcdabbfda0f86b7eb69201ed

SHA512
f5d451587426777171e688618b0b9dc22cfc9bc84d15571969fb9d7e9dca3008615bf00c5e6e6a1829a51ef4d88942be0979c84fbef567b506e9d801fece0d37

Download Submit
C:\Windows\SysWOW64\Njhgbp32.exe
Filesize
276KB

MD5
4c82262266f498200c9afeb05c6ac448

SHA1
42771c41278e03055519e5e202ff441bddf2bca4

SHA256
3b9d5e884a481f258fdb4e7836daf37961d4a1cce71ff95870f3adff8c29ee50

SHA512
34bc524a9c70afb83d532f5bc6379eeacc08a47477b2af95bc334ffa58ffb11368b1794e3f7fd239db669fe1c1c4ffb7d789f5c55943889e1b7e0083b380e9ce

Download Submit
C:\Windows\SysWOW64\Nodiqp32.exe
Filesize
276KB

MD5
c838bebb02ea136f08c5e9e6c786155d

SHA1
a5cbd21aff07eb9a79177db151b01e65b9bac2b4

SHA256
20ad806cd095bd47b2bd84875d247b6e9c95ecf9a74cdaf4384dcf171545284e

SHA512
8e37c8274cadd880d691d590b2c4b3ebef6aa719fd7832a2003474323d495d40c5634255233868510062149512474d7b4223c03a5083d24e4ca62523395a5155

Download Submit
C:\Windows\SysWOW64\Ocgbld32.exe
Filesize
276KB

MD5
d705f01353cec10e4ca7358b59fe2245

SHA1
fdf3cb3ee397c3417572e87de389f512c440b57d

SHA256
5e888ff646a105aea504ebbbfa9be75ebadf0fe56bbd04725dfe1b005d0524a1

SHA512
0457148f208636dd90a894416e32d71cb96609c68c0cf0c0db35408ece14af3c8e215c0f21d8b46dc2a908e36bea094a9885dcf035e3e30ad36ea3def9a2b3fa

Download Submit
C:\Windows\SysWOW64\Ocohmc32.exe
Filesize
276KB

MD5
49899df676257e06026d78456a729756

SHA1
9858893f44322795e1c82f654e8b0a44932f17d8

SHA256
6106a984bcc0e77528470eed1022e242fdcfa146b8336371f21d2f81dbafe8c4

SHA512
49ca5b25b4a70b283f4e261017444ac651d25ba2307e57c102fc759c8f1fbd13ccbdeaba50da9411b6d323763ad89a82c4daa01529ce8003ec5989a8370b6625

Download Submit
C:\Windows\SysWOW64\Ofhknodl.exe
Filesize
276KB

MD5
7dd58bdbe8d3d171520b2db7a5e85e79

SHA1
3ca9724cf26f40534b92132fc42f22982cfb9804

SHA256
c7e1610f1df1ada600b2691156845a68628436f07fd3bced76cf573d7cab0078

SHA512
2d577d862f9d12de261e22f82b70b006ca2a6176b8ee9ab4b3361ae81b8b015e90d2123a4196a66b63d3c01d0af0e1e1ac7fc4cc77361e2a47eaaa37d97e62e1

Download Submit
C:\Windows\SysWOW64\Oonlfo32.exe
Filesize
276KB

MD5
ab894188d4109fa612c2587109d19346

SHA1
cfeae648a6c70467013cc66925c897c150f15ac1

SHA256
6eeea54e3e3c1a8cc80d251e113a609a0fb535764d57d6ea5cb95c021942cbb6

SHA512
cc6d9a9500eea4622fa4060402b29fd8fd4077e88f04a11ed3b3a0082c7a317cd2cd67ceb5322ed8489a850c03b96798db4c989d54370cfe0d5a951f9d9d7010

Download Submit
C:\Windows\SysWOW64\Paeelgnj.exe
Filesize
276KB

MD5
476e52aa14522e1d395b76af2a1aa5e9

SHA1
6527a799d8a92c41631ef5e65f9d7a776c21c6d0

SHA256
b09be2f258190724ffff121937f18104430a0641a978c10034002fbbb9b2c187

SHA512
27328c8aa15d7fb6c23e60c1757f5af02bcf46bd4c47c61738397a3f8b6ad809745e74ff372203803c6e25dd593d0e12b874fe45d034ae119a1858a784af2f4f

Download Submit
C:\Windows\SysWOW64\Qfkqjmdg.exe
Filesize
276KB

MD5
50da18506fc988332b5ccf18aa5c41f3

SHA1
3dbf696be905607a1d5bf55e4f1c85d55138e4f6

SHA256
e58ec7ceb15a7907c13b0352abdebf5f68fd56d90997642848b6447704685d96

SHA512
fb0be94d42ac1005b032c08d842ffc794f2ab4c775e41dc5fb5de28954bdec9e29cf89cfbd0e03fbe0f6edc11a1eb9ce096f7b5376450e02a5ece6541127d786

Download Submit
memory/464-377-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/464-872-0x0000000075DB0000-0x0000000075E2B000-memory.dmp

Filesize
492KB

Download
memory/628-479-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/652-231-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/708-437-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/744-287-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/748-119-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/772-31-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/772-567-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/848-401-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/892-407-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/984-144-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1012-449-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1020-167-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1136-574-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1136-39-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1140-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1140-533-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1180-239-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1252-419-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1380-317-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1384-497-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1392-509-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1556-64-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1632-305-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1716-371-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1776-96-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1812-581-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1812-47-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1928-553-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1928-15-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1952-103-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1960-215-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1984-281-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1996-207-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2060-275-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2084-71-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2124-467-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2220-491-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2268-383-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2360-23-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2360-560-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2400-461-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2412-503-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2516-111-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2576-540-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2616-151-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2648-527-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2688-127-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2776-135-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2832-80-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2868-183-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2992-323-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3088-160-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3096-175-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3136-329-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3252-192-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3360-455-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3404-311-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3432-395-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3660-413-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3788-473-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3884-443-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3900-551-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4012-247-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4024-389-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4036-341-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4068-256-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4144-269-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4240-485-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4296-335-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4436-347-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4512-425-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4516-431-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4520-521-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4536-208-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4612-536-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4648-353-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4732-7-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4732-546-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4740-299-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4784-263-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4788-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4788-588-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4808-293-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4816-515-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4848-359-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4948-199-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5032-223-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5040-365-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5108-87-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5140-554-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5196-561-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5292-568-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5336-575-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5380-582-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5424-589-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download