d74b991ee08d9ab2dc12630ee07380f4ffa2c1ebc12b05ab148aeed43691bc36

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
26-05-2024 11:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5595ee4e8e35cfa466ce01fbcd61a300_NeikiAnalytics.exe
Size

378KB
MD5

5595ee4e8e35cfa466ce01fbcd61a300
SHA1

d26ae72501712c2564d48f84c4eaabca6f72f0bb
SHA256

d74b991ee08d9ab2dc12630ee07380f4ffa2c1ebc12b05ab148aeed43691bc36
SHA512

672bd3d0845982b43db58e65c6f7ea47a3d459ec1f92fde910545f5a675cf406357bcace19cdad778676e78f60f1ccaff07565c034e272e35cb2b21e0ff70fdf
SSDEEP

6144:1ls0jprtMsQBma/atn9pG4l+0K76zHTgb8ecFeK8TJ4u392vVAMR4/5V0lLn+Cwq:1qkRMsEat9pG4l+0K7WHT91M52vVAMqa

Score

10^/10

backdoor dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Lilanioo.exeLknjmkdo.exeEfikji32.exeEofinnkf.exeHimcoo32.exeImihfl32.exeJfffjqdf.exeLaopdgcg.exeMgidml32.exeMpdelajl.exeEqalmafo.exeGqfooodg.exeFbqefhpm.exeIapjlk32.exeKbapjafe.exeKphmie32.exeLiggbi32.exeMcpebmkb.exeEoifcnid.exeFcikolnh.exeGjjjle32.exeGcbnejem.exeKmgdgjek.exeKgfoan32.exeMpaifalo.exeGogbdl32.exeJbfpobpb.exeJdemhe32.exeKmlnbi32.exeKibnhjgj.exeHjmoibog.exeIjaida32.exeKdhbec32.exe5595ee4e8e35cfa466ce01fbcd61a300_NeikiAnalytics.exeElccfc32.exeFmmfmbhn.exeLgbnmm32.exeGiofnacd.exeJigollag.exeKknafn32.exeNnhfee32.exeGmkbnp32.exeIiibkn32.exeLmqgnhmp.exeHbanme32.exeKpccnefa.exeMncmjfmk.exeNgedij32.exeLkiqbl32.exeMajopeii.exeGfhqbe32.exeGameonno.exeIpnalhii.exeIjkljp32.exeLdohebqh.exeMjjmog32.exeNdidbn32.exeEjbkehcg.exeEoapbo32.exeIcljbg32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efikji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eofinnkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Himcoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Imihfl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfffjqdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqalmafo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gqfooodg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fbqefhpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iapjlk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbapjafe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liggbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eoifcnid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fcikolnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gjjjle32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcbnejem.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmgdgjek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgfoan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gogbdl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imihfl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbfpobpb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdemhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kibnhjgj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjmoibog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijaida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	5595ee4e8e35cfa466ce01fbcd61a300_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Elccfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Elccfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fmmfmbhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Giofnacd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jigollag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gmkbnp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iiibkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hbanme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpccnefa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gfhqbe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gameonno.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbanme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipnalhii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijkljp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejbkehcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eoapbo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Icljbg32.exe

Malware Dropper & Backdoor - Berbew 47 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

Processes:

resource	yara_rule
C:\Windows\SysWOW64\Dphifcoi.exe	family_berbew
C:\Windows\SysWOW64\Dfdbojmq.exe	family_berbew
C:\Windows\SysWOW64\Djpnohej.exe	family_berbew
C:\Windows\SysWOW64\Domfgpca.exe	family_berbew
C:\Windows\SysWOW64\Ejbkehcg.exe	family_berbew
C:\Windows\SysWOW64\Elagacbk.exe	family_berbew
C:\Windows\SysWOW64\Efikji32.exe	family_berbew
C:\Windows\SysWOW64\Elccfc32.exe	family_berbew
C:\Windows\SysWOW64\Eoapbo32.exe	family_berbew
C:\Windows\SysWOW64\Eqalmafo.exe	family_berbew
C:\Windows\SysWOW64\Ebbidj32.exe	family_berbew
C:\Windows\SysWOW64\Ehlaaddj.exe	family_berbew
C:\Windows\SysWOW64\Eofinnkf.exe	family_berbew
C:\Windows\SysWOW64\Efpajh32.exe	family_berbew
C:\Windows\SysWOW64\Emjjgbjp.exe	family_berbew
C:\Windows\SysWOW64\Eoifcnid.exe	family_berbew
C:\Windows\SysWOW64\Fmmfmbhn.exe	family_berbew
C:\Windows\SysWOW64\Fokbim32.exe	family_berbew
C:\Windows\SysWOW64\Fbioei32.exe	family_berbew
C:\Windows\SysWOW64\Fqkocpod.exe	family_berbew
C:\Windows\SysWOW64\Fcikolnh.exe	family_berbew
C:\Windows\SysWOW64\Fmapha32.exe	family_berbew
C:\Windows\SysWOW64\Fopldmcl.exe	family_berbew
C:\Windows\SysWOW64\Fjepaecb.exe	family_berbew
C:\Windows\SysWOW64\Fobiilai.exe	family_berbew
C:\Windows\SysWOW64\Fbqefhpm.exe	family_berbew
C:\Windows\SysWOW64\Fodeolof.exe	family_berbew
C:\Windows\SysWOW64\Gbcakg32.exe	family_berbew
C:\Windows\SysWOW64\Gjjjle32.exe	family_berbew
C:\Windows\SysWOW64\Gqdbiofi.exe	family_berbew
C:\Windows\SysWOW64\Gogbdl32.exe	family_berbew
C:\Windows\SysWOW64\Gcbnejem.exe	family_berbew
C:\Windows\SysWOW64\Gcekkjcj.exe	family_berbew
C:\Windows\SysWOW64\Hmklen32.exe	family_berbew
C:\Windows\SysWOW64\Ipldfi32.exe	family_berbew
C:\Windows\SysWOW64\Idacmfkj.exe	family_berbew
C:\Windows\SysWOW64\Jdhine32.exe	family_berbew
C:\Windows\SysWOW64\Jidbflcj.exe	family_berbew
C:\Windows\SysWOW64\Jkfkfohj.exe	family_berbew
C:\Windows\SysWOW64\Kacphh32.exe	family_berbew
C:\Windows\SysWOW64\Lmqgnhmp.exe	family_berbew
C:\Windows\SysWOW64\Lijdhiaa.exe	family_berbew
C:\Windows\SysWOW64\Lcdegnep.exe	family_berbew
C:\Windows\SysWOW64\Lknjmkdo.exe	family_berbew
C:\Windows\SysWOW64\Majopeii.exe	family_berbew
C:\Windows\SysWOW64\Mncmjfmk.exe	family_berbew
C:\Windows\SysWOW64\Nnhfee32.exe	family_berbew

Executes dropped EXE 64 IoCs

Processes:

Dphifcoi.exeDfdbojmq.exeDjpnohej.exeDomfgpca.exeEjbkehcg.exeElagacbk.exeEfikji32.exeElccfc32.exeEoapbo32.exeEqalmafo.exeEbbidj32.exeEhlaaddj.exeEofinnkf.exeEfpajh32.exeEmjjgbjp.exeEoifcnid.exeFmmfmbhn.exeFokbim32.exeFbioei32.exeFqkocpod.exeFcikolnh.exeFmapha32.exeFopldmcl.exeFjepaecb.exeFobiilai.exeFbqefhpm.exeFodeolof.exeGbcakg32.exeGjjjle32.exeGqdbiofi.exeGogbdl32.exeGcbnejem.exeGfqjafdq.exeGiofnacd.exeGmkbnp32.exeGqfooodg.exeGcekkjcj.exeGqikdn32.exeGcggpj32.exeGmoliohh.exeGcidfi32.exeGfhqbe32.exeGjclbc32.exeGameonno.exeHclakimb.exeHfjmgdlf.exeHjfihc32.exeHmdedo32.exeHbanme32.exeHfljmdjc.exeHikfip32.exeHabnjm32.exeHcqjfh32.exeHfofbd32.exeHimcoo32.exeHadkpm32.exeHccglh32.exeHjmoibog.exeHmklen32.exeHbhdmd32.exeHjolnb32.exeHmmhjm32.exeIpldfi32.exeIjaida32.exe

pid	process
3360	Dphifcoi.exe
1148	Dfdbojmq.exe
396	Djpnohej.exe
3712	Domfgpca.exe
1236	Ejbkehcg.exe
2560	Elagacbk.exe
208	Efikji32.exe
3084	Elccfc32.exe
2064	Eoapbo32.exe
1088	Eqalmafo.exe
1156	Ebbidj32.exe
3760	Ehlaaddj.exe
8	Eofinnkf.exe
4672	Efpajh32.exe
2160	Emjjgbjp.exe
5044	Eoifcnid.exe
1636	Fmmfmbhn.exe
372	Fokbim32.exe
4492	Fbioei32.exe
2144	Fqkocpod.exe
3680	Fcikolnh.exe
4516	Fmapha32.exe
1884	Fopldmcl.exe
2520	Fjepaecb.exe
4768	Fobiilai.exe
4588	Fbqefhpm.exe
3456	Fodeolof.exe
3968	Gbcakg32.exe
1476	Gjjjle32.exe
2492	Gqdbiofi.exe
1936	Gogbdl32.exe
3684	Gcbnejem.exe
516	Gfqjafdq.exe
3720	Giofnacd.exe
5036	Gmkbnp32.exe
3700	Gqfooodg.exe
4308	Gcekkjcj.exe
3536	Gqikdn32.exe
4112	Gcggpj32.exe
4024	Gmoliohh.exe
3652	Gcidfi32.exe
4252	Gfhqbe32.exe
3196	Gjclbc32.exe
1876	Gameonno.exe
4140	Hclakimb.exe
748	Hfjmgdlf.exe
3592	Hjfihc32.exe
1548	Hmdedo32.exe
5016	Hbanme32.exe
840	Hfljmdjc.exe
3152	Hikfip32.exe
4700	Habnjm32.exe
2620	Hcqjfh32.exe
2260	Hfofbd32.exe
2488	Himcoo32.exe
2516	Hadkpm32.exe
1532	Hccglh32.exe
3228	Hjmoibog.exe
2648	Hmklen32.exe
4584	Hbhdmd32.exe
3256	Hjolnb32.exe
4648	Hmmhjm32.exe
692	Ipldfi32.exe
1756	Ijaida32.exe

Drops file in System32 directory 64 IoCs

Processes:

Ejbkehcg.exeHfjmgdlf.exeLcmofolg.exeNgedij32.exeKdcijcke.exeLdohebqh.exeLaciofpa.exeMjhqjg32.exeNdidbn32.exeEhlaaddj.exeFbioei32.exeHjfihc32.exeLcdegnep.exeJmkdlkph.exeJfhbppbc.exeKgfoan32.exeMamleegg.exeLknjmkdo.exeMpaifalo.exeDomfgpca.exeEbbidj32.exeHjolnb32.exeLkiqbl32.exeMgidml32.exeHfljmdjc.exeIpnalhii.exeLaopdgcg.exeMciobn32.exeFqkocpod.exeGfhqbe32.exeLcbiao32.exeElccfc32.exeKpccnefa.exeLmqgnhmp.exeLklnhlfb.exeEoifcnid.exeGcidfi32.exeNjcpee32.exeNggqoj32.exeGogbdl32.exeHbanme32.exeNqklmpdd.exeEqalmafo.exeFjepaecb.exeGiofnacd.exeLkdggmlj.exeIjkljp32.exeJigollag.exeGbcakg32.exeGfqjafdq.exeHmdedo32.exeIiibkn32.exeMajopeii.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Bobgoedj.dll	Ejbkehcg.exe
File opened for modification	C:\Windows\SysWOW64\Hjfihc32.exe	Hfjmgdlf.exe
File created	C:\Windows\SysWOW64\Qgejif32.dll	Lcmofolg.exe
File created	C:\Windows\SysWOW64\Njcpee32.exe	Ngedij32.exe
File created	C:\Windows\SysWOW64\Milgab32.dll	Kdcijcke.exe
File created	C:\Windows\SysWOW64\Lcbiao32.exe	Ldohebqh.exe
File opened for modification	C:\Windows\SysWOW64\Lpfijcfl.exe	Laciofpa.exe
File created	C:\Windows\SysWOW64\Ciiqgjgg.dll	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Nggqoj32.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Miimhchp.dll	Ehlaaddj.exe
File opened for modification	C:\Windows\SysWOW64\Fqkocpod.exe	Fbioei32.exe
File created	C:\Windows\SysWOW64\Pjpdme32.dll	Hjfihc32.exe
File opened for modification	C:\Windows\SysWOW64\Lklnhlfb.exe	Lcdegnep.exe
File opened for modification	C:\Windows\SysWOW64\Jdemhe32.exe	Jmkdlkph.exe
File created	C:\Windows\SysWOW64\Ggpfjejo.dll	Jfhbppbc.exe
File created	C:\Windows\SysWOW64\Imppcc32.dll	Kgfoan32.exe
File created	C:\Windows\SysWOW64\Njcqqgjb.dll	Mamleegg.exe
File created	C:\Windows\SysWOW64\Ibhblqpo.dll	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Hhapkbgi.dll	Mpaifalo.exe
File opened for modification	C:\Windows\SysWOW64\Ejbkehcg.exe	Domfgpca.exe
File opened for modification	C:\Windows\SysWOW64\Ehlaaddj.exe	Ebbidj32.exe
File created	C:\Windows\SysWOW64\Hmmhjm32.exe	Hjolnb32.exe
File created	C:\Windows\SysWOW64\Lilanioo.exe	Lkiqbl32.exe
File opened for modification	C:\Windows\SysWOW64\Mjhqjg32.exe	Mgidml32.exe
File opened for modification	C:\Windows\SysWOW64\Hikfip32.exe	Hfljmdjc.exe
File opened for modification	C:\Windows\SysWOW64\Ifhiib32.exe	Ipnalhii.exe
File created	C:\Windows\SysWOW64\Lpappc32.exe	Laopdgcg.exe
File created	C:\Windows\SysWOW64\Kpdobeck.dll	Mciobn32.exe
File created	C:\Windows\SysWOW64\Fcikolnh.exe	Fqkocpod.exe
File created	C:\Windows\SysWOW64\Qbplof32.dll	Gfhqbe32.exe
File created	C:\Windows\SysWOW64\Lkiqbl32.exe	Lcbiao32.exe
File created	C:\Windows\SysWOW64\Ddpfgd32.dll	Ngedij32.exe
File created	C:\Windows\SysWOW64\Iedonm32.dll	Elccfc32.exe
File created	C:\Windows\SysWOW64\Lmmcfa32.dll	Kpccnefa.exe
File created	C:\Windows\SysWOW64\Lpocjdld.exe	Lmqgnhmp.exe
File opened for modification	C:\Windows\SysWOW64\Ljnnch32.exe	Lklnhlfb.exe
File opened for modification	C:\Windows\SysWOW64\Fmmfmbhn.exe	Eoifcnid.exe
File opened for modification	C:\Windows\SysWOW64\Gfhqbe32.exe	Gcidfi32.exe
File created	C:\Windows\SysWOW64\Ndidbn32.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Nggqoj32.exe
File created	C:\Windows\SysWOW64\Gcbnejem.exe	Gogbdl32.exe
File created	C:\Windows\SysWOW64\Hmjdia32.dll	Hbanme32.exe
File created	C:\Windows\SysWOW64\Kbapjafe.exe	Kpccnefa.exe
File created	C:\Windows\SysWOW64\Ndghmo32.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Lpfijcfl.exe	Laciofpa.exe
File created	C:\Windows\SysWOW64\Mbaohn32.dll	Laciofpa.exe
File opened for modification	C:\Windows\SysWOW64\Ebbidj32.exe	Eqalmafo.exe
File created	C:\Windows\SysWOW64\Fobiilai.exe	Fjepaecb.exe
File created	C:\Windows\SysWOW64\Pnfmmb32.dll	Giofnacd.exe
File opened for modification	C:\Windows\SysWOW64\Liggbi32.exe	Lkdggmlj.exe
File created	C:\Windows\SysWOW64\Gmkbnp32.exe	Giofnacd.exe
File created	C:\Windows\SysWOW64\Imihfl32.exe	Ijkljp32.exe
File created	C:\Windows\SysWOW64\Jibpdc32.dll	Ijkljp32.exe
File opened for modification	C:\Windows\SysWOW64\Jigollag.exe	Jfhbppbc.exe
File opened for modification	C:\Windows\SysWOW64\Jangmibi.exe	Jigollag.exe
File opened for modification	C:\Windows\SysWOW64\Lkiqbl32.exe	Lcbiao32.exe
File created	C:\Windows\SysWOW64\Lklnhlfb.exe	Lcdegnep.exe
File created	C:\Windows\SysWOW64\Ocaapo32.dll	Gbcakg32.exe
File created	C:\Windows\SysWOW64\Giofnacd.exe	Gfqjafdq.exe
File created	C:\Windows\SysWOW64\Hbanme32.exe	Hmdedo32.exe
File created	C:\Windows\SysWOW64\Iapjlk32.exe	Iiibkn32.exe
File created	C:\Windows\SysWOW64\Diefokle.dll	Gcidfi32.exe
File created	C:\Windows\SysWOW64\Hmdedo32.exe	Hjfihc32.exe
File created	C:\Windows\SysWOW64\Mcklgm32.exe	Majopeii.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

6384 6196 WerFault.exe Nkcmohbg.exe

pid	pid_target	process	target process
6384	6196	WerFault.exe	Nkcmohbg.exe

Modifies registry class 64 IoCs

Processes:

Gfhqbe32.exeKbapjafe.exeLaciofpa.exeMjhqjg32.exeGiofnacd.exeHadkpm32.exeIapjlk32.exeMpaifalo.exeEmjjgbjp.exeLcbiao32.exeGjjjle32.exeKgmlkp32.exeMdkhapfj.exeGogbdl32.exeHjfihc32.exeLpocjdld.exeNdidbn32.exeFqkocpod.exeFopldmcl.exeGjclbc32.exeHcqjfh32.exeIcljbg32.exeMahbje32.exeNnhfee32.exeGmoliohh.exeHbhdmd32.exeLjnnch32.exeGqikdn32.exeHbanme32.exeJdemhe32.exeKbdmpqcb.exeKmlnbi32.exeLaopdgcg.exeLgbnmm32.exeNafokcol.exeHfjmgdlf.exeKgbefoji.exeLdohebqh.exeMgekbljc.exeJigollag.exeLmqgnhmp.exeNkjjij32.exeJfdida32.exeJmnaakne.exeLklnhlfb.exeHfofbd32.exeIfhiib32.exeIiibkn32.exeLcmofolg.exeMgghhlhq.exeMamleegg.exeMgidml32.exeEbbidj32.exeGcekkjcj.exeLijdhiaa.exeGcidfi32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gfhqbe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbapjafe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Giofnacd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hadkpm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iapjlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Emjjgbjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gjjjle32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgmlkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gogbdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hjfihc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkageheh.dll"	Hadkpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Offdjb32.dll"	Lpocjdld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agbpag32.dll"	Fqkocpod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fopldmcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdkhlo32.dll"	Gjclbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hcqjfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeopdi32.dll"	Icljbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mahbje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gmoliohh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hbhdmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mecaoggc.dll"	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gqikdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hbanme32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jdemhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbdmpqcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Joamagmq.dll"	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nafokcol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hfjmgdlf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jigollag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omfnojog.dll"	Jfdida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jmnaakne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hfofbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkillp32.dll"	Ifhiib32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iiibkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfdida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hehifldd.dll"	Kbapjafe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgidml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ebbidj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gogbdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmbocjjm.dll"	Gcekkjcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Icljbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iiibkn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gcidfi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Icljbg32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

5595ee4e8e35cfa466ce01fbcd61a300_NeikiAnalytics.exeDphifcoi.exeDfdbojmq.exeDjpnohej.exeDomfgpca.exeEjbkehcg.exeElagacbk.exeEfikji32.exeElccfc32.exeEoapbo32.exeEqalmafo.exeEbbidj32.exeEhlaaddj.exeEofinnkf.exeEfpajh32.exeEmjjgbjp.exeEoifcnid.exeFmmfmbhn.exeFokbim32.exeFbioei32.exeFqkocpod.exeFcikolnh.exe

description	pid	process	target process
PID 1032 wrote to memory of 3360	1032	5595ee4e8e35cfa466ce01fbcd61a300_NeikiAnalytics.exe	Dphifcoi.exe
PID 1032 wrote to memory of 3360	1032	5595ee4e8e35cfa466ce01fbcd61a300_NeikiAnalytics.exe	Dphifcoi.exe
PID 1032 wrote to memory of 3360	1032	5595ee4e8e35cfa466ce01fbcd61a300_NeikiAnalytics.exe	Dphifcoi.exe
PID 3360 wrote to memory of 1148	3360	Dphifcoi.exe	Dfdbojmq.exe
PID 3360 wrote to memory of 1148	3360	Dphifcoi.exe	Dfdbojmq.exe
PID 3360 wrote to memory of 1148	3360	Dphifcoi.exe	Dfdbojmq.exe
PID 1148 wrote to memory of 396	1148	Dfdbojmq.exe	Djpnohej.exe
PID 1148 wrote to memory of 396	1148	Dfdbojmq.exe	Djpnohej.exe
PID 1148 wrote to memory of 396	1148	Dfdbojmq.exe	Djpnohej.exe
PID 396 wrote to memory of 3712	396	Djpnohej.exe	Domfgpca.exe
PID 396 wrote to memory of 3712	396	Djpnohej.exe	Domfgpca.exe
PID 396 wrote to memory of 3712	396	Djpnohej.exe	Domfgpca.exe
PID 3712 wrote to memory of 1236	3712	Domfgpca.exe	Ejbkehcg.exe
PID 3712 wrote to memory of 1236	3712	Domfgpca.exe	Ejbkehcg.exe
PID 3712 wrote to memory of 1236	3712	Domfgpca.exe	Ejbkehcg.exe
PID 1236 wrote to memory of 2560	1236	Ejbkehcg.exe	Elagacbk.exe
PID 1236 wrote to memory of 2560	1236	Ejbkehcg.exe	Elagacbk.exe
PID 1236 wrote to memory of 2560	1236	Ejbkehcg.exe	Elagacbk.exe
PID 2560 wrote to memory of 208	2560	Elagacbk.exe	Efikji32.exe
PID 2560 wrote to memory of 208	2560	Elagacbk.exe	Efikji32.exe
PID 2560 wrote to memory of 208	2560	Elagacbk.exe	Efikji32.exe
PID 208 wrote to memory of 3084	208	Efikji32.exe	Elccfc32.exe
PID 208 wrote to memory of 3084	208	Efikji32.exe	Elccfc32.exe
PID 208 wrote to memory of 3084	208	Efikji32.exe	Elccfc32.exe
PID 3084 wrote to memory of 2064	3084	Elccfc32.exe	Eoapbo32.exe
PID 3084 wrote to memory of 2064	3084	Elccfc32.exe	Eoapbo32.exe
PID 3084 wrote to memory of 2064	3084	Elccfc32.exe	Eoapbo32.exe
PID 2064 wrote to memory of 1088	2064	Eoapbo32.exe	Eqalmafo.exe
PID 2064 wrote to memory of 1088	2064	Eoapbo32.exe	Eqalmafo.exe
PID 2064 wrote to memory of 1088	2064	Eoapbo32.exe	Eqalmafo.exe
PID 1088 wrote to memory of 1156	1088	Eqalmafo.exe	Ebbidj32.exe
PID 1088 wrote to memory of 1156	1088	Eqalmafo.exe	Ebbidj32.exe
PID 1088 wrote to memory of 1156	1088	Eqalmafo.exe	Ebbidj32.exe
PID 1156 wrote to memory of 3760	1156	Ebbidj32.exe	Ehlaaddj.exe
PID 1156 wrote to memory of 3760	1156	Ebbidj32.exe	Ehlaaddj.exe
PID 1156 wrote to memory of 3760	1156	Ebbidj32.exe	Ehlaaddj.exe
PID 3760 wrote to memory of 8	3760	Ehlaaddj.exe	Eofinnkf.exe
PID 3760 wrote to memory of 8	3760	Ehlaaddj.exe	Eofinnkf.exe
PID 3760 wrote to memory of 8	3760	Ehlaaddj.exe	Eofinnkf.exe
PID 8 wrote to memory of 4672	8	Eofinnkf.exe	Efpajh32.exe
PID 8 wrote to memory of 4672	8	Eofinnkf.exe	Efpajh32.exe
PID 8 wrote to memory of 4672	8	Eofinnkf.exe	Efpajh32.exe
PID 4672 wrote to memory of 2160	4672	Efpajh32.exe	Emjjgbjp.exe
PID 4672 wrote to memory of 2160	4672	Efpajh32.exe	Emjjgbjp.exe
PID 4672 wrote to memory of 2160	4672	Efpajh32.exe	Emjjgbjp.exe
PID 2160 wrote to memory of 5044	2160	Emjjgbjp.exe	Eoifcnid.exe
PID 2160 wrote to memory of 5044	2160	Emjjgbjp.exe	Eoifcnid.exe
PID 2160 wrote to memory of 5044	2160	Emjjgbjp.exe	Eoifcnid.exe
PID 5044 wrote to memory of 1636	5044	Eoifcnid.exe	Fmmfmbhn.exe
PID 5044 wrote to memory of 1636	5044	Eoifcnid.exe	Fmmfmbhn.exe
PID 5044 wrote to memory of 1636	5044	Eoifcnid.exe	Fmmfmbhn.exe
PID 1636 wrote to memory of 372	1636	Fmmfmbhn.exe	Fokbim32.exe
PID 1636 wrote to memory of 372	1636	Fmmfmbhn.exe	Fokbim32.exe
PID 1636 wrote to memory of 372	1636	Fmmfmbhn.exe	Fokbim32.exe
PID 372 wrote to memory of 4492	372	Fokbim32.exe	Fbioei32.exe
PID 372 wrote to memory of 4492	372	Fokbim32.exe	Fbioei32.exe
PID 372 wrote to memory of 4492	372	Fokbim32.exe	Fbioei32.exe
PID 4492 wrote to memory of 2144	4492	Fbioei32.exe	Fqkocpod.exe
PID 4492 wrote to memory of 2144	4492	Fbioei32.exe	Fqkocpod.exe
PID 4492 wrote to memory of 2144	4492	Fbioei32.exe	Fqkocpod.exe
PID 2144 wrote to memory of 3680	2144	Fqkocpod.exe	Fcikolnh.exe
PID 2144 wrote to memory of 3680	2144	Fqkocpod.exe	Fcikolnh.exe
PID 2144 wrote to memory of 3680	2144	Fqkocpod.exe	Fcikolnh.exe
PID 3680 wrote to memory of 4516	3680	Fcikolnh.exe	Fmapha32.exe

C:\Users\Admin\AppData\Local\Temp\5595ee4e8e35cfa466ce01fbcd61a300_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5595ee4e8e35cfa466ce01fbcd61a300_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:1032

C:\Windows\SysWOW64\Dphifcoi.exe
C:\Windows\system32\Dphifcoi.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3360

C:\Windows\SysWOW64\Dfdbojmq.exe
C:\Windows\system32\Dfdbojmq.exe
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1148

C:\Windows\SysWOW64\Djpnohej.exe
C:\Windows\system32\Djpnohej.exe
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:396

C:\Windows\SysWOW64\Domfgpca.exe
C:\Windows\system32\Domfgpca.exe
5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3712

C:\Windows\SysWOW64\Ejbkehcg.exe
C:\Windows\system32\Ejbkehcg.exe
6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1236

C:\Windows\SysWOW64\Elagacbk.exe
C:\Windows\system32\Elagacbk.exe
7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2560

C:\Windows\SysWOW64\Efikji32.exe
C:\Windows\system32\Efikji32.exe
8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:208

C:\Windows\SysWOW64\Elccfc32.exe
C:\Windows\system32\Elccfc32.exe
9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3084

C:\Windows\SysWOW64\Eoapbo32.exe
C:\Windows\system32\Eoapbo32.exe
10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2064

C:\Windows\SysWOW64\Eqalmafo.exe
C:\Windows\system32\Eqalmafo.exe
11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1088

C:\Windows\SysWOW64\Ebbidj32.exe
C:\Windows\system32\Ebbidj32.exe
12⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1156

C:\Windows\SysWOW64\Ehlaaddj.exe
C:\Windows\system32\Ehlaaddj.exe
13⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3760

C:\Windows\SysWOW64\Eofinnkf.exe
C:\Windows\system32\Eofinnkf.exe
14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:8

C:\Windows\SysWOW64\Efpajh32.exe
C:\Windows\system32\Efpajh32.exe
15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4672

C:\Windows\SysWOW64\Emjjgbjp.exe
C:\Windows\system32\Emjjgbjp.exe
16⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2160

C:\Windows\SysWOW64\Eoifcnid.exe
C:\Windows\system32\Eoifcnid.exe
17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5044

C:\Windows\SysWOW64\Fmmfmbhn.exe
C:\Windows\system32\Fmmfmbhn.exe
18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1636

C:\Windows\SysWOW64\Fokbim32.exe
C:\Windows\system32\Fokbim32.exe
19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:372

C:\Windows\SysWOW64\Fbioei32.exe
C:\Windows\system32\Fbioei32.exe
20⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4492

C:\Windows\SysWOW64\Fqkocpod.exe
C:\Windows\system32\Fqkocpod.exe
21⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2144

C:\Windows\SysWOW64\Fcikolnh.exe
C:\Windows\system32\Fcikolnh.exe
22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3680

C:\Windows\SysWOW64\Fmapha32.exe
C:\Windows\system32\Fmapha32.exe
23⤵
- Executes dropped EXE
PID:4516

C:\Windows\SysWOW64\Fopldmcl.exe
C:\Windows\system32\Fopldmcl.exe
24⤵
- Executes dropped EXE
- Modifies registry class
PID:1884

C:\Windows\SysWOW64\Fjepaecb.exe
C:\Windows\system32\Fjepaecb.exe
25⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2520

C:\Windows\SysWOW64\Fobiilai.exe
C:\Windows\system32\Fobiilai.exe
26⤵
- Executes dropped EXE
PID:4768

C:\Windows\SysWOW64\Fbqefhpm.exe
C:\Windows\system32\Fbqefhpm.exe
27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4588

C:\Windows\SysWOW64\Fodeolof.exe
C:\Windows\system32\Fodeolof.exe
28⤵
- Executes dropped EXE
PID:3456

C:\Windows\SysWOW64\Gbcakg32.exe
C:\Windows\system32\Gbcakg32.exe
29⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3968

C:\Windows\SysWOW64\Gjjjle32.exe
C:\Windows\system32\Gjjjle32.exe
30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1476

C:\Windows\SysWOW64\Gqdbiofi.exe
C:\Windows\system32\Gqdbiofi.exe
31⤵
- Executes dropped EXE
PID:2492

C:\Windows\SysWOW64\Gogbdl32.exe
C:\Windows\system32\Gogbdl32.exe
32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1936

C:\Windows\SysWOW64\Gcbnejem.exe
C:\Windows\system32\Gcbnejem.exe
33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3684

C:\Windows\SysWOW64\Gfqjafdq.exe
C:\Windows\system32\Gfqjafdq.exe
34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:516

C:\Windows\SysWOW64\Giofnacd.exe
C:\Windows\system32\Giofnacd.exe
35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3720

C:\Windows\SysWOW64\Gmkbnp32.exe
C:\Windows\system32\Gmkbnp32.exe
36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5036

C:\Windows\SysWOW64\Gqfooodg.exe
C:\Windows\system32\Gqfooodg.exe
37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3700

C:\Windows\SysWOW64\Gcekkjcj.exe
C:\Windows\system32\Gcekkjcj.exe
38⤵
- Executes dropped EXE
- Modifies registry class
PID:4308

C:\Windows\SysWOW64\Gqikdn32.exe
C:\Windows\system32\Gqikdn32.exe
39⤵
- Executes dropped EXE
- Modifies registry class
PID:3536

C:\Windows\SysWOW64\Gcggpj32.exe
C:\Windows\system32\Gcggpj32.exe
40⤵
- Executes dropped EXE
PID:4112

C:\Windows\SysWOW64\Gmoliohh.exe
C:\Windows\system32\Gmoliohh.exe
41⤵
- Executes dropped EXE
- Modifies registry class
PID:4024

C:\Windows\SysWOW64\Gcidfi32.exe
C:\Windows\system32\Gcidfi32.exe
42⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3652

C:\Windows\SysWOW64\Gfhqbe32.exe
C:\Windows\system32\Gfhqbe32.exe
43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4252

C:\Windows\SysWOW64\Gjclbc32.exe
C:\Windows\system32\Gjclbc32.exe
44⤵
- Executes dropped EXE
- Modifies registry class
PID:3196

C:\Windows\SysWOW64\Gameonno.exe
C:\Windows\system32\Gameonno.exe
45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1876

C:\Windows\SysWOW64\Hclakimb.exe
C:\Windows\system32\Hclakimb.exe
46⤵
- Executes dropped EXE
PID:4140

C:\Windows\SysWOW64\Hfjmgdlf.exe
C:\Windows\system32\Hfjmgdlf.exe
47⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:748

C:\Windows\SysWOW64\Hjfihc32.exe
C:\Windows\system32\Hjfihc32.exe
48⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3592

C:\Windows\SysWOW64\Hmdedo32.exe
C:\Windows\system32\Hmdedo32.exe
49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1548

C:\Windows\SysWOW64\Hbanme32.exe
C:\Windows\system32\Hbanme32.exe
50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:5016

C:\Windows\SysWOW64\Hfljmdjc.exe
C:\Windows\system32\Hfljmdjc.exe
51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:840

C:\Windows\SysWOW64\Hikfip32.exe
C:\Windows\system32\Hikfip32.exe
52⤵
- Executes dropped EXE
PID:3152

C:\Windows\SysWOW64\Habnjm32.exe
C:\Windows\system32\Habnjm32.exe
53⤵
- Executes dropped EXE
PID:4700

C:\Windows\SysWOW64\Hcqjfh32.exe
C:\Windows\system32\Hcqjfh32.exe
54⤵
- Executes dropped EXE
- Modifies registry class
PID:2620

C:\Windows\SysWOW64\Hfofbd32.exe
C:\Windows\system32\Hfofbd32.exe
55⤵
- Executes dropped EXE
- Modifies registry class
PID:2260

C:\Windows\SysWOW64\Himcoo32.exe
C:\Windows\system32\Himcoo32.exe
56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2488

C:\Windows\SysWOW64\Hadkpm32.exe
C:\Windows\system32\Hadkpm32.exe
57⤵
- Executes dropped EXE
- Modifies registry class
PID:2516

C:\Windows\SysWOW64\Hccglh32.exe
C:\Windows\system32\Hccglh32.exe
58⤵
- Executes dropped EXE
PID:1532

C:\Windows\SysWOW64\Hjmoibog.exe
C:\Windows\system32\Hjmoibog.exe
59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3228

C:\Windows\SysWOW64\Hmklen32.exe
C:\Windows\system32\Hmklen32.exe
60⤵
- Executes dropped EXE
PID:2648

C:\Windows\SysWOW64\Hbhdmd32.exe
C:\Windows\system32\Hbhdmd32.exe
61⤵
- Executes dropped EXE
- Modifies registry class
PID:4584

C:\Windows\SysWOW64\Hjolnb32.exe
C:\Windows\system32\Hjolnb32.exe
62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3256

C:\Windows\SysWOW64\Hmmhjm32.exe
C:\Windows\system32\Hmmhjm32.exe
63⤵
- Executes dropped EXE
PID:4648

C:\Windows\SysWOW64\Ipldfi32.exe
C:\Windows\system32\Ipldfi32.exe
64⤵
- Executes dropped EXE
PID:692

C:\Windows\SysWOW64\Ijaida32.exe
C:\Windows\system32\Ijaida32.exe
65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1756

C:\Windows\SysWOW64\Impepm32.exe
C:\Windows\system32\Impepm32.exe
66⤵
PID:2164

C:\Windows\SysWOW64\Ipnalhii.exe
C:\Windows\system32\Ipnalhii.exe
67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:4364

C:\Windows\SysWOW64\Ifhiib32.exe
C:\Windows\system32\Ifhiib32.exe
68⤵
- Modifies registry class
PID:2824

C:\Windows\SysWOW64\Iiffen32.exe
C:\Windows\system32\Iiffen32.exe
69⤵
PID:1228

C:\Windows\SysWOW64\Iannfk32.exe
C:\Windows\system32\Iannfk32.exe
70⤵
PID:2452

C:\Windows\SysWOW64\Icljbg32.exe
C:\Windows\system32\Icljbg32.exe
71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:952

C:\Windows\SysWOW64\Iiibkn32.exe
C:\Windows\system32\Iiibkn32.exe
72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:972

C:\Windows\SysWOW64\Iapjlk32.exe
C:\Windows\system32\Iapjlk32.exe
73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1440

C:\Windows\SysWOW64\Ibagcc32.exe
C:\Windows\system32\Ibagcc32.exe
74⤵
PID:408

C:\Windows\SysWOW64\Imgkql32.exe
C:\Windows\system32\Imgkql32.exe
75⤵
PID:3236

C:\Windows\SysWOW64\Idacmfkj.exe
C:\Windows\system32\Idacmfkj.exe
76⤵
PID:3204

C:\Windows\SysWOW64\Ijkljp32.exe
C:\Windows\system32\Ijkljp32.exe
77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1288

C:\Windows\SysWOW64\Imihfl32.exe
C:\Windows\system32\Imihfl32.exe
78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:892

C:\Windows\SysWOW64\Jbfpobpb.exe
C:\Windows\system32\Jbfpobpb.exe
79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4972

C:\Windows\SysWOW64\Jjmhppqd.exe
C:\Windows\system32\Jjmhppqd.exe
80⤵
PID:4224

C:\Windows\SysWOW64\Jmkdlkph.exe
C:\Windows\system32\Jmkdlkph.exe
81⤵
- Drops file in System32 directory
PID:1596

C:\Windows\SysWOW64\Jdemhe32.exe
C:\Windows\system32\Jdemhe32.exe
82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2212

C:\Windows\SysWOW64\Jfdida32.exe
C:\Windows\system32\Jfdida32.exe
83⤵
- Modifies registry class
PID:2628

C:\Windows\SysWOW64\Jmnaakne.exe
C:\Windows\system32\Jmnaakne.exe
84⤵
- Modifies registry class
PID:904

C:\Windows\SysWOW64\Jdhine32.exe
C:\Windows\system32\Jdhine32.exe
85⤵
PID:3932

C:\Windows\SysWOW64\Jfffjqdf.exe
C:\Windows\system32\Jfffjqdf.exe
86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1844

C:\Windows\SysWOW64\Jidbflcj.exe
C:\Windows\system32\Jidbflcj.exe
87⤵
PID:768

C:\Windows\SysWOW64\Jdjfcecp.exe
C:\Windows\system32\Jdjfcecp.exe
88⤵
PID:3460

C:\Windows\SysWOW64\Jfhbppbc.exe
C:\Windows\system32\Jfhbppbc.exe
89⤵
- Drops file in System32 directory
PID:3976

C:\Windows\SysWOW64\Jigollag.exe
C:\Windows\system32\Jigollag.exe
90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2728

C:\Windows\SysWOW64\Jangmibi.exe
C:\Windows\system32\Jangmibi.exe
91⤵
PID:5160

C:\Windows\SysWOW64\Jkfkfohj.exe
C:\Windows\system32\Jkfkfohj.exe
92⤵
PID:5212

C:\Windows\SysWOW64\Kpccnefa.exe
C:\Windows\system32\Kpccnefa.exe
93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5252

C:\Windows\SysWOW64\Kbapjafe.exe
C:\Windows\system32\Kbapjafe.exe
94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5304

C:\Windows\SysWOW64\Kgmlkp32.exe
C:\Windows\system32\Kgmlkp32.exe
95⤵
- Modifies registry class
PID:5348

C:\Windows\SysWOW64\Kmgdgjek.exe
C:\Windows\system32\Kmgdgjek.exe
96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5392

C:\Windows\SysWOW64\Kacphh32.exe
C:\Windows\system32\Kacphh32.exe
97⤵
PID:5436

C:\Windows\SysWOW64\Kbdmpqcb.exe
C:\Windows\system32\Kbdmpqcb.exe
98⤵
- Modifies registry class
PID:5476

C:\Windows\SysWOW64\Kgphpo32.exe
C:\Windows\system32\Kgphpo32.exe
99⤵
PID:5524

C:\Windows\SysWOW64\Kinemkko.exe
C:\Windows\system32\Kinemkko.exe
100⤵
PID:5568

C:\Windows\SysWOW64\Kmjqmi32.exe
C:\Windows\system32\Kmjqmi32.exe
101⤵
PID:5612

C:\Windows\SysWOW64\Kphmie32.exe
C:\Windows\system32\Kphmie32.exe
102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5656

C:\Windows\SysWOW64\Kdcijcke.exe
C:\Windows\system32\Kdcijcke.exe
103⤵
- Drops file in System32 directory
PID:5696

C:\Windows\SysWOW64\Kgbefoji.exe
C:\Windows\system32\Kgbefoji.exe
104⤵
- Modifies registry class
PID:5736

C:\Windows\SysWOW64\Kknafn32.exe
C:\Windows\system32\Kknafn32.exe
105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5784

C:\Windows\SysWOW64\Kmlnbi32.exe
C:\Windows\system32\Kmlnbi32.exe
106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5828

C:\Windows\SysWOW64\Kpjjod32.exe
C:\Windows\system32\Kpjjod32.exe
107⤵
PID:5872

C:\Windows\SysWOW64\Kgdbkohf.exe
C:\Windows\system32\Kgdbkohf.exe
108⤵
PID:5912

C:\Windows\SysWOW64\Kibnhjgj.exe
C:\Windows\system32\Kibnhjgj.exe
109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5956

C:\Windows\SysWOW64\Kmnjhioc.exe
C:\Windows\system32\Kmnjhioc.exe
110⤵
PID:6020

C:\Windows\SysWOW64\Kpmfddnf.exe
C:\Windows\system32\Kpmfddnf.exe
111⤵
PID:6060

C:\Windows\SysWOW64\Kdhbec32.exe
C:\Windows\system32\Kdhbec32.exe
112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6120

C:\Windows\SysWOW64\Kgfoan32.exe
C:\Windows\system32\Kgfoan32.exe
113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:432

C:\Windows\SysWOW64\Liekmj32.exe
C:\Windows\system32\Liekmj32.exe
114⤵
PID:5204

C:\Windows\SysWOW64\Lmqgnhmp.exe
C:\Windows\system32\Lmqgnhmp.exe
115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:5336

C:\Windows\SysWOW64\Lpocjdld.exe
C:\Windows\system32\Lpocjdld.exe
116⤵
- Modifies registry class
PID:5384

C:\Windows\SysWOW64\Lcmofolg.exe
C:\Windows\system32\Lcmofolg.exe
117⤵
- Drops file in System32 directory
- Modifies registry class
PID:5500

C:\Windows\SysWOW64\Lkdggmlj.exe
C:\Windows\system32\Lkdggmlj.exe
118⤵
- Drops file in System32 directory
PID:5588

C:\Windows\SysWOW64\Liggbi32.exe
C:\Windows\system32\Liggbi32.exe
119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5692

C:\Windows\SysWOW64\Laopdgcg.exe
C:\Windows\system32\Laopdgcg.exe
120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:5768

C:\Windows\SysWOW64\Lpappc32.exe
C:\Windows\system32\Lpappc32.exe
121⤵
PID:5836

C:\Windows\SysWOW64\Lcpllo32.exe
C:\Windows\system32\Lcpllo32.exe
122⤵
PID:5924

C:\Windows\SysWOW64\Lgkhlnbn.exe
C:\Windows\system32\Lgkhlnbn.exe
123⤵
PID:6004

C:\Windows\SysWOW64\Lijdhiaa.exe
C:\Windows\system32\Lijdhiaa.exe
124⤵
- Modifies registry class
PID:6068

C:\Windows\SysWOW64\Laalifad.exe
C:\Windows\system32\Laalifad.exe
125⤵
PID:5220

C:\Windows\SysWOW64\Ldohebqh.exe
C:\Windows\system32\Ldohebqh.exe
126⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:5368

C:\Windows\SysWOW64\Lcbiao32.exe
C:\Windows\system32\Lcbiao32.exe
127⤵
- Drops file in System32 directory
- Modifies registry class
PID:5420

C:\Windows\SysWOW64\Lkiqbl32.exe
C:\Windows\system32\Lkiqbl32.exe
128⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5672

C:\Windows\SysWOW64\Lilanioo.exe
C:\Windows\system32\Lilanioo.exe
129⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5780

C:\Windows\SysWOW64\Laciofpa.exe
C:\Windows\system32\Laciofpa.exe
130⤵
- Drops file in System32 directory
- Modifies registry class
PID:5920

C:\Windows\SysWOW64\Lpfijcfl.exe
C:\Windows\system32\Lpfijcfl.exe
131⤵
PID:6008

C:\Windows\SysWOW64\Lcdegnep.exe
C:\Windows\system32\Lcdegnep.exe
132⤵
- Drops file in System32 directory
PID:5128

C:\Windows\SysWOW64\Lklnhlfb.exe
C:\Windows\system32\Lklnhlfb.exe
133⤵
- Drops file in System32 directory
- Modifies registry class
PID:5400

C:\Windows\SysWOW64\Ljnnch32.exe
C:\Windows\system32\Ljnnch32.exe
134⤵
- Modifies registry class
PID:5548

C:\Windows\SysWOW64\Lgbnmm32.exe
C:\Windows\system32\Lgbnmm32.exe
135⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5880

C:\Windows\SysWOW64\Lknjmkdo.exe
C:\Windows\system32\Lknjmkdo.exe
136⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:6072

C:\Windows\SysWOW64\Mahbje32.exe
C:\Windows\system32\Mahbje32.exe
137⤵
- Modifies registry class
PID:5488

C:\Windows\SysWOW64\Mciobn32.exe
C:\Windows\system32\Mciobn32.exe
138⤵
- Drops file in System32 directory
PID:5748

C:\Windows\SysWOW64\Mgekbljc.exe
C:\Windows\system32\Mgekbljc.exe
139⤵
- Modifies registry class
PID:5972

C:\Windows\SysWOW64\Mjcgohig.exe
C:\Windows\system32\Mjcgohig.exe
140⤵
PID:5752

C:\Windows\SysWOW64\Majopeii.exe
C:\Windows\system32\Majopeii.exe
141⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5596

C:\Windows\SysWOW64\Mcklgm32.exe
C:\Windows\system32\Mcklgm32.exe
142⤵
PID:5288

C:\Windows\SysWOW64\Mgghhlhq.exe
C:\Windows\system32\Mgghhlhq.exe
143⤵
- Modifies registry class
PID:5372

C:\Windows\SysWOW64\Mjeddggd.exe
C:\Windows\system32\Mjeddggd.exe
144⤵
PID:6168

C:\Windows\SysWOW64\Mamleegg.exe
C:\Windows\system32\Mamleegg.exe
145⤵
- Drops file in System32 directory
- Modifies registry class
PID:6216

C:\Windows\SysWOW64\Mdkhapfj.exe
C:\Windows\system32\Mdkhapfj.exe
146⤵
- Modifies registry class
PID:6252

C:\Windows\SysWOW64\Mgidml32.exe
C:\Windows\system32\Mgidml32.exe
147⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:6304

C:\Windows\SysWOW64\Mjhqjg32.exe
C:\Windows\system32\Mjhqjg32.exe
148⤵
- Drops file in System32 directory
- Modifies registry class
PID:6340

C:\Windows\SysWOW64\Mncmjfmk.exe
C:\Windows\system32\Mncmjfmk.exe
149⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6388

C:\Windows\SysWOW64\Mpaifalo.exe
C:\Windows\system32\Mpaifalo.exe
150⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:6444

C:\Windows\SysWOW64\Mcpebmkb.exe
C:\Windows\system32\Mcpebmkb.exe
151⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6484

C:\Windows\SysWOW64\Mkgmcjld.exe
C:\Windows\system32\Mkgmcjld.exe
152⤵
PID:6528

C:\Windows\SysWOW64\Mjjmog32.exe
C:\Windows\system32\Mjjmog32.exe
153⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6568

C:\Windows\SysWOW64\Mpdelajl.exe
C:\Windows\system32\Mpdelajl.exe
154⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6608

C:\Windows\SysWOW64\Nkjjij32.exe
C:\Windows\system32\Nkjjij32.exe
155⤵
- Modifies registry class
PID:6652

C:\Windows\SysWOW64\Nnhfee32.exe
C:\Windows\system32\Nnhfee32.exe
156⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:6696

C:\Windows\SysWOW64\Nklfoi32.exe
C:\Windows\system32\Nklfoi32.exe
157⤵
PID:6736

C:\Windows\SysWOW64\Nafokcol.exe
C:\Windows\system32\Nafokcol.exe
158⤵
- Modifies registry class
PID:6784

C:\Windows\SysWOW64\Ngcgcjnc.exe
C:\Windows\system32\Ngcgcjnc.exe
159⤵
PID:6828

C:\Windows\SysWOW64\Njacpf32.exe
C:\Windows\system32\Njacpf32.exe
160⤵
PID:6868

C:\Windows\SysWOW64\Nqklmpdd.exe
C:\Windows\system32\Nqklmpdd.exe
161⤵
- Drops file in System32 directory
PID:6924

C:\Windows\SysWOW64\Ndghmo32.exe
C:\Windows\system32\Ndghmo32.exe
162⤵
PID:6972

C:\Windows\SysWOW64\Ngedij32.exe
C:\Windows\system32\Ngedij32.exe
163⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:7016

C:\Windows\SysWOW64\Njcpee32.exe
C:\Windows\system32\Njcpee32.exe
164⤵
- Drops file in System32 directory
PID:7060

C:\Windows\SysWOW64\Ndidbn32.exe
C:\Windows\system32\Ndidbn32.exe
165⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:7104

C:\Windows\SysWOW64\Nggqoj32.exe
C:\Windows\system32\Nggqoj32.exe
166⤵
- Drops file in System32 directory
PID:7164

C:\Windows\SysWOW64\Nkcmohbg.exe
C:\Windows\system32\Nkcmohbg.exe
167⤵
PID:6196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6196 -s 408
168⤵
- Program crash
PID:6384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 6196 -ip 6196
1⤵
PID:6292

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dfdbojmq.exe
Filesize
378KB

MD5
1414f804ed157d3c293cae3a6fb53fe3

SHA1
034a5f9577095829a6701341575cc735375408cc

SHA256
f2d092e202f620b404e77de7ca0b7873fbcdaddf867ab4a5f8f0118139fe17ec

SHA512
d7ace4142d5e3ef0de369d603ca2bd0942682c8021b95fabc81cac73964d5b4e3892c49c49857e88d7508c50be54df832813825e7d5a75ec65a76a4358719df9

Download Submit
C:\Windows\SysWOW64\Djpnohej.exe
Filesize
378KB

MD5
2d375b9793d537da468d4f563a2701c4

SHA1
fc6b04d0953b4f0c589596d8f6d58f6f427d13dc

SHA256
51a6f35c3b0f52b4f8e0296e162d62445261c319718f7010bf97cd5e7c76258e

SHA512
c526fb3147711b4a4cb65191bddddc81c126fa7bbdac8fd8bf93bfe6e65b43ec69416cdd47e9e404b7d2f69eb32339ceb8ae4ccfeb6fca2e2e1f0c8f6c4cb502

Download Submit
C:\Windows\SysWOW64\Domfgpca.exe
Filesize
378KB

MD5
8972844e83b352a957352813d6e005cf

SHA1
51dfb4c519230975184b59e6877e706f5bc0b0d0

SHA256
6235ee9b4ed3afdaf931b05f130cbf8bd53a975e14075f8503dcfc643b18cab4

SHA512
4e9d77aa1a32564d16f66ad6ec19d3865e42590e58f24a7069a640d30f84441cb425974cffc9bb492b733b96e5e14bf5765e452a0ec26a0858f24d6ce42dfb99

Download Submit
C:\Windows\SysWOW64\Dphifcoi.exe
Filesize
378KB

MD5
9ae64ba550303e306ad9a224789d9434

SHA1
48c43d3a7638b649127804dda15b5b0a8779b08c

SHA256
119084657822a065876e110a17a22603c6543677a262bcc08dfb75acc2487b04

SHA512
55281fb25005786e4ebb41f00935a9ba74e96ab70d75c5e1ccff93e9f2583edc82cadecc2f7866b4cd3ed12540bf8cf59668a168aadf4b23826f0d5d75f75a2e

Download Submit
C:\Windows\SysWOW64\Ebbidj32.exe
Filesize
378KB

MD5
248ab3e430c7b30b572aa0e1a3c04179

SHA1
9da3a73f60d8877d184826fa875b3aad2376cea0

SHA256
4ba24d1a4b5885cadf17a0e982fdcebf7ca954192691a6fde6cb771814bae09a

SHA512
37238d5a1635e92c7a8fb0ac09a54849bd032eaed10d2c0630a42765c77aa659641143c3a0ce2d53b71c338c920d34d592dd437265af29e4e3e682451ebfae3c

Download Submit
C:\Windows\SysWOW64\Efikji32.exe
Filesize
378KB

MD5
6f1c31473380b86a6b412ee18864ffa4

SHA1
512c8f761dc0c6ed20c7ccc34b714a77052cb9d1

SHA256
692281bd6de6b0e3dccdc6d429e3aabce75a5d4ff51a8f3b3d3bc8e2b0bfe1cb

SHA512
7df46b62376797649c68f76297e8667101396ba2d3a2a4a78e02e511649893115ae93fd8347d0d3a419df906e86ba34132be9738ee3178ea34d3f3214ce0dc68

Download Submit
C:\Windows\SysWOW64\Efpajh32.exe
Filesize
378KB

MD5
ea27d0de8795e4e0b9ed247a71af9977

SHA1
af8e2982d426c997f43cf83ba55c44630244719d

SHA256
7782029b38f7f66fc826114ec1b2934b6d8ff740b90f771dda0296a870b7d9cc

SHA512
a2f72fcaa002e406e2696c872be2e9e8ded9f1688647cc85620d5c3b772e787f50e5063f031aa0cb9b178b750d5124b047f6481a78c80f37429d549b6495f0dc

Download Submit
C:\Windows\SysWOW64\Ehlaaddj.exe
Filesize
378KB

MD5
83e497611e98f01c7e0268c1497bb9b8

SHA1
45fad82f181618f926772a80b29f091ecaa14a42

SHA256
ef19cbc355b54f6f59d74dc8c442fc43b9ef3504570b133eb3c6756f0a95a379

SHA512
f72cf17a0e4745c4871cd5407bd01c2892a01d9924ae58b0c60cbdf288162c9732e17f2b02d78b41809d14a61ef5205ff47da019cb0638048926bac2eee61d06

Download Submit
C:\Windows\SysWOW64\Ejbkehcg.exe
Filesize
378KB

MD5
909406d547f6c49ac046a6e620831eb2

SHA1
cd5dba082bc91aff57dbd06c5868a9903d59825f

SHA256
c20a320e5b046f196863dfa3c17aca570c4d17999b1dedc96cfe7894d774385b

SHA512
d1f73932038e837813ee9e5891e6cee9c9b174f7b60147b0e96caab316d4d344032f9d5c4a5ee86f3653e04cb5e90b8900b14388c6182c5f9be75863d6f6b3f4

Download Submit
C:\Windows\SysWOW64\Elagacbk.exe
Filesize
378KB

MD5
c1d2bbbaf332d2901fc803e7dacb6228

SHA1
58a50198e691a4af3e60e8f38a36ff7e2a5d0e7a

SHA256
66b0e0e9a20e5331df665b68b684b2436279a1aeb187ce1eadf7f2b9a5602579

SHA512
3a7eb5b7dac915cffc3cb8ed620e56cbb451537f083f5950f8da3cb3df7e980fbf2626ffa0ead7d646858f3c564111da9ce983370639f7da5a05c84e9de43c8e

Download Submit
C:\Windows\SysWOW64\Elccfc32.exe
Filesize
378KB

MD5
ac495d80ca818d33030b0e6daaf1b630

SHA1
a394a8cb2453960acdb7380eb3f07b438ac84158

SHA256
5d2682163600ab3812024556bd90234c02efbba34e178c4b16c80b738b88c764

SHA512
1ee3e834155804d6eacf44fb44ad1b3e69b5d2af66de5f72fa9ece411a9568d598167d95f8ecdb8f7eadd77c4dc3bda39e1a16c8a62f3331d2de4f7a422be6fb

Download Submit
C:\Windows\SysWOW64\Emjjgbjp.exe
Filesize
378KB

MD5
bc4e32d400769c25e0c1ca9579721148

SHA1
89779d078b5dc5fc2d08868e4d52709c60c09911

SHA256
c64de34b1b1206593d56a08e5dd13e3d8726529622165235275c3a0c109ac211

SHA512
19c834155f08603e1fc8ec74b0fcb76de498f9ccab5f6acd410574b1677968e82717f5a3b52444ce873fdf5949e7159ca27958998f2e00139db517e4521124b0

Download Submit
C:\Windows\SysWOW64\Eoapbo32.exe
Filesize
378KB

MD5
8d8a18e03c44935cdd6948401e4bb953

SHA1
bd72cf6764a14f943076ea1d89c58a67e49b71be

SHA256
1b9cb670ea0643d0fe4eee57c3827ddd09d79015c99987eec7031298549ff120

SHA512
2239011cae7e5afec3a4e2a76a9bee130ea920760e49cb11ea4cf0441f2f06cb595872e6c8c699deb71d160cab65b2bc24a7d54d0827e5a006e594dcba1959e0

Download Submit
C:\Windows\SysWOW64\Eofinnkf.exe
Filesize
378KB

MD5
36566d0841636f47ebe447b8c81b1cf6

SHA1
a4f8b469f8653c47e4dca03b24f038cd66645818

SHA256
436b8938140c423ed1b8f733ca58376fa96bfe8787b0286d356935103b3fafd6

SHA512
b2195dd05241ecca23c55d793d1327c6ccafa794c65184bb39ad8c5d4ca23116655810fdc28ca1a892340dba75d42423b5a5b3457bf634e228d1d5e87d2585b8

Download Submit
C:\Windows\SysWOW64\Eoifcnid.exe
Filesize
378KB

MD5
8984f6c297e3476b20fa5501adbd2cdf

SHA1
cebfd7300b85d09f864234147f484bb18a029f22

SHA256
07565a6b3be988e54e886794eb69ee8013938a586e349855ad35079c5e19ab5f

SHA512
3d25b04b52b63568412a0fdad894aefc8703b3bbc3d8b248e57edf13d63dee3e2368927be1755aa0dd2b4f037f7115b3b699d47ca8807a37ec5a03277a544481

Download Submit
C:\Windows\SysWOW64\Eqalmafo.exe
Filesize
378KB

MD5
4f0c8fe515413eb05b07b6a9e474679d

SHA1
f138394786669a3402620991f44c739389503de3

SHA256
bb407e8638f417beb83fb9001d9ebf3aee7733e179225e44454e5f183939d0f3

SHA512
61fd86047ded37812bfda87362e108b8dda070c765411bdf03bf0d65021aca1b5d2c6bf4b834fc37bb06e968113f0063002728b826697b19de060a66ba75c039

Download Submit
C:\Windows\SysWOW64\Fbioei32.exe
Filesize
378KB

MD5
67ca2041d181cd10d0129bd695289bbf

SHA1
4b7a7fe39253d7ea6b9466eebfada0fa5d8d7fb7

SHA256
06d824a6503e84931466eebb6080c8b5825fff99bf68f57bf495c5b48c98e029

SHA512
d59947d0a2e9b59323d2339c2c09ba4077918cd8572db322d2ea4871a28b1f15a4dea39dd382b99ef2b9cda713a4d36374688ff90274eb927d863f905cd0ce88

Download Submit
C:\Windows\SysWOW64\Fbqefhpm.exe
Filesize
378KB

MD5
255a0b9530de1263b9019a102cf290a8

SHA1
329ea55e703c22e2c8d59d6b44d9350fbc3feb6a

SHA256
7e30000fafc67a885baacba01d3cee0884ae06ba0aea7836061e0f547df6e76d

SHA512
6c4bc67e9846962636eddaf5ea2254f95f44bf2940125df62b16871841e5cc189124a0d04615ed5197ca9fc42b263cb7ae7aaf8158c0e620ba4bd68a27da7f51

Download Submit
C:\Windows\SysWOW64\Fcikolnh.exe
Filesize
378KB

MD5
e6b1a1d635c14ef5d41ad25368f03c45

SHA1
69b272e1b63da4915134bbce5ff361f95dadf365

SHA256
8f89a10e34a348736f193956d6c6a1c4409dabd9cd982f1182ddc3d66a547d0b

SHA512
7ffc2f47a39b75f1b081fb4441993df76df7b734fb426bee52b13e8d15778b116955c6d73a1392be6feda365324f7cf450ce0f922e58b4572f78f47e4515b664

Download Submit
C:\Windows\SysWOW64\Fjepaecb.exe
Filesize
378KB

MD5
2db20be29013fb89c10ce15f87636e76

SHA1
a956602057288778650c31d104a493c2cd8e508d

SHA256
356f9663458b03d403b2c47296d4803b777ca4f6e9ddc318de0abc6ca3279feb

SHA512
cebe2ae891b1bc2c6ea44b87236175974d73e2779cbc68d4c9cd62c11afbcb49bdf46bf1b940533c5edf83a280e112a7262162f4da5a46b543793270473e94fd

Download Submit
C:\Windows\SysWOW64\Fmapha32.exe
Filesize
378KB

MD5
7c26f82636e7e354fb76fca690ab8aa3

SHA1
a75b4e08b45f417f2e69b2b301e4bdab5037c49c

SHA256
42261548be3d1f22b224056ecf9679abc8062fb34b63c51580f0119904b77cd2

SHA512
7e9715edb651e23881ed4e51c20eea8a497e63bac2fbb69f838b585105f8d5bc093eedb7033704f4f29fee360af4e3bf1fedc9e0b06bb06e9028c8ac4cbcfd51

Download Submit
C:\Windows\SysWOW64\Fmmfmbhn.exe
Filesize
378KB

MD5
344adf1b0149976b69f9c6415746cf60

SHA1
41395658f6523d2870839140eab9ba7f19131376

SHA256
6b78150d49ae34e090be009080d60f7ca7c4d24d339c0a54f629845eef35b976

SHA512
78e4098e09a673b99a8ecc0ecf72ec754345943d577644462ac2676ac81e994f3f928250597a53af0948e725046f00a81cdeaa5fa4eff867732bca2e8343c319

Download Submit
C:\Windows\SysWOW64\Fobiilai.exe
Filesize
378KB

MD5
80586628ec1ae9fdee3d182595116e3b

SHA1
f53863f58fe32bc8fa24acff5373755c587618c1

SHA256
327321c7546697521140c8b081374c2daac2a48c53ac14af0e58ecdd79d69699

SHA512
314c1d31c0b761b41a6caf8430a7e3d0b3c456bed3bd246a74a7f3f90afb2edfefd07ed203d1a116f5f0437bbd787f4811b357ad0d1844e2ff73cd9bc7958fed

Download Submit
C:\Windows\SysWOW64\Fodeolof.exe
Filesize
378KB

MD5
9d84e7ca3e428fad2af640aff017042d

SHA1
2f6fbad12fb93ab71230a6a289f7d7bf6b49ad2f

SHA256
3985309492916a80c47f783e89a7dcd0a54e40d4d4f4b20b4d67bf248e9edd4e

SHA512
87ee13165530c2c7871bc76dee8b24fe35986cbd56eaefdc455e28c407a286405b6dc32949e6aa06d10d57541d647e018292d4a5a4f2288b046a694a8e8c579a

Download Submit
C:\Windows\SysWOW64\Fokbim32.exe
Filesize
378KB

MD5
e360c73f36b4ebf8ce0ce1a38703bcfc

SHA1
8357b9c28b2378a96516ca09dd84f792dc3b3e92

SHA256
c5075850568a1d1c38b0abf84d4848b26c72b70b777db10c9b0d24f0e16d6d3c

SHA512
6dea015088cc742965496aa12366e4e435a06b7570eb7a4c8c647d7725fa0186dad4f00b4f3b1656cb7479123f5759d607bc54fc95d42bae32e44db74524d3d7

Download Submit
C:\Windows\SysWOW64\Fopldmcl.exe
Filesize
378KB

MD5
acfcfc4f20fe8933cca2077100044be1

SHA1
2c5acf2afcba93755c31a85d2889dd5f8d4db5ab

SHA256
3aaa8b71e82b283e7d1edbdd9031ab820ebb976286ddf51d021e599ec2ea7ea0

SHA512
53db56e41f01073f3d3c81bc3045ee7d92996558d46bbf1163e9da242511d0e0992328a458fe350bf262d92551848f01d87663269ea58a90a5f0f298efa6754f

Download Submit
C:\Windows\SysWOW64\Fqkocpod.exe
Filesize
378KB

MD5
af2dc09012c40f98ff02d4019da02a7d

SHA1
467aef7e2f8a6108bb628ab35a10b8caac24df18

SHA256
35218a5471dfa0eeeb5fe904dc8d8e498d4185ba904af4481d80e24f4a9999ef

SHA512
8a1b3c653621aedf7d5a9ac8144d28fb5ece9e7abfe7ba0109edb422d3f9b74cc68af79ea9219aeef14fe021617bac9f5538f7e08bf167e2c4ab95fbcd162a6b

Download Submit
C:\Windows\SysWOW64\Gbcakg32.exe
Filesize
378KB

MD5
b37a98c3783bdf18115b1cf10879db86

SHA1
6d2f9c3a5e4d13cfed2d762441f737a3ab00f4dd

SHA256
46ad88b311a4d6150077a19c0a7bd9d5cfa32dbbce846b7af12eea5aa03e4808

SHA512
70ef4032f9b79a9248817a0e3e2cdc481e13fd9db1901d6093242389c07900b2748eaa873f97c23a09908e1e620049e8e2f82abd89387e37efa7d5e92fe34850

Download Submit
C:\Windows\SysWOW64\Gcbnejem.exe
Filesize
378KB

MD5
0334e2e63a8d5570ced9e6b7674bcf95

SHA1
d0350d53e103905632287751dd8f28e6925eab04

SHA256
2e5c6fe96eff88746c0890f957e213eebe43f84b50996b4f3e6b11d53f368f26

SHA512
1684b1c0593264f20d0580c2adbfd7efc2c9345d7925a12319a79fa0e8fe28200da8402651045d8cecc436a6ac12c49be0e83008e0926e25d89f9e99f66525fa

Download Submit
C:\Windows\SysWOW64\Gcekkjcj.exe
Filesize
378KB

MD5
c1646b2cd8dff62dd9ea106a51377ac4

SHA1
1dafe518dd8f29a243669b8d7169d64bc1757dac

SHA256
c591d060e9ef154fa135ceb10fbf6d7d9b511401d17a52294c34fd19a11094a8

SHA512
6ab0e60c1de8ad3229db654cf82a7cecb5ccb697e20d04cdc5c18d44419be21cc5240b4f7ffdff6780ff730b6553e263fa13747cb1ade754cf2136d7282e1e4c

Download Submit
C:\Windows\SysWOW64\Gjjjle32.exe
Filesize
378KB

MD5
b5d299c2a6ba8bc2b84dcfa529625a55

SHA1
14ee09f7e94fa4b3a244ae1b6678ecb158b52772

SHA256
085017d1242e06433d69ae63ac74dd3d9adf512ef9358eda20577e2b7b16a980

SHA512
afb837bc707a6351b9bb57b48e04a4c2b4362eae967cef96880c16f02e71c3a049c81baf09704164fa7ad1b9e79bf80af27ebe629c27bf3f379f4d0a8e2ce01d

Download Submit
C:\Windows\SysWOW64\Gmoliohh.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\SysWOW64\Gogbdl32.exe
Filesize
378KB

MD5
619088d15b0c39282e495b8c6edceee7

SHA1
159206b51c4231654c01599c934b6696dc6882d0

SHA256
a9bd4ffe82fe90261d7a8437fb4a5f011c5ae2875eb75dcc43f070a4f011b683

SHA512
375ae7892e1b1775c575aaeddcb43852bf8b12c0ca86a85db2d0a1d11299f14f9ac7734815ea890857bb68b275d4ef18b1e4ab51044639a5d9afbe76fe8dccb5

Download Submit
C:\Windows\SysWOW64\Gqdbiofi.exe
Filesize
378KB

MD5
549da3be6d71a485e292b9fe0fef288d

SHA1
d04ac1989db0f39780c0f0ec9a06f41e314c4c3a

SHA256
8f10f7f1aa5821209653044b48af425a33d4336d47aeb21e64508d873432983f

SHA512
4874331f8daa7188c16330cf8ed1137326eaa630a5be2a3d3b4e046978b6cc59e4e0adf7322c6187b7b43f1ae5617d0aca32d50e16c871cd5d451c82cc1d6890

Download Submit
C:\Windows\SysWOW64\Hmklen32.exe
Filesize
378KB

MD5
dc47db891babbe4008c03a450704e109

SHA1
e06bbdd378476c9db5d2da6fc8eb56d6efdf4458

SHA256
53e6d078ef5b0fb0111d0a0aa2fa28c26ac77b690564d1b3698dce0580f1302e

SHA512
254e3105575d57f11d9eb83fca82ca6713863aefb9eeb4bcc9a30f7ef883ba3a499f2f741b9906f1edbdfd95caca2283dcfd20a385cb818e4057d0cc98c5c399

Download Submit
C:\Windows\SysWOW64\Idacmfkj.exe
Filesize
378KB

MD5
304a987a5fea079d0f2c02cd2c88b56b

SHA1
a1de5b6dfd9ae2dd8c4ab2efc9fa5f5830eee7da

SHA256
a1971ec50375c0e80373d96f5ca95d4d09ab8812afb413cfaf94ca5d6324d4c0

SHA512
fa2a42b5a442dca4c7fdc3d12575522cca64253c1e4044cdca57512c2ce4399d7722e76b03998a2a56396447194bf5a01eeb182327407f98769e8db0798ea629

Download Submit
C:\Windows\SysWOW64\Ipldfi32.exe
Filesize
378KB

MD5
a6d1197073550932a8b6b8e2a953c828

SHA1
05b63968c9305b79336024db62fafe7015bcd4f1

SHA256
7b23fec91acd3d784bf3c8873a147b922c8b33dedbf1784b011a102934d992cd

SHA512
84fa1501d60f019c2ac59705913ce667d6281281d80ccd3970c5b073f56cdc35d92fbe877455b0c868ebf524b5d0e96c62fbcdc7b87a66f2a01536f49bebdb75

Download Submit
C:\Windows\SysWOW64\Jdhine32.exe
Filesize
378KB

MD5
615412114c8d9658c809b1d0eff3f2ac

SHA1
b02398e82a7e0ff13ae86afdd6d24b19f551fd63

SHA256
766d86e4e0f62e2c1aceeada034361ba9cf65c2b30e1ba58582f5d095bdef49e

SHA512
57376b977d35847f815b4c18099b3b890e24e9c2389e4e4c3526c7628941961b115c8cb4e5ab09ca8d0f9ba460f1dd0e2e9a2bc3fdec4c260282401499d4e69d

Download Submit
C:\Windows\SysWOW64\Jidbflcj.exe
Filesize
378KB

MD5
d8252deeeea6eda5b3c9061a747d57c5

SHA1
615d9d5478fca48e184389ee1cc1cde196a25c69

SHA256
d9a0ca75e174a2566f38801e40e8fb58c7d0fa22df91f28ecc51238d17905f22

SHA512
221e3639d151945e4556e0e6ca2cb0f8f7158d6584bdde37b01fcbd1fe13ccf4ce21fb75c3d18120ede3885d051262ca7a6a98ea5f40f0c9175be04cdbceab1a

Download Submit
C:\Windows\SysWOW64\Jkfkfohj.exe
Filesize
378KB

MD5
60ee8c090ea3c2510817152f54de86b2

SHA1
3d10c9d4c0ab1a3b86e0955e14884af4bacca4bd

SHA256
d87780571b445d712bf51abbb85e9665467be4fc46bf81a6afb60f348ad9ef18

SHA512
6c27ad40c0dc6ca5ecba6954a7f64f8312bba02caf8d39359970e71159ab2304e013ff264a260b721e1bf3fb941fb3580e6803d73d9480a096f6d036763c0fe9

Download Submit
C:\Windows\SysWOW64\Kacphh32.exe
Filesize
378KB

MD5
6fa69d2b1c9eb810e35f62ec83fe7de1

SHA1
14e953472960d0bcbd3337fdbb2f719d4a33d6da

SHA256
8bf217bdcc74d1f8aeadb07ec79481cb071ef62cf173f8e6e21b9048cf951d09

SHA512
c03038164475e34b5c0ca5216fafdc88e01cc1b9496a697ed01693b143f2e230fdd6b03b9699ad4b58a4cf40ce9d5b3bb3fe09d2796bf32c7ee39da6c9664b43

Download Submit
C:\Windows\SysWOW64\Lcdegnep.exe
Filesize
378KB

MD5
c29ba8a41b886857906781200344874e

SHA1
c22fee24738a3d67e5dda1cee5beb4b4bc6e9822

SHA256
0f5bf9a939f45846679252e1c5d94e645c38ef89116ee059576f653cb9628445

SHA512
7aa6044f56937f9bd3e5c585e45e9fe5af5b5f6a03ad4949043cc7d9be58812794410452b5557851d83a8e88cd86ebb0d43e59f1a4242f4d948b330fe323064b

Download Submit
C:\Windows\SysWOW64\Lijdhiaa.exe
Filesize
378KB

MD5
3896becff16e9de8c89b8f627da6eae5

SHA1
61c9f3a22e8f1c3805a72bb25af28bb74f00195b

SHA256
a3a07efa9edce8f2a79f8c4b9cae49ee098a1af20b7a7271d683437dcc7523b2

SHA512
67f7ddb6737c2aaa9dfd86ef25196214442f4d306bb64e0ba6604f103bab8d25fb15654d168a495a964c076e6812ef887d3f61ad8d9b09a95887ca02c12a529d

Download Submit
C:\Windows\SysWOW64\Lknjmkdo.exe
Filesize
378KB

MD5
b69d425dde9415e34a4d3272efd2a26d

SHA1
bc43ce16c02aed55fa35333624763334af25c763

SHA256
55d7447170570c100a667ca27621c978a0662e339538606de723ae1a8def825c

SHA512
fff8d0a9ac19565e0d0c5350877c3e6a6d9bb0908b8476723b4c1f9eba7b7f69d6423bf0cc71f5b3fc52be8a2c94d7800d2df74648a3b1cbc90c404213da012b

Download Submit
C:\Windows\SysWOW64\Lmqgnhmp.exe
Filesize
378KB

MD5
c433c2467c1f811d0691ea155b896969

SHA1
b0ce633ca58f9d273046bace70e942fd81f40143

SHA256
e91dbe0cc505a4d01eab76d5233a9c7bb97a822ac756a0946177d1ff5b425932

SHA512
d5640b258a05342224a7d3fcadb65389834862423b8c56d6aa8f1e3b164b53c07bfa2aefae52b9c544299c9b5dc73ffb2e0af6cdfeb073d654265d637d345f42

Download Submit
C:\Windows\SysWOW64\Majopeii.exe
Filesize
378KB

MD5
88f063e0b3bc4de063f23b71a9de6d27

SHA1
29fc173cef9eb0c9f090d50bce0ba3616d9a16ff

SHA256
4405667bc336aeb9b423da28e087112279296fef5197f877794a1d9713cb0f78

SHA512
455a30b93f57be93421bcc9c03ef4286d43dc67e42a797c244e60d99570614446268666dbab287762a8b851dc9f80e4a7f8b960a85120218d2397ca9813e3dd1

Download Submit
C:\Windows\SysWOW64\Mncmjfmk.exe
Filesize
378KB

MD5
af127b34d90eb89c27032e01cde246e9

SHA1
03c9a36b69e83cf2b92c26031ab9a17f5d36ea66

SHA256
f147ea03b9e8ef789cc2ea3426cf0976a53c2d1dfbc540060b7568f6854fa985

SHA512
2b7ca55f8703efb87dcd5733b7ae950dd8c31f82c9ee8e7195fca05ef75d943cf2c5b63e4fad87fd0ee3f72969d7b065f9d9c99ff0e370dcda9726739d27ea8e

Download Submit
C:\Windows\SysWOW64\Nnhfee32.exe
Filesize
378KB

MD5
e3f9f8e4666324e2b10e306342fe9272

SHA1
420889707593c124cda13dcd9c5f7ed66dccf896

SHA256
8366cfcc72a4bae751fb7a2ecc1ce470d8b428d4398ff704be93751bd5040019

SHA512
e6dabdcb159dc9da83261196f5b5d0fba641e8ea45de22f59208f359ecdf7b11521f8d69c845539727db1d36e887c4e234c9d3eb741fcdb35b7ab595dc80a1ad

Download Submit
memory/8-105-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/208-57-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/372-145-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/396-30-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/408-503-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/516-279-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/692-443-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/748-345-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/768-586-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/840-365-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/892-527-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/904-563-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/952-485-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/972-495-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1032-569-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1032-5-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/1032-4-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1088-81-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1148-21-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1156-88-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1228-478-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1236-41-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1236-602-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1288-521-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1440-501-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1476-233-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1532-407-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1548-353-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1596-545-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1636-141-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1756-449-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1844-578-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1876-329-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1884-185-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1936-253-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2064-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2144-160-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2160-121-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2164-455-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2212-556-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2260-393-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2452-483-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2488-399-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2492-252-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2516-401-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2520-192-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2560-48-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2560-609-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2620-383-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2628-557-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2648-419-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2728-607-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2824-468-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3084-65-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3152-371-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3196-323-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3204-519-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3228-413-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3236-509-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3256-435-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3360-576-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3360-9-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3456-220-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3460-589-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3536-293-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3592-351-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3652-311-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3680-169-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3684-261-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3700-282-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3712-595-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3712-36-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3720-280-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3760-101-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3932-570-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3968-229-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3976-600-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4024-305-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4112-299-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4140-340-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4224-539-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4252-321-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4308-291-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4364-461-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4492-153-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4516-177-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4584-425-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4588-208-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4648-437-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4672-113-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4700-381-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4768-206-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4972-537-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5016-360-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5036-281-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5044-128-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download