99da49ce1583f5a8c6c2239db8292fb6a59239003206ad0ad3e39cde81058e9c

Analysis

max time kernel
144s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
26-05-2024 15:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0ed0eb3ea58b3e268fe16d3309cf9000_NeikiAnalytics.exe
Size

128KB
MD5

0ed0eb3ea58b3e268fe16d3309cf9000
SHA1

9fbfc811e837e6dd20994aa38758aae89ca413e0
SHA256

99da49ce1583f5a8c6c2239db8292fb6a59239003206ad0ad3e39cde81058e9c
SHA512

7fba22d751222d391cefa4f4ff9df75dd0331906307ae832a3c9ff82ec3919e3c6d97d01110bcf5b3c4170a602d403561507845f8720861c04f426458ade42c5
SSDEEP

1536:NKKJtmQl2QSPaX5kzGdxGp9mnXSrhH0E8wgRQDkRfRa9HprmRfRJCLIXG:NKKJcQGPgkzrp9EilHr85eDk5wkpHxG

Score

10^/10

backdoor dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Hjmoibog.exeIpqnahgf.exeCamfbm32.exeDigkijmd.exeFjepaecb.exeFmclmabe.exeFcnejk32.exeHfjmgdlf.exeIapjlk32.exeJigollag.exeKdcijcke.exeKdhbec32.exeNkncdifl.exeNjljefql.exeDljqpd32.exeDllmfd32.exeEpmcab32.exeFflaff32.exeMcnhmm32.exeMpaifalo.exeDpjflb32.exeFcikolnh.exeIpldfi32.exeJmpngk32.exeFfggkgmk.exeGimjhafg.exeGpklpkio.exeHmioonpn.exeHippdo32.exeIiibkn32.exeLdmlpbbj.exeNnmopdep.exeHpgkkioa.exeMkbchk32.exeNgcgcjnc.exeLiggbi32.exeNjcpee32.exeElccfc32.exeJbhmdbnp.exeJpojcf32.exeKpepcedo.exeKaemnhla.exeKgdbkohf.exeCoagla32.exeEqfeha32.exeHihicplj.exeJdjfcecp.exeJmkdlkph.exeLalcng32.exeCapchmmb.exeEoifcnid.exeGogbdl32.exeHbckbepg.exeJjmhppqd.exeLgkhlnbn.exeEjbkehcg.exeEofinnkf.exeFfbnph32.exeIpnalhii.exeJangmibi.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hjmoibog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ipqnahgf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Camfbm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Digkijmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjepaecb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmclmabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fcnejk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfjmgdlf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iapjlk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jigollag.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdcijcke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljefql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dljqpd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dllmfd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Epmcab32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fflaff32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dpjflb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fcikolnh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipldfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Iapjlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jmpngk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffggkgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gimjhafg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gpklpkio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hmioonpn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hippdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Iiibkn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hpgkkioa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jigollag.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Elccfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jbhmdbnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jpojcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kpepcedo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaemnhla.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgdbkohf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Coagla32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqfeha32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hihicplj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdjfcecp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Coagla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jmkdlkph.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Capchmmb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eoifcnid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gogbdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hbckbepg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jjmhppqd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejbkehcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eofinnkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ffbnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipnalhii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jangmibi.exe

Malware Dropper & Backdoor - Berbew 64 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

Processes:

resource	yara_rule
behavioral2/memory/2940-0-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Cpljkdig.exe	family_berbew
behavioral2/memory/4776-8-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Camfbm32.exe	family_berbew
behavioral2/memory/4732-16-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Cidncj32.exe	family_berbew
behavioral2/memory/4948-24-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Coagla32.exe	family_berbew
behavioral2/memory/664-40-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Capchmmb.exe	family_berbew
C:\Windows\SysWOW64\Digkijmd.exe	family_berbew
behavioral2/memory/2224-56-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/memory/1920-55-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Dpacfd32.exe	family_berbew
behavioral2/memory/3064-64-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Dlegeemh.exe	family_berbew
behavioral2/memory/5804-72-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/memory/4556-36-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Denlnk32.exe	family_berbew
behavioral2/memory/4764-79-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Cpofpdgd.exe	family_berbew
behavioral2/memory/5520-88-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Dpcpkc32.exe	family_berbew
C:\Windows\SysWOW64\Dadlclim.exe	family_berbew
behavioral2/memory/1980-100-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Djlddi32.exe	family_berbew
behavioral2/memory/3632-105-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Dljqpd32.exe	family_berbew
behavioral2/memory/4128-117-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Dcdimopp.exe	family_berbew
behavioral2/memory/2376-124-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Debeijoc.exe	family_berbew
behavioral2/memory/2428-128-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Dllmfd32.exe	family_berbew
behavioral2/memory/5584-140-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Dokjbp32.exe	family_berbew
behavioral2/memory/3600-144-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Dhcnke32.exe	family_berbew
behavioral2/memory/4624-152-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Dpjflb32.exe	family_berbew
behavioral2/memory/964-160-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Dakbckbe.exe	family_berbew
behavioral2/memory/5820-172-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Ejbkehcg.exe	family_berbew
behavioral2/memory/5828-180-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Elagacbk.exe	family_berbew
behavioral2/memory/2572-188-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Epmcab32.exe	family_berbew
behavioral2/memory/5772-192-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Ejegjh32.exe	family_berbew
behavioral2/memory/5116-200-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Elccfc32.exe	family_berbew
behavioral2/memory/5032-212-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Eoapbo32.exe	family_berbew
behavioral2/memory/1232-219-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Ebploj32.exe	family_berbew
behavioral2/memory/3768-229-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Ejgdpg32.exe	family_berbew
behavioral2/memory/3784-235-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Eleplc32.exe	family_berbew
behavioral2/memory/3992-244-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Eodlho32.exe	family_berbew
behavioral2/memory/1332-248-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Efneehef.exe	family_berbew

Executes dropped EXE 64 IoCs

Processes:

Cpljkdig.exeCamfbm32.exeCidncj32.exeCpofpdgd.exeCoagla32.exeCapchmmb.exeDigkijmd.exeDlegeemh.exeDpacfd32.exeDenlnk32.exeDpcpkc32.exeDadlclim.exeDjlddi32.exeDljqpd32.exeDcdimopp.exeDebeijoc.exeDllmfd32.exeDokjbp32.exeDhcnke32.exeDpjflb32.exeDakbckbe.exeEjbkehcg.exeElagacbk.exeEpmcab32.exeEjegjh32.exeElccfc32.exeEoapbo32.exeEbploj32.exeEjgdpg32.exeEleplc32.exeEodlho32.exeEfneehef.exeEjjqeg32.exeElhmablc.exeEofinnkf.exeEfpajh32.exeEhonfc32.exeEqfeha32.exeEoifcnid.exeFfbnph32.exeFhajlc32.exeFqhbmqqg.exeFokbim32.exeFbioei32.exeFicgacna.exeFmocba32.exeFomonm32.exeFcikolnh.exeFfggkgmk.exeFqmlhpla.exeFckhdk32.exeFjepaecb.exeFmclmabe.exeFcnejk32.exeFflaff32.exeFijmbb32.exeFqaeco32.exeFodeolof.exeGbcakg32.exeGimjhafg.exeGmhfhp32.exeGogbdl32.exeGfqjafdq.exeGiofnacd.exe

pid	process
4776	Cpljkdig.exe
4732	Camfbm32.exe
4948	Cidncj32.exe
4556	Cpofpdgd.exe
664	Coagla32.exe
1920	Capchmmb.exe
2224	Digkijmd.exe
3064	Dlegeemh.exe
5804	Dpacfd32.exe
4764	Denlnk32.exe
5520	Dpcpkc32.exe
1980	Dadlclim.exe
3632	Djlddi32.exe
4128	Dljqpd32.exe
2376	Dcdimopp.exe
2428	Debeijoc.exe
5584	Dllmfd32.exe
3600	Dokjbp32.exe
4624	Dhcnke32.exe
964	Dpjflb32.exe
5820	Dakbckbe.exe
5828	Ejbkehcg.exe
2572	Elagacbk.exe
5772	Epmcab32.exe
5116	Ejegjh32.exe
5032	Elccfc32.exe
1232	Eoapbo32.exe
3768	Ebploj32.exe
3784	Ejgdpg32.exe
3992	Eleplc32.exe
1332	Eodlho32.exe
2656	Efneehef.exe
5372	Ejjqeg32.exe
2892	Elhmablc.exe
1744	Eofinnkf.exe
4580	Efpajh32.exe
4528	Ehonfc32.exe
2952	Eqfeha32.exe
5080	Eoifcnid.exe
3160	Ffbnph32.exe
5944	Fhajlc32.exe
876	Fqhbmqqg.exe
3684	Fokbim32.exe
4920	Fbioei32.exe
5092	Ficgacna.exe
2696	Fmocba32.exe
5852	Fomonm32.exe
2576	Fcikolnh.exe
1436	Ffggkgmk.exe
2408	Fqmlhpla.exe
5128	Fckhdk32.exe
2816	Fjepaecb.exe
5052	Fmclmabe.exe
4476	Fcnejk32.exe
4448	Fflaff32.exe
424	Fijmbb32.exe
2064	Fqaeco32.exe
4360	Fodeolof.exe
884	Gbcakg32.exe
6084	Gimjhafg.exe
5912	Gmhfhp32.exe
4232	Gogbdl32.exe
5656	Gfqjafdq.exe
3924	Giofnacd.exe

Drops file in System32 directory 64 IoCs

Processes:

Ifjfnb32.exeJbhmdbnp.exeJpojcf32.exeKdhbec32.exeLgikfn32.exeNgedij32.exeHibljoco.exeIpldfi32.exeMgidml32.exeKkihknfg.exeKipabjil.exeLalcng32.exeMahbje32.exeGiofnacd.exeEjbkehcg.exeEpmcab32.exeFmocba32.exeHpbaqj32.exeIiibkn32.exeLiggbi32.exeDlegeemh.exeDadlclim.exeNjogjfoj.exeNddkgonp.exeMnocof32.exeMdpalp32.exeFjepaecb.exeFmclmabe.exeGjclbc32.exeGmaioo32.exeHihicplj.exeHpenfjad.exeCpljkdig.exeEjgdpg32.exeNqklmpdd.exeKbapjafe.exeNkjjij32.exeFqmlhpla.exeHclakimb.exeIfmcdblq.exeLiekmj32.exeNjljefql.exeCoagla32.exeFomonm32.exeNjcpee32.exeKgdbkohf.exeMpmokb32.exeMjhqjg32.exeMpaifalo.exeDcdimopp.exeKgbefoji.exeIjaida32.exeDhcnke32.exeGcggpj32.exeKaemnhla.exeNnolfdcn.exeJjpeepnb.exeJdhine32.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Iiibkn32.exe	Ifjfnb32.exe
File opened for modification	C:\Windows\SysWOW64\Jjpeepnb.exe	Jbhmdbnp.exe
File created	C:\Windows\SysWOW64\Ehifigof.dll	Jpojcf32.exe
File created	C:\Windows\SysWOW64\Imppcc32.dll	Kdhbec32.exe
File created	C:\Windows\SysWOW64\Liggbi32.exe	Lgikfn32.exe
File created	C:\Windows\SysWOW64\Ddpfgd32.dll	Ngedij32.exe
File opened for modification	C:\Windows\SysWOW64\Ipldfi32.exe	Hibljoco.exe
File created	C:\Windows\SysWOW64\Hdgpjm32.dll	Ipldfi32.exe
File created	C:\Windows\SysWOW64\Mjhqjg32.exe	Mgidml32.exe
File created	C:\Windows\SysWOW64\Cqncfneo.dll	Kkihknfg.exe
File opened for modification	C:\Windows\SysWOW64\Kagichjo.exe	Kipabjil.exe
File created	C:\Windows\SysWOW64\Jifkeoll.dll	Lalcng32.exe
File created	C:\Windows\SysWOW64\Mnocof32.exe	Mahbje32.exe
File created	C:\Windows\SysWOW64\Goiojk32.exe	Giofnacd.exe
File created	C:\Windows\SysWOW64\Qdhoohmo.dll	Jbhmdbnp.exe
File opened for modification	C:\Windows\SysWOW64\Elagacbk.exe	Ejbkehcg.exe
File opened for modification	C:\Windows\SysWOW64\Ejegjh32.exe	Epmcab32.exe
File opened for modification	C:\Windows\SysWOW64\Fomonm32.exe	Fmocba32.exe
File created	C:\Windows\SysWOW64\Hfljmdjc.exe	Hpbaqj32.exe
File opened for modification	C:\Windows\SysWOW64\Iapjlk32.exe	Iiibkn32.exe
File opened for modification	C:\Windows\SysWOW64\Lmccchkn.exe	Liggbi32.exe
File opened for modification	C:\Windows\SysWOW64\Dpacfd32.exe	Dlegeemh.exe
File opened for modification	C:\Windows\SysWOW64\Djlddi32.exe	Dadlclim.exe
File created	C:\Windows\SysWOW64\Nafokcol.exe	Njogjfoj.exe
File opened for modification	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Bkankc32.dll	Mnocof32.exe
File created	C:\Windows\SysWOW64\Mcbahlip.exe	Mdpalp32.exe
File opened for modification	C:\Windows\SysWOW64\Fmclmabe.exe	Fjepaecb.exe
File opened for modification	C:\Windows\SysWOW64\Fcnejk32.exe	Fmclmabe.exe
File opened for modification	C:\Windows\SysWOW64\Gmaioo32.exe	Gjclbc32.exe
File opened for modification	C:\Windows\SysWOW64\Hclakimb.exe	Gmaioo32.exe
File created	C:\Windows\SysWOW64\Hpbaqj32.exe	Hihicplj.exe
File opened for modification	C:\Windows\SysWOW64\Hbckbepg.exe	Hpenfjad.exe
File created	C:\Windows\SysWOW64\Camfbm32.exe	Cpljkdig.exe
File opened for modification	C:\Windows\SysWOW64\Eleplc32.exe	Ejgdpg32.exe
File created	C:\Windows\SysWOW64\Bdknoa32.dll	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Kkihknfg.exe	Kbapjafe.exe
File created	C:\Windows\SysWOW64\Kcbibebo.dll	Nkjjij32.exe
File opened for modification	C:\Windows\SysWOW64\Fckhdk32.exe	Fqmlhpla.exe
File created	C:\Windows\SysWOW64\Hfjmgdlf.exe	Hclakimb.exe
File created	C:\Windows\SysWOW64\Iikopmkd.exe	Ifmcdblq.exe
File opened for modification	C:\Windows\SysWOW64\Kkihknfg.exe	Kbapjafe.exe
File opened for modification	C:\Windows\SysWOW64\Lalcng32.exe	Liekmj32.exe
File opened for modification	C:\Windows\SysWOW64\Nacbfdao.exe	Njljefql.exe
File created	C:\Windows\SysWOW64\Jfifijhb.dll	Coagla32.exe
File created	C:\Windows\SysWOW64\Agbpag32.dll	Fomonm32.exe
File created	C:\Windows\SysWOW64\Cknpkhch.dll	Njcpee32.exe
File created	C:\Windows\SysWOW64\Kdhbec32.exe	Kgdbkohf.exe
File created	C:\Windows\SysWOW64\Mkbchk32.exe	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Mpaifalo.exe	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Mcpebmkb.exe	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Hhapkbgi.dll	Mpaifalo.exe
File opened for modification	C:\Windows\SysWOW64\Debeijoc.exe	Dcdimopp.exe
File created	C:\Windows\SysWOW64\Kbmfdgkm.dll	Kgbefoji.exe
File opened for modification	C:\Windows\SysWOW64\Ibjqcd32.exe	Ipldfi32.exe
File created	C:\Windows\SysWOW64\Impepm32.exe	Ijaida32.exe
File created	C:\Windows\SysWOW64\Dpjflb32.exe	Dhcnke32.exe
File opened for modification	C:\Windows\SysWOW64\Gqkhjn32.exe	Gcggpj32.exe
File created	C:\Windows\SysWOW64\Jcpkbc32.dll	Kaemnhla.exe
File created	C:\Windows\SysWOW64\Ogdimilg.dll	Kgdbkohf.exe
File opened for modification	C:\Windows\SysWOW64\Mcpebmkb.exe	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Nqmhbpba.exe	Nnolfdcn.exe
File opened for modification	C:\Windows\SysWOW64\Jaimbj32.exe	Jjpeepnb.exe
File created	C:\Windows\SysWOW64\Olmeac32.dll	Jdhine32.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

6972 6592 WerFault.exe Nkcmohbg.exe

pid	pid_target	process	target process
6972	6592	WerFault.exe	Nkcmohbg.exe

Modifies registry class 64 IoCs

Processes:

Jdmcidam.exeLijdhiaa.exeIfmcdblq.exeNnmopdep.exeEfneehef.exeFfbnph32.exeFodeolof.exeGjclbc32.exeCpofpdgd.exeFmclmabe.exeHfljmdjc.exeKbdmpqcb.exeKkihknfg.exeMcpebmkb.exeNacbfdao.exeElccfc32.exeFmocba32.exeFckhdk32.exeJbhmdbnp.exeDadlclim.exeGbcakg32.exeIcljbg32.exeFijmbb32.exeGmhfhp32.exeHihicplj.exeLgikfn32.exeDjlddi32.exeEjjqeg32.exeEofinnkf.exeFokbim32.exeLiggbi32.exeMpdelajl.exeNjljefql.exeEjegjh32.exeEbploj32.exeMcnhmm32.exeHbeghene.exeJpgdbg32.exe0ed0eb3ea58b3e268fe16d3309cf9000_NeikiAnalytics.exeGogbdl32.exeEjgdpg32.exeIpldfi32.exeMkbchk32.exeNqfbaq32.exeDhcnke32.exeEleplc32.exeFfggkgmk.exeMpmokb32.exeEhonfc32.exeIinlemia.exeKdopod32.exeLdkojb32.exeCidncj32.exeDlegeemh.exeIbjqcd32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eilljncf.dll"	Jdmcidam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ifmcdblq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Efneehef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bofjdo32.dll"	Ffbnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fodeolof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gjclbc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cpofpdgd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fmclmabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klebid32.dll"	Hfljmdjc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kbdmpqcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npckna32.dll"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iedonm32.dll"	Elccfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hndnbj32.dll"	Fmocba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fckhdk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jbhmdbnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eceakm32.dll"	Dadlclim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgenhgdd.dll"	Fodeolof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngiehn32.dll"	Gbcakg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Icljbg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fijmbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gmhfhp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hihicplj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcgqhjop.dll"	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Djlddi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ejjqeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Eofinnkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fokbim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Njljefql.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ejegjh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ebploj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fokbim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnacjn32.dll"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmlfmg32.dll"	Hbeghene.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jpgdbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkccjejn.dll"	0ed0eb3ea58b3e268fe16d3309cf9000_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Efneehef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fodeolof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gogbdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fllceb32.dll"	Djlddi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ejgdpg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ipldfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cqncfneo.dll"	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdgdjjem.dll"	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcdjjo32.dll"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dhcnke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Eleplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfhlfk32.dll"	Ffggkgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Peeafpaf.dll"	Gogbdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcgaen32.dll"	Ehonfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Iinlemia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmlnpc32.dll"	Cidncj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdmiambh.dll"	Dlegeemh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egoqlckf.dll"	Ibjqcd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

0ed0eb3ea58b3e268fe16d3309cf9000_NeikiAnalytics.exeCpljkdig.exeCamfbm32.exeCidncj32.exeCpofpdgd.exeCoagla32.exeCapchmmb.exeDigkijmd.exeDlegeemh.exeDpacfd32.exeDenlnk32.exeDpcpkc32.exeDadlclim.exeDjlddi32.exeDljqpd32.exeDcdimopp.exeDebeijoc.exeDllmfd32.exeDokjbp32.exeDhcnke32.exeDpjflb32.exeDakbckbe.exe

description	pid	process	target process
PID 2940 wrote to memory of 4776	2940	0ed0eb3ea58b3e268fe16d3309cf9000_NeikiAnalytics.exe	Cpljkdig.exe
PID 2940 wrote to memory of 4776	2940	0ed0eb3ea58b3e268fe16d3309cf9000_NeikiAnalytics.exe	Cpljkdig.exe
PID 2940 wrote to memory of 4776	2940	0ed0eb3ea58b3e268fe16d3309cf9000_NeikiAnalytics.exe	Cpljkdig.exe
PID 4776 wrote to memory of 4732	4776	Cpljkdig.exe	Camfbm32.exe
PID 4776 wrote to memory of 4732	4776	Cpljkdig.exe	Camfbm32.exe
PID 4776 wrote to memory of 4732	4776	Cpljkdig.exe	Camfbm32.exe
PID 4732 wrote to memory of 4948	4732	Camfbm32.exe	Cidncj32.exe
PID 4732 wrote to memory of 4948	4732	Camfbm32.exe	Cidncj32.exe
PID 4732 wrote to memory of 4948	4732	Camfbm32.exe	Cidncj32.exe
PID 4948 wrote to memory of 4556	4948	Cidncj32.exe	Cpofpdgd.exe
PID 4948 wrote to memory of 4556	4948	Cidncj32.exe	Cpofpdgd.exe
PID 4948 wrote to memory of 4556	4948	Cidncj32.exe	Cpofpdgd.exe
PID 4556 wrote to memory of 664	4556	Cpofpdgd.exe	Coagla32.exe
PID 4556 wrote to memory of 664	4556	Cpofpdgd.exe	Coagla32.exe
PID 4556 wrote to memory of 664	4556	Cpofpdgd.exe	Coagla32.exe
PID 664 wrote to memory of 1920	664	Coagla32.exe	Capchmmb.exe
PID 664 wrote to memory of 1920	664	Coagla32.exe	Capchmmb.exe
PID 664 wrote to memory of 1920	664	Coagla32.exe	Capchmmb.exe
PID 1920 wrote to memory of 2224	1920	Capchmmb.exe	Digkijmd.exe
PID 1920 wrote to memory of 2224	1920	Capchmmb.exe	Digkijmd.exe
PID 1920 wrote to memory of 2224	1920	Capchmmb.exe	Digkijmd.exe
PID 2224 wrote to memory of 3064	2224	Digkijmd.exe	Dlegeemh.exe
PID 2224 wrote to memory of 3064	2224	Digkijmd.exe	Dlegeemh.exe
PID 2224 wrote to memory of 3064	2224	Digkijmd.exe	Dlegeemh.exe
PID 3064 wrote to memory of 5804	3064	Dlegeemh.exe	Dpacfd32.exe
PID 3064 wrote to memory of 5804	3064	Dlegeemh.exe	Dpacfd32.exe
PID 3064 wrote to memory of 5804	3064	Dlegeemh.exe	Dpacfd32.exe
PID 5804 wrote to memory of 4764	5804	Dpacfd32.exe	Denlnk32.exe
PID 5804 wrote to memory of 4764	5804	Dpacfd32.exe	Denlnk32.exe
PID 5804 wrote to memory of 4764	5804	Dpacfd32.exe	Denlnk32.exe
PID 4764 wrote to memory of 5520	4764	Denlnk32.exe	Dpcpkc32.exe
PID 4764 wrote to memory of 5520	4764	Denlnk32.exe	Dpcpkc32.exe
PID 4764 wrote to memory of 5520	4764	Denlnk32.exe	Dpcpkc32.exe
PID 5520 wrote to memory of 1980	5520	Dpcpkc32.exe	Dadlclim.exe
PID 5520 wrote to memory of 1980	5520	Dpcpkc32.exe	Dadlclim.exe
PID 5520 wrote to memory of 1980	5520	Dpcpkc32.exe	Dadlclim.exe
PID 1980 wrote to memory of 3632	1980	Dadlclim.exe	Djlddi32.exe
PID 1980 wrote to memory of 3632	1980	Dadlclim.exe	Djlddi32.exe
PID 1980 wrote to memory of 3632	1980	Dadlclim.exe	Djlddi32.exe
PID 3632 wrote to memory of 4128	3632	Djlddi32.exe	Dljqpd32.exe
PID 3632 wrote to memory of 4128	3632	Djlddi32.exe	Dljqpd32.exe
PID 3632 wrote to memory of 4128	3632	Djlddi32.exe	Dljqpd32.exe
PID 4128 wrote to memory of 2376	4128	Dljqpd32.exe	Dcdimopp.exe
PID 4128 wrote to memory of 2376	4128	Dljqpd32.exe	Dcdimopp.exe
PID 4128 wrote to memory of 2376	4128	Dljqpd32.exe	Dcdimopp.exe
PID 2376 wrote to memory of 2428	2376	Dcdimopp.exe	Debeijoc.exe
PID 2376 wrote to memory of 2428	2376	Dcdimopp.exe	Debeijoc.exe
PID 2376 wrote to memory of 2428	2376	Dcdimopp.exe	Debeijoc.exe
PID 2428 wrote to memory of 5584	2428	Debeijoc.exe	Dllmfd32.exe
PID 2428 wrote to memory of 5584	2428	Debeijoc.exe	Dllmfd32.exe
PID 2428 wrote to memory of 5584	2428	Debeijoc.exe	Dllmfd32.exe
PID 5584 wrote to memory of 3600	5584	Dllmfd32.exe	Dokjbp32.exe
PID 5584 wrote to memory of 3600	5584	Dllmfd32.exe	Dokjbp32.exe
PID 5584 wrote to memory of 3600	5584	Dllmfd32.exe	Dokjbp32.exe
PID 3600 wrote to memory of 4624	3600	Dokjbp32.exe	Dhcnke32.exe
PID 3600 wrote to memory of 4624	3600	Dokjbp32.exe	Dhcnke32.exe
PID 3600 wrote to memory of 4624	3600	Dokjbp32.exe	Dhcnke32.exe
PID 4624 wrote to memory of 964	4624	Dhcnke32.exe	Dpjflb32.exe
PID 4624 wrote to memory of 964	4624	Dhcnke32.exe	Dpjflb32.exe
PID 4624 wrote to memory of 964	4624	Dhcnke32.exe	Dpjflb32.exe
PID 964 wrote to memory of 5820	964	Dpjflb32.exe	Dakbckbe.exe
PID 964 wrote to memory of 5820	964	Dpjflb32.exe	Dakbckbe.exe
PID 964 wrote to memory of 5820	964	Dpjflb32.exe	Dakbckbe.exe
PID 5820 wrote to memory of 5828	5820	Dakbckbe.exe	Ejbkehcg.exe

C:\Users\Admin\AppData\Local\Temp\0ed0eb3ea58b3e268fe16d3309cf9000_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0ed0eb3ea58b3e268fe16d3309cf9000_NeikiAnalytics.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2940

C:\Windows\SysWOW64\Cpljkdig.exe
C:\Windows\system32\Cpljkdig.exe
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4776

C:\Windows\SysWOW64\Camfbm32.exe
C:\Windows\system32\Camfbm32.exe
3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4732

C:\Windows\SysWOW64\Cidncj32.exe
C:\Windows\system32\Cidncj32.exe
4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4948

C:\Windows\SysWOW64\Cpofpdgd.exe
C:\Windows\system32\Cpofpdgd.exe
5⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4556

C:\Windows\SysWOW64\Coagla32.exe
C:\Windows\system32\Coagla32.exe
6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:664

C:\Windows\SysWOW64\Capchmmb.exe
C:\Windows\system32\Capchmmb.exe
7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1920

C:\Windows\SysWOW64\Digkijmd.exe
C:\Windows\system32\Digkijmd.exe
8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2224

C:\Windows\SysWOW64\Dlegeemh.exe
C:\Windows\system32\Dlegeemh.exe
9⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3064

C:\Windows\SysWOW64\Dpacfd32.exe
C:\Windows\system32\Dpacfd32.exe
10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5804

C:\Windows\SysWOW64\Denlnk32.exe
C:\Windows\system32\Denlnk32.exe
11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4764

C:\Windows\SysWOW64\Dpcpkc32.exe
C:\Windows\system32\Dpcpkc32.exe
12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5520

C:\Windows\SysWOW64\Dadlclim.exe
C:\Windows\system32\Dadlclim.exe
13⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1980

C:\Windows\SysWOW64\Djlddi32.exe
C:\Windows\system32\Djlddi32.exe
14⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3632

C:\Windows\SysWOW64\Dljqpd32.exe
C:\Windows\system32\Dljqpd32.exe
15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4128

C:\Windows\SysWOW64\Dcdimopp.exe
C:\Windows\system32\Dcdimopp.exe
16⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2376

C:\Windows\SysWOW64\Debeijoc.exe
C:\Windows\system32\Debeijoc.exe
17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2428

C:\Windows\SysWOW64\Dllmfd32.exe
C:\Windows\system32\Dllmfd32.exe
18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5584

C:\Windows\SysWOW64\Dokjbp32.exe
C:\Windows\system32\Dokjbp32.exe
19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3600

C:\Windows\SysWOW64\Dhcnke32.exe
C:\Windows\system32\Dhcnke32.exe
20⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4624

C:\Windows\SysWOW64\Dpjflb32.exe
C:\Windows\system32\Dpjflb32.exe
21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:964

C:\Windows\SysWOW64\Dakbckbe.exe
C:\Windows\system32\Dakbckbe.exe
22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5820

C:\Windows\SysWOW64\Ejbkehcg.exe
C:\Windows\system32\Ejbkehcg.exe
23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:5828

C:\Windows\SysWOW64\Elagacbk.exe
C:\Windows\system32\Elagacbk.exe
24⤵
- Executes dropped EXE
PID:2572

C:\Windows\SysWOW64\Epmcab32.exe
C:\Windows\system32\Epmcab32.exe
25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:5772

C:\Windows\SysWOW64\Ejegjh32.exe
C:\Windows\system32\Ejegjh32.exe
26⤵
- Executes dropped EXE
- Modifies registry class
PID:5116

C:\Windows\SysWOW64\Elccfc32.exe
C:\Windows\system32\Elccfc32.exe
27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:5032

C:\Windows\SysWOW64\Eoapbo32.exe
C:\Windows\system32\Eoapbo32.exe
28⤵
- Executes dropped EXE
PID:1232

C:\Windows\SysWOW64\Ebploj32.exe
C:\Windows\system32\Ebploj32.exe
29⤵
- Executes dropped EXE
- Modifies registry class
PID:3768

C:\Windows\SysWOW64\Ejgdpg32.exe
C:\Windows\system32\Ejgdpg32.exe
30⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3784

C:\Windows\SysWOW64\Eleplc32.exe
C:\Windows\system32\Eleplc32.exe
31⤵
- Executes dropped EXE
- Modifies registry class
PID:3992

C:\Windows\SysWOW64\Eodlho32.exe
C:\Windows\system32\Eodlho32.exe
32⤵
- Executes dropped EXE
PID:1332

C:\Windows\SysWOW64\Efneehef.exe
C:\Windows\system32\Efneehef.exe
33⤵
- Executes dropped EXE
- Modifies registry class
PID:2656

C:\Windows\SysWOW64\Ejjqeg32.exe
C:\Windows\system32\Ejjqeg32.exe
34⤵
- Executes dropped EXE
- Modifies registry class
PID:5372

C:\Windows\SysWOW64\Elhmablc.exe
C:\Windows\system32\Elhmablc.exe
35⤵
- Executes dropped EXE
PID:2892

C:\Windows\SysWOW64\Eofinnkf.exe
C:\Windows\system32\Eofinnkf.exe
36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1744

C:\Windows\SysWOW64\Efpajh32.exe
C:\Windows\system32\Efpajh32.exe
37⤵
- Executes dropped EXE
PID:4580

C:\Windows\SysWOW64\Ehonfc32.exe
C:\Windows\system32\Ehonfc32.exe
38⤵
- Executes dropped EXE
- Modifies registry class
PID:4528

C:\Windows\SysWOW64\Eqfeha32.exe
C:\Windows\system32\Eqfeha32.exe
39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2952

C:\Windows\SysWOW64\Eoifcnid.exe
C:\Windows\system32\Eoifcnid.exe
40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5080

C:\Windows\SysWOW64\Ffbnph32.exe
C:\Windows\system32\Ffbnph32.exe
41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3160

C:\Windows\SysWOW64\Fhajlc32.exe
C:\Windows\system32\Fhajlc32.exe
42⤵
- Executes dropped EXE
PID:5944

C:\Windows\SysWOW64\Fqhbmqqg.exe
C:\Windows\system32\Fqhbmqqg.exe
43⤵
- Executes dropped EXE
PID:876

C:\Windows\SysWOW64\Fokbim32.exe
C:\Windows\system32\Fokbim32.exe
44⤵
- Executes dropped EXE
- Modifies registry class
PID:3684

C:\Windows\SysWOW64\Fbioei32.exe
C:\Windows\system32\Fbioei32.exe
45⤵
- Executes dropped EXE
PID:4920

C:\Windows\SysWOW64\Ficgacna.exe
C:\Windows\system32\Ficgacna.exe
46⤵
- Executes dropped EXE
PID:5092

C:\Windows\SysWOW64\Fmocba32.exe
C:\Windows\system32\Fmocba32.exe
47⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2696

C:\Windows\SysWOW64\Fomonm32.exe
C:\Windows\system32\Fomonm32.exe
48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5852

C:\Windows\SysWOW64\Fcikolnh.exe
C:\Windows\system32\Fcikolnh.exe
49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2576

C:\Windows\SysWOW64\Ffggkgmk.exe
C:\Windows\system32\Ffggkgmk.exe
50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1436

C:\Windows\SysWOW64\Fqmlhpla.exe
C:\Windows\system32\Fqmlhpla.exe
51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2408

C:\Windows\SysWOW64\Fckhdk32.exe
C:\Windows\system32\Fckhdk32.exe
52⤵
- Executes dropped EXE
- Modifies registry class
PID:5128

C:\Windows\SysWOW64\Fjepaecb.exe
C:\Windows\system32\Fjepaecb.exe
53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2816

C:\Windows\SysWOW64\Fmclmabe.exe
C:\Windows\system32\Fmclmabe.exe
54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:5052

C:\Windows\SysWOW64\Fcnejk32.exe
C:\Windows\system32\Fcnejk32.exe
55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4476

C:\Windows\SysWOW64\Fflaff32.exe
C:\Windows\system32\Fflaff32.exe
56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4448

C:\Windows\SysWOW64\Fijmbb32.exe
C:\Windows\system32\Fijmbb32.exe
57⤵
- Executes dropped EXE
- Modifies registry class
PID:424

C:\Windows\SysWOW64\Fqaeco32.exe
C:\Windows\system32\Fqaeco32.exe
58⤵
- Executes dropped EXE
PID:2064

C:\Windows\SysWOW64\Fodeolof.exe
C:\Windows\system32\Fodeolof.exe
59⤵
- Executes dropped EXE
- Modifies registry class
PID:4360

C:\Windows\SysWOW64\Gbcakg32.exe
C:\Windows\system32\Gbcakg32.exe
60⤵
- Executes dropped EXE
- Modifies registry class
PID:884

C:\Windows\SysWOW64\Gimjhafg.exe
C:\Windows\system32\Gimjhafg.exe
61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:6084

C:\Windows\SysWOW64\Gmhfhp32.exe
C:\Windows\system32\Gmhfhp32.exe
62⤵
- Executes dropped EXE
- Modifies registry class
PID:5912

C:\Windows\SysWOW64\Gogbdl32.exe
C:\Windows\system32\Gogbdl32.exe
63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4232

C:\Windows\SysWOW64\Gfqjafdq.exe
C:\Windows\system32\Gfqjafdq.exe
64⤵
- Executes dropped EXE
PID:5656

C:\Windows\SysWOW64\Giofnacd.exe
C:\Windows\system32\Giofnacd.exe
65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3924

C:\Windows\SysWOW64\Goiojk32.exe
C:\Windows\system32\Goiojk32.exe
66⤵
PID:5624

C:\Windows\SysWOW64\Gfcgge32.exe
C:\Windows\system32\Gfcgge32.exe
67⤵
PID:2992

C:\Windows\SysWOW64\Gmmocpjk.exe
C:\Windows\system32\Gmmocpjk.exe
68⤵
PID:3592

C:\Windows\SysWOW64\Gpklpkio.exe
C:\Windows\system32\Gpklpkio.exe
69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4372

C:\Windows\SysWOW64\Gcggpj32.exe
C:\Windows\system32\Gcggpj32.exe
70⤵
- Drops file in System32 directory
PID:6104

C:\Windows\SysWOW64\Gqkhjn32.exe
C:\Windows\system32\Gqkhjn32.exe
71⤵
PID:4596

C:\Windows\SysWOW64\Gbldaffp.exe
C:\Windows\system32\Gbldaffp.exe
72⤵
PID:4364

C:\Windows\SysWOW64\Gjclbc32.exe
C:\Windows\system32\Gjclbc32.exe
73⤵
- Drops file in System32 directory
- Modifies registry class
PID:5936

C:\Windows\SysWOW64\Gmaioo32.exe
C:\Windows\system32\Gmaioo32.exe
74⤵
- Drops file in System32 directory
PID:5764

C:\Windows\SysWOW64\Hclakimb.exe
C:\Windows\system32\Hclakimb.exe
75⤵
- Drops file in System32 directory
PID:2700

C:\Windows\SysWOW64\Hfjmgdlf.exe
C:\Windows\system32\Hfjmgdlf.exe
76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3620

C:\Windows\SysWOW64\Hihicplj.exe
C:\Windows\system32\Hihicplj.exe
77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:912

C:\Windows\SysWOW64\Hpbaqj32.exe
C:\Windows\system32\Hpbaqj32.exe
78⤵
- Drops file in System32 directory
PID:5376

C:\Windows\SysWOW64\Hfljmdjc.exe
C:\Windows\system32\Hfljmdjc.exe
79⤵
- Modifies registry class
PID:1000

C:\Windows\SysWOW64\Hikfip32.exe
C:\Windows\system32\Hikfip32.exe
80⤵
PID:2712

C:\Windows\SysWOW64\Hpenfjad.exe
C:\Windows\system32\Hpenfjad.exe
81⤵
- Drops file in System32 directory
PID:6068

C:\Windows\SysWOW64\Hbckbepg.exe
C:\Windows\system32\Hbckbepg.exe
82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2568

C:\Windows\SysWOW64\Hmioonpn.exe
C:\Windows\system32\Hmioonpn.exe
83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2368

C:\Windows\SysWOW64\Hpgkkioa.exe
C:\Windows\system32\Hpgkkioa.exe
84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3972

C:\Windows\SysWOW64\Hbeghene.exe
C:\Windows\system32\Hbeghene.exe
85⤵
- Modifies registry class
PID:3520

C:\Windows\SysWOW64\Hjmoibog.exe
C:\Windows\system32\Hjmoibog.exe
86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:752

C:\Windows\SysWOW64\Hippdo32.exe
C:\Windows\system32\Hippdo32.exe
87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1180

C:\Windows\SysWOW64\Hibljoco.exe
C:\Windows\system32\Hibljoco.exe
88⤵
- Drops file in System32 directory
PID:5036

C:\Windows\SysWOW64\Ipldfi32.exe
C:\Windows\system32\Ipldfi32.exe
89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:5416

C:\Windows\SysWOW64\Ibjqcd32.exe
C:\Windows\system32\Ibjqcd32.exe
90⤵
- Modifies registry class
PID:2220

C:\Windows\SysWOW64\Ijaida32.exe
C:\Windows\system32\Ijaida32.exe
91⤵
- Drops file in System32 directory
PID:5296

C:\Windows\SysWOW64\Impepm32.exe
C:\Windows\system32\Impepm32.exe
92⤵
PID:4508

C:\Windows\SysWOW64\Ipnalhii.exe
C:\Windows\system32\Ipnalhii.exe
93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2736

C:\Windows\SysWOW64\Icjmmg32.exe
C:\Windows\system32\Icjmmg32.exe
94⤵
PID:1104

C:\Windows\SysWOW64\Ijdeiaio.exe
C:\Windows\system32\Ijdeiaio.exe
95⤵
PID:5264

C:\Windows\SysWOW64\Imbaemhc.exe
C:\Windows\system32\Imbaemhc.exe
96⤵
PID:5708

C:\Windows\SysWOW64\Ipqnahgf.exe
C:\Windows\system32\Ipqnahgf.exe
97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3732

C:\Windows\SysWOW64\Icljbg32.exe
C:\Windows\system32\Icljbg32.exe
98⤵
- Modifies registry class
PID:5076

C:\Windows\SysWOW64\Ifjfnb32.exe
C:\Windows\system32\Ifjfnb32.exe
99⤵
- Drops file in System32 directory
PID:1956

C:\Windows\SysWOW64\Iiibkn32.exe
C:\Windows\system32\Iiibkn32.exe
100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:692

C:\Windows\SysWOW64\Iapjlk32.exe
C:\Windows\system32\Iapjlk32.exe
101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5124

C:\Windows\SysWOW64\Idofhfmm.exe
C:\Windows\system32\Idofhfmm.exe
102⤵
PID:5596

C:\Windows\SysWOW64\Ifmcdblq.exe
C:\Windows\system32\Ifmcdblq.exe
103⤵
- Drops file in System32 directory
- Modifies registry class
PID:3380

C:\Windows\SysWOW64\Iikopmkd.exe
C:\Windows\system32\Iikopmkd.exe
104⤵
PID:3812

C:\Windows\SysWOW64\Ifopiajn.exe
C:\Windows\system32\Ifopiajn.exe
105⤵
PID:5488

C:\Windows\SysWOW64\Iinlemia.exe
C:\Windows\system32\Iinlemia.exe
106⤵
- Modifies registry class
PID:5636

C:\Windows\SysWOW64\Jaedgjjd.exe
C:\Windows\system32\Jaedgjjd.exe
107⤵
PID:1832

C:\Windows\SysWOW64\Jpgdbg32.exe
C:\Windows\system32\Jpgdbg32.exe
108⤵
- Modifies registry class
PID:5064

C:\Windows\SysWOW64\Jbfpobpb.exe
C:\Windows\system32\Jbfpobpb.exe
109⤵
PID:1496

C:\Windows\SysWOW64\Jjmhppqd.exe
C:\Windows\system32\Jjmhppqd.exe
110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2728

C:\Windows\SysWOW64\Jmkdlkph.exe
C:\Windows\system32\Jmkdlkph.exe
111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4352

C:\Windows\SysWOW64\Jpjqhgol.exe
C:\Windows\system32\Jpjqhgol.exe
112⤵
PID:4188

C:\Windows\SysWOW64\Jbhmdbnp.exe
C:\Windows\system32\Jbhmdbnp.exe
113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:5768

C:\Windows\SysWOW64\Jjpeepnb.exe
C:\Windows\system32\Jjpeepnb.exe
114⤵
- Drops file in System32 directory
PID:1940

C:\Windows\SysWOW64\Jaimbj32.exe
C:\Windows\system32\Jaimbj32.exe
115⤵
PID:3828

C:\Windows\SysWOW64\Jdhine32.exe
C:\Windows\system32\Jdhine32.exe
116⤵
- Drops file in System32 directory
PID:2628

C:\Windows\SysWOW64\Jfffjqdf.exe
C:\Windows\system32\Jfffjqdf.exe
117⤵
PID:4756

C:\Windows\SysWOW64\Jmpngk32.exe
C:\Windows\system32\Jmpngk32.exe
118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4148

C:\Windows\SysWOW64\Jpojcf32.exe
C:\Windows\system32\Jpojcf32.exe
119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:404

C:\Windows\SysWOW64\Jdjfcecp.exe
C:\Windows\system32\Jdjfcecp.exe
120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3708

C:\Windows\SysWOW64\Jfhbppbc.exe
C:\Windows\system32\Jfhbppbc.exe
121⤵
PID:5668

C:\Windows\SysWOW64\Jigollag.exe
C:\Windows\system32\Jigollag.exe
122⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2860

C:\Windows\SysWOW64\Jangmibi.exe
C:\Windows\system32\Jangmibi.exe
123⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3040

C:\Windows\SysWOW64\Jdmcidam.exe
C:\Windows\system32\Jdmcidam.exe
124⤵
- Modifies registry class
PID:5664

C:\Windows\SysWOW64\Jkfkfohj.exe
C:\Windows\system32\Jkfkfohj.exe
125⤵
PID:2168

C:\Windows\SysWOW64\Kmegbjgn.exe
C:\Windows\system32\Kmegbjgn.exe
126⤵
PID:2208

C:\Windows\SysWOW64\Kdopod32.exe
C:\Windows\system32\Kdopod32.exe
127⤵
- Modifies registry class
PID:5672

C:\Windows\SysWOW64\Kbapjafe.exe
C:\Windows\system32\Kbapjafe.exe
128⤵
- Drops file in System32 directory
PID:2964

C:\Windows\SysWOW64\Kkihknfg.exe
C:\Windows\system32\Kkihknfg.exe
129⤵
- Drops file in System32 directory
- Modifies registry class
PID:5112

C:\Windows\SysWOW64\Kmgdgjek.exe
C:\Windows\system32\Kmgdgjek.exe
130⤵
PID:4492

C:\Windows\SysWOW64\Kpepcedo.exe
C:\Windows\system32\Kpepcedo.exe
131⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2020

C:\Windows\SysWOW64\Kbdmpqcb.exe
C:\Windows\system32\Kbdmpqcb.exe
132⤵
- Modifies registry class
PID:4244

C:\Windows\SysWOW64\Kkkdan32.exe
C:\Windows\system32\Kkkdan32.exe
133⤵
PID:4036

C:\Windows\SysWOW64\Kmjqmi32.exe
C:\Windows\system32\Kmjqmi32.exe
134⤵
PID:3356

C:\Windows\SysWOW64\Kaemnhla.exe
C:\Windows\system32\Kaemnhla.exe
135⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2008

C:\Windows\SysWOW64\Kdcijcke.exe
C:\Windows\system32\Kdcijcke.exe
136⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1864

C:\Windows\SysWOW64\Kgbefoji.exe
C:\Windows\system32\Kgbefoji.exe
137⤵
- Drops file in System32 directory
PID:3480

C:\Windows\SysWOW64\Kipabjil.exe
C:\Windows\system32\Kipabjil.exe
138⤵
- Drops file in System32 directory
PID:4908

C:\Windows\SysWOW64\Kagichjo.exe
C:\Windows\system32\Kagichjo.exe
139⤵
PID:3176

C:\Windows\SysWOW64\Kdffocib.exe
C:\Windows\system32\Kdffocib.exe
140⤵
PID:4952

C:\Windows\SysWOW64\Kgdbkohf.exe
C:\Windows\system32\Kgdbkohf.exe
141⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1252

C:\Windows\SysWOW64\Kdhbec32.exe
C:\Windows\system32\Kdhbec32.exe
142⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:6160

C:\Windows\SysWOW64\Liekmj32.exe
C:\Windows\system32\Liekmj32.exe
143⤵
- Drops file in System32 directory
PID:6200

C:\Windows\SysWOW64\Lalcng32.exe
C:\Windows\system32\Lalcng32.exe
144⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:6232

C:\Windows\SysWOW64\Ldkojb32.exe
C:\Windows\system32\Ldkojb32.exe
145⤵
- Modifies registry class
PID:6280

C:\Windows\SysWOW64\Lgikfn32.exe
C:\Windows\system32\Lgikfn32.exe
146⤵
- Drops file in System32 directory
- Modifies registry class
PID:6316

C:\Windows\SysWOW64\Liggbi32.exe
C:\Windows\system32\Liggbi32.exe
147⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:6356

C:\Windows\SysWOW64\Lmccchkn.exe
C:\Windows\system32\Lmccchkn.exe
148⤵
PID:6404

C:\Windows\SysWOW64\Ldmlpbbj.exe
C:\Windows\system32\Ldmlpbbj.exe
149⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6448

C:\Windows\SysWOW64\Lgkhlnbn.exe
C:\Windows\system32\Lgkhlnbn.exe
150⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6492

C:\Windows\SysWOW64\Lijdhiaa.exe
C:\Windows\system32\Lijdhiaa.exe
151⤵
- Modifies registry class
PID:6540

C:\Windows\SysWOW64\Lcbiao32.exe
C:\Windows\system32\Lcbiao32.exe
152⤵
PID:6584

C:\Windows\SysWOW64\Laciofpa.exe
C:\Windows\system32\Laciofpa.exe
153⤵
PID:6632

C:\Windows\SysWOW64\Lgpagm32.exe
C:\Windows\system32\Lgpagm32.exe
154⤵
PID:6672

C:\Windows\SysWOW64\Laefdf32.exe
C:\Windows\system32\Laefdf32.exe
155⤵
PID:6716

C:\Windows\SysWOW64\Mjqjih32.exe
C:\Windows\system32\Mjqjih32.exe
156⤵
PID:6760

C:\Windows\SysWOW64\Mahbje32.exe
C:\Windows\system32\Mahbje32.exe
157⤵
- Drops file in System32 directory
PID:6800

C:\Windows\SysWOW64\Mnocof32.exe
C:\Windows\system32\Mnocof32.exe
158⤵
- Drops file in System32 directory
PID:6848

C:\Windows\SysWOW64\Mpmokb32.exe
C:\Windows\system32\Mpmokb32.exe
159⤵
- Drops file in System32 directory
- Modifies registry class
PID:6892

C:\Windows\SysWOW64\Mkbchk32.exe
C:\Windows\system32\Mkbchk32.exe
160⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:6936

C:\Windows\SysWOW64\Mnapdf32.exe
C:\Windows\system32\Mnapdf32.exe
161⤵
PID:6976

C:\Windows\SysWOW64\Mpolqa32.exe
C:\Windows\system32\Mpolqa32.exe
162⤵
PID:7016

C:\Windows\SysWOW64\Mcnhmm32.exe
C:\Windows\system32\Mcnhmm32.exe
163⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:7056

C:\Windows\SysWOW64\Mgidml32.exe
C:\Windows\system32\Mgidml32.exe
164⤵
- Drops file in System32 directory
PID:7096

C:\Windows\SysWOW64\Mjhqjg32.exe
C:\Windows\system32\Mjhqjg32.exe
165⤵
- Drops file in System32 directory
PID:7144

C:\Windows\SysWOW64\Mpaifalo.exe
C:\Windows\system32\Mpaifalo.exe
166⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:6172

C:\Windows\SysWOW64\Mcpebmkb.exe
C:\Windows\system32\Mcpebmkb.exe
167⤵
- Modifies registry class
PID:6240

C:\Windows\SysWOW64\Mkgmcjld.exe
C:\Windows\system32\Mkgmcjld.exe
168⤵
PID:6312

C:\Windows\SysWOW64\Mnfipekh.exe
C:\Windows\system32\Mnfipekh.exe
169⤵
PID:6400

C:\Windows\SysWOW64\Mpdelajl.exe
C:\Windows\system32\Mpdelajl.exe
170⤵
- Modifies registry class
PID:6440

C:\Windows\SysWOW64\Mdpalp32.exe
C:\Windows\system32\Mdpalp32.exe
171⤵
- Drops file in System32 directory
PID:6524

C:\Windows\SysWOW64\Mcbahlip.exe
C:\Windows\system32\Mcbahlip.exe
172⤵
PID:6564

C:\Windows\SysWOW64\Nkjjij32.exe
C:\Windows\system32\Nkjjij32.exe
173⤵
- Drops file in System32 directory
PID:6664

C:\Windows\SysWOW64\Njljefql.exe
C:\Windows\system32\Njljefql.exe
174⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:6728

C:\Windows\SysWOW64\Nacbfdao.exe
C:\Windows\system32\Nacbfdao.exe
175⤵
- Modifies registry class
PID:6796

C:\Windows\SysWOW64\Nqfbaq32.exe
C:\Windows\system32\Nqfbaq32.exe
176⤵
- Modifies registry class
PID:6868

C:\Windows\SysWOW64\Nceonl32.exe
C:\Windows\system32\Nceonl32.exe
177⤵
PID:6928

C:\Windows\SysWOW64\Ngpjnkpf.exe
C:\Windows\system32\Ngpjnkpf.exe
178⤵
PID:7024

C:\Windows\SysWOW64\Njogjfoj.exe
C:\Windows\system32\Njogjfoj.exe
179⤵
- Drops file in System32 directory
PID:7104

C:\Windows\SysWOW64\Nafokcol.exe
C:\Windows\system32\Nafokcol.exe
180⤵
PID:7156

C:\Windows\SysWOW64\Nddkgonp.exe
C:\Windows\system32\Nddkgonp.exe
181⤵
- Drops file in System32 directory
PID:6224

C:\Windows\SysWOW64\Ngcgcjnc.exe
C:\Windows\system32\Ngcgcjnc.exe
182⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6352

C:\Windows\SysWOW64\Nkncdifl.exe
C:\Windows\system32\Nkncdifl.exe
183⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6436

C:\Windows\SysWOW64\Nnmopdep.exe
C:\Windows\system32\Nnmopdep.exe
184⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:6532

C:\Windows\SysWOW64\Nqklmpdd.exe
C:\Windows\system32\Nqklmpdd.exe
185⤵
- Drops file in System32 directory
PID:6640

C:\Windows\SysWOW64\Ndghmo32.exe
C:\Windows\system32\Ndghmo32.exe
186⤵
PID:6768

C:\Windows\SysWOW64\Ngedij32.exe
C:\Windows\system32\Ngedij32.exe
187⤵
- Drops file in System32 directory
PID:6888

C:\Windows\SysWOW64\Njcpee32.exe
C:\Windows\system32\Njcpee32.exe
188⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:7008

C:\Windows\SysWOW64\Nnolfdcn.exe
C:\Windows\system32\Nnolfdcn.exe
189⤵
- Drops file in System32 directory
PID:7080

C:\Windows\SysWOW64\Nqmhbpba.exe
C:\Windows\system32\Nqmhbpba.exe
190⤵
PID:940

C:\Windows\SysWOW64\Ncldnkae.exe
C:\Windows\system32\Ncldnkae.exe
191⤵
PID:6416

C:\Windows\SysWOW64\Nkcmohbg.exe
C:\Windows\system32\Nkcmohbg.exe
192⤵
PID:6592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6592 -s 408
193⤵
- Program crash
PID:6972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 6592 -ip 6592
1⤵
PID:6856

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Camfbm32.exe
Filesize
128KB

MD5
89bf015d287a6e964cbbf170091a8439

SHA1
9ae2778a27585a766ebd3c8bacc0ae9f94d3b255

SHA256
73015b553a384a9a70fed63ad67e1d640cd22682699e662812df9f5ba06383e4

SHA512
51b6599d1e12b9212089cf0f6621f9be28cc2c6263e4e21db8bb3a0dc71f48590d6675168eb699469d5acd346597afa24b040c225b124847197a75e23a9be983

Download Submit
C:\Windows\SysWOW64\Capchmmb.exe
Filesize
128KB

MD5
a43ee3816ea0fca99432f09f1c79026f

SHA1
dac0c0702d46aeea5ed61a94d3b10eaee5eb0238

SHA256
6c6055780c84d24d2b0f385e4cbeae60ae46625a466fccc3ab932dfb35cb0299

SHA512
79977e4ffa3fc74c7c7f89ea8766e213582322e3adead3ec96bc3a9369a8c745a231dd6592aeb52dd6d3ec68ef90ff98c5dbfb7e4448bda3c046a8f1693d36be

Download Submit
C:\Windows\SysWOW64\Cidncj32.exe
Filesize
128KB

MD5
df5eff0e1cdf0fe2bca01f03ca900a8b

SHA1
fcc60d111e61c7a335ff9667a9ed728f0d6ad4c9

SHA256
e8033790af7a81d429990a44bc1ad26cae402597d3d762a67a47b1ec739f1d11

SHA512
b1adbcd047ac61e75812c56b1588fce625bdda9628df5255b24b91706527ba8700598c92bad741fefe66ad7f51b79e612401a92cf7a00301535e345745b2b378

Download Submit
C:\Windows\SysWOW64\Coagla32.exe
Filesize
128KB

MD5
d1a2234dabf3b62a9ec95871aef9b10b

SHA1
0e30cc19640cf0ae88c90419858ea7e38fd0ec9d

SHA256
6847b8bb73ee8e274c2f3a55172225785fe7e19373b389e1e2055a27bf22547e

SHA512
3cb728bdee721de263ca8fa2836163438b346680a07a65c1f485c795682ef2db21ffdf94e27e3b547829962218fd0cc91043bfd46298879c544411728d71bdfb

Download Submit
C:\Windows\SysWOW64\Cpljkdig.exe
Filesize
128KB

MD5
55ae7470f76a10618ebbbc722ef8b829

SHA1
45fcd09cf0b2c6e0fa0e440d91c48e3ce66b0fd0

SHA256
363f4288e0d8334687989e21677449f01329249ad9471ffb6e3d3f8855382752

SHA512
1c4d8eba82900c2bf3413a5e43a4ea8e7d8c740d5240a35d5bc54fdb9bdd2122c2f51e3b6f30983882e01ee5c896750bc1ce79ad659734e90bd6595c793b5dec

Download Submit
C:\Windows\SysWOW64\Cpofpdgd.exe
Filesize
128KB

MD5
7db2a22e8dc4b7f90f8d90c6e7c63d09

SHA1
bd417ecc9b70b46ee11f558cb50e7a381f104134

SHA256
17d09ce27ec809596c8ffedc4e2d98cc19d6190a78db60dd90de7628a4a166d7

SHA512
5f7efebbbe0a184b900e5f848cb43fd3b96f024c5eb122de6e379e30b213ef2dbc77a29305b7768ea4eba3d10fabc72254fbd568082ca70b3257475eda2078b9

Download Submit
C:\Windows\SysWOW64\Dadlclim.exe
Filesize
128KB

MD5
253397f928ab5eacf195b7ade855d262

SHA1
a62c57061610e81c24475f7866c81fe6fdd708c9

SHA256
ca2830bdd554911d036ebc75a6be7a669c478eeb4ec1a9a6bc1a078a3c3f3e14

SHA512
2876d4c6b90fd226d2068f8f09ae952a4c4181d1f376177388ce35db0e4abf0245dbc4ce4942b754d2e0fd41b4dab7a2ec112d4d3378b19c637a74ccba4d409e

Download Submit
C:\Windows\SysWOW64\Dakbckbe.exe
Filesize
128KB

MD5
a2ec4662c233b9a92266385701cfaaee

SHA1
1bd5e1901b26270bfc6be6dac064b46ebe2d1072

SHA256
9dbcdd42b07820a4bc25b826d02917ce58bdace31f64f2c7b5c088e206d720b0

SHA512
708d8bdd429cccf06b7b775aeb0203cb4d8beed84948ce4586e91b78add5629fa2c58bce70bea7c5c7018f194dfdcae5a143243ed2eec457aed8a4771a02e5f4

Download Submit
C:\Windows\SysWOW64\Dcdimopp.exe
Filesize
128KB

MD5
c886b536511bcffa24d1039beb1b6988

SHA1
fdfcc223ccac64502cc906969e6192ccd9172d0f

SHA256
f64711d780e2429a6904203d0b3a2004211ba7cc14219ebc7fb947cbdbbc2dac

SHA512
34ed63fc78437b27f3d1cd0b74fbcd9b41165c924e57c78ad6127cf2336541071f0d7f804cabbd5f048b5306361f886f7b3084a58ed79434069e90ad6cb0b07c

Download Submit
C:\Windows\SysWOW64\Debeijoc.exe
Filesize
128KB

MD5
b749a33add016467e6cb5bcfd6bf1d40

SHA1
1ea3b7f2b0df4f451f3bda93480bda1c6570ce52

SHA256
34ba98b30f9f139e30be39e7e71bcbf29ba7e3b2aad10f9cab1610881154ffad

SHA512
1723ca47fe0c53d5b867960a74d8173588acfb4a7bfcff882f11314fdb404bb7c4c252a5063234343336e22fb22ef63821cfffd13845d60464bf44b573b60ae3

Download Submit
C:\Windows\SysWOW64\Denlnk32.exe
Filesize
128KB

MD5
86fe90952acd7f54af6efbf1eeacf764

SHA1
0f10aa3f833cdef641ff18110d44f2aa2a1958f8

SHA256
90c57136329a1714fb4a607da3fa4a9e736849434aa6ef927e7985ab84d9a8c2

SHA512
f73dfd962a6929a564784bfbf07f441c64fefa958c0238e7102344dd5578155bcb4c6351e2835d4f10677a62c978bee265b9ac5c41fb81a6087e325b7868fd51

Download Submit
C:\Windows\SysWOW64\Dhcnke32.exe
Filesize
128KB

MD5
df773b473f478fb2c559ee7c356803e0

SHA1
02b2e912e3e28ac080e37df1c21f08470eb10507

SHA256
517e427218b2f9111cdb78bd7a18e9c9435e523c238718153463526dd26beba0

SHA512
4b942b2e837baf79fc37480e8f67e10561d35c621297374152646a0897b77ff86a3ebc2a7217d8411052cc977b7d407e4015d6024a04785700b2f5ab0d6a8050

Download Submit
C:\Windows\SysWOW64\Digkijmd.exe
Filesize
128KB

MD5
b3d3cb550c97e2d0693ee40104f295f1

SHA1
5b09a9fb572c5923d6fa22ed32c8c016be0f4e64

SHA256
1e9ba6f74ebbe0e463e4cce726a3cc660ae4f57bde4f8f549924c5ece9c560b0

SHA512
bf8e75f65b215af5ace0bb51ff3c0e9a0805ed5207d60d42a5af86e7bbcf6c2dfa197f42c8df65bfe25fb9698456c08e32128595ccde83d9caf0d144627e90e9

Download Submit
C:\Windows\SysWOW64\Djlddi32.exe
Filesize
128KB

MD5
2edc12baca1504590065361ca1a773f8

SHA1
ab6f56eb02253a9d1ccd5a8cb40f14c1cad8353e

SHA256
a937d6b721ab14efa36f25963b231a7c98e9a1cfe90f8bc3135f7e5b77fb0ae9

SHA512
675f0483df66e289c6d23f0eb13f239201ffb9f3b0d5ddc836e78071c4c0ef212bead0286eb101a9a4251d4af978e7fffa935b1a090586a3f46ba722c5828d24

Download Submit
C:\Windows\SysWOW64\Dlegeemh.exe
Filesize
128KB

MD5
ecff23feff4cdcc4e8623d2c1cd709aa

SHA1
47ae8140990e277b2f90853ff4b5d51e71e0fb8d

SHA256
7fc94d3335b9960615db36b4587bcf1f619b22481e16b649098f47a5a2ee8552

SHA512
f7681d14d928bc493c75f5fb9cc4e8dba82c0f8f95e33ac782afd619616a1432deef2271c5f0c457f53c32b2e351e4b454ba75c892d1e19f3c461c30a5a97b71

Download Submit
C:\Windows\SysWOW64\Dljqpd32.exe
Filesize
128KB

MD5
b603892232b22c61bc12697c677a15b3

SHA1
1408bdb51508cfb15f437fb8046f5ff0febbdd9c

SHA256
7d9e71eeb78b2ce4736dd4a151f53249414287fbdff5fae3b2d5994aa70003fc

SHA512
5645655cf4a9fd95382a5d8ce43eaff6f3e82ce9faa732345ee971a982b1f9cdb334fcff875823651a3de4adfe17b803e82fc2e3ccd5202f67f1c28e4c51254e

Download Submit
C:\Windows\SysWOW64\Dllmfd32.exe
Filesize
128KB

MD5
21c19f1652f928e77339415e202bd419

SHA1
df542db72ca0c81ee95d73454426685cfd35916c

SHA256
ecb3b3fc7944f94a4110530edbda71d436f332fda867dd5caaebf7bf91e8fe6b

SHA512
93e7b4d81193dad85ccf7fae1e2ce3c4de877b8f6c323f31866e80793e5d015250274aa62364002e251af41176aecfb59f17e9095d97ab76efa6f83e3640338b

Download Submit
C:\Windows\SysWOW64\Dokjbp32.exe
Filesize
128KB

MD5
80281f0031946d0dd6358464f9618840

SHA1
5c6cba7d93f0eb88046c1c9d2b5d71d2048b8dc9

SHA256
0292938a190e84a71876e06bfd7eeb46b4b895a27bf5d5472d5981f2cec8d8f8

SHA512
033e787cd4294a7c47b8078837f7b24f975e4d31c841ff00f2b6d7f543035f5e17e71695387369a6fb3abbe625195eb49837535520ff423dbc07cd648ca528b4

Download Submit
C:\Windows\SysWOW64\Dpacfd32.exe
Filesize
128KB

MD5
bcf706072d956ce6738dc0d36051870c

SHA1
c36b7cac48be241717618902256b5e27c91f70c9

SHA256
3d3e384a22339ed552722805d12c2b31f9da45d2f4c172c638a406e4234e5ed9

SHA512
b10fd602bfd5ba09af2f79a38632fe4ba30d5052cfdeac018f991d4f1560ac05e9733d407b1131092022558445bae6a6319c12cd2ebda577db4778e36a815f2d

Download Submit
C:\Windows\SysWOW64\Dpcpkc32.exe
Filesize
128KB

MD5
f9c942e2bbb0fb1f95bec77016217074

SHA1
ac84d353cc0f06849d809fbea90b5deabb628c2c

SHA256
974a7898005588c5ba6a4a4092eb1349bdc010d49234a18198a40b7a7477cdb0

SHA512
e5cd6092d3539d2b6e586304ef3abf9e50a40fe0eea7f740e0b3b3536b66488add70af8ad4db36cdc986a9aafdbb2dd1f49b4cfb790068eab1f496852382a6ae

Download Submit
C:\Windows\SysWOW64\Dpjflb32.exe
Filesize
128KB

MD5
19782627a468a8293428b59b68fde9d1

SHA1
18b8ddd6fed9e3552e8d83d01c9b0f6825ea9289

SHA256
b1be1d144040f43410f527a9736bd9bc2bbf6a08d6010683b6590986a4806d80

SHA512
1e0737a4ef0832a8634a3bd0f949e4564b65cb87680140d5e25bbe1cb93812111f019fe7e04c4c2b2175a4b61018f394a4f64164263190e690abec7b7b646222

Download Submit
C:\Windows\SysWOW64\Ebploj32.exe
Filesize
128KB

MD5
3548dce96b3c98b3131cd26f8ca93f31

SHA1
a3c82b8acefab19e4a1e9d2d7f033c2bf9be72e5

SHA256
9c377d44ee68ed1f88499447f57f6ffbe405329d37d2bd7265454be009b35577

SHA512
df1c2268a4d240c5b2500ff85cc7e6e9a22a53d502c9338c66ed85a7f47234e7c7d4c7ca2dfb3306eb3d38466e6719163e6a2112b9f2d5146baa5f47dd9a1dc5

Download Submit
C:\Windows\SysWOW64\Efneehef.exe
Filesize
128KB

MD5
c01e0a50738d17c919b409e42a1754e1

SHA1
e9efaf1ed3cf41fbb03ca7769aba730278b9194d

SHA256
adf0620951efcb09dcb629c6dbef47c016431803d7977fcd75672318ba36fbe8

SHA512
0142607922272f723369a45c395f57b796ae96eaa5878a3568fcb3ba4934209f0bae9be8d1774896bcfa1f39ea692b79e2e38605d0ab7a6d4cd8d78d686489bd

Download Submit
C:\Windows\SysWOW64\Ejbkehcg.exe
Filesize
128KB

MD5
d368996137f15e389e1e7a72db1f9bfb

SHA1
aa7861dc0d57a6ed0487747c341525dda32dc02b

SHA256
6df0f79e621e529abf8ab5c3aef42ddb4fb80e6aa2a80f3b253746bc134ad3fe

SHA512
783bf2a51d4b5cae711b38cbd198f8b5426c38547a2658b3e6356ae09dba28d1f75f1757efadbe0b292c42570b15d1fd6c328f23464902b9d58bcf43790cba6f

Download Submit
C:\Windows\SysWOW64\Ejegjh32.exe
Filesize
128KB

MD5
a5ebb3dbdb54cee59baddcb9f3cfce3e

SHA1
cf67a619a25f646b99195a605a6bef20b766a190

SHA256
9f971eaf804561cbaf7381ff2f675b8f8ced2cb2303dfd3c42bee351dac94049

SHA512
aa6d09c7d628dabd4c9636aa8bd355dd4e4d5b91d8f0776e6c3f2594e476f66b1b98ab90c4ebf4c8ffddf0d6e59bf36f4f69a1b305bba011f307e53fab7c2a7a

Download Submit
C:\Windows\SysWOW64\Ejgdpg32.exe
Filesize
128KB

MD5
219ebb4d1e1dbb77a46f639e555499d8

SHA1
ac9d403e7c59b2019629698ecbe7e9660b73911d

SHA256
a88861c71c478aab4f19c0a17edb8fffad89a5bec2c1d4d6cf7dae8fbe48d775

SHA512
47cb5750d6cdc807820dca6a141e9b3189ab5309a3d93d6e1629273dea80fc6b056eb24d7517a75bb4889ff00295d0b29370428b53df610066689e58815ca9f6

Download Submit
C:\Windows\SysWOW64\Elagacbk.exe
Filesize
128KB

MD5
7a7942615724c2c2df7821c27b422050

SHA1
9ee80fc3f0516c249d057a0d95f4e80231501a74

SHA256
a00a91801f9088e6424d5150362bfd680fc0ddf74a642c79c39675655783f70d

SHA512
f146e88dc0f1d64e92733388c63debf1567ab1e15294ce39025209e9fa4f66a2aae9a44b12ac92196ffd2a7bc6664d850a34d6dc1738a32c7146b049878cfaba

Download Submit
C:\Windows\SysWOW64\Elccfc32.exe
Filesize
128KB

MD5
286782386b7b214d148b62577d2c48f8

SHA1
ba81a0c2b46a193d143f8297187f0f945f991aba

SHA256
e865ea1cb3c20aabbd234a524e1c460eda202de5b702897384a76988879ec196

SHA512
3fb314afaacd9fdd3dcbad181992b526308262fd77514a140bf3bd86ee023f8ea1034a0a5dbc44548e9a13b8fb0139eb6ea551459df7f2696a25c5d9b4c370d0

Download Submit
C:\Windows\SysWOW64\Eleplc32.exe
Filesize
128KB

MD5
f7955cd2b011a89df71d6c6b2e5c12d1

SHA1
b272903b4e581f3cdfd415eec15a21722bc2dc26

SHA256
c110339d80b1d1d580d92b4f4c645d6b363c9c4c6adf655ec305a939924cfb24

SHA512
70736c3519396f86efc394263a8d12440371b9b8442f92d967c85bee30a9f43a589a6464cbaba3595417c7a2e168ecacb3b5ee4a8c18555541a4478fbb9b56ea

Download Submit
C:\Windows\SysWOW64\Eoapbo32.exe
Filesize
128KB

MD5
c91cdf501a88098e46be0cb5ca10a495

SHA1
30957b6ba45e4848c8389c20dd668ed4bf568c06

SHA256
bea223fbcd452f753d05c92d6fbdcde97b9ee5b2b2544b4747412f96d78bf9f7

SHA512
72f8a89836cd488062756bb78416a9c687de5fde98f1358c40655397fec9f6937da43dd1c2904119fc10b06df468ac83dc3cba7285c61781a97fe3945d32bdcd

Download Submit
C:\Windows\SysWOW64\Eodlho32.exe
Filesize
128KB

MD5
758ed51e01dd814eb7982087103d2efa

SHA1
2131b05846278b2dd61ae036b14a7aeed1a6eb7c

SHA256
d98832a22c04b35cac9222e5a77426aeb47e9d1e44879314ba3f559f99b527cb

SHA512
6a24efa76ab3883da8766709be4750fe0b2dcf5f0f6d194e6aff121313110d539459a631b02f4bc48361d6d358fde4a9c275738cb06af5f5fff73697951aaba6

Download Submit
C:\Windows\SysWOW64\Eoifcnid.exe
Filesize
128KB

MD5
39674d69f485826386bf234b7597d1bb

SHA1
94b3316f552da0bb9239f8ba494517bfcb8fe8fe

SHA256
c04969393534817c861cd05527092db7d095f612f4aba23a85781a0337db893a

SHA512
65b679db88e1d76b5897ac1e4da6e922c70d6f49aa762f63144c8f1c69f4b125c35171364f0b3dadc4f93dadf0dbe620f9abb1d2664912083af59b8abce52550

Download Submit
C:\Windows\SysWOW64\Epmcab32.exe
Filesize
128KB

MD5
8c3a46c5903bfe00c43e7e43c336608f

SHA1
0ffb11282c83e64c5a8e2a44bc86d7f6e7adb4cf

SHA256
71b7336ac7f67b64e0d624884b86cbd39303c184743f2c14906272323375dbfe

SHA512
04c1b6254a55bdb704f9b46c1fb1ea1fb4fd9cce943d17bb0fc8caec01d45c47a1b4456db5672b9c5dcfda0f7153f1bf2bcb9db86c17da4bae64796b0ffb987e

Download Submit
C:\Windows\SysWOW64\Fqmlhpla.exe
Filesize
128KB

MD5
1647f10ab4c99d635e1daa56497777ef

SHA1
249ea5e3beb37845414df7128645ddf5be3d4515

SHA256
fce88ea9a41daa15d275053445df185e71edba41a29f2185adb3958ffdabff52

SHA512
5af66ff0500914617405e51b21c87d8430abb8d998f2faa5e551dcf03e2da2da7d4a31ccb5bf684ddd61402b5eca9422ce358684f3741b2064e92f0f25133249

Download Submit
C:\Windows\SysWOW64\Iindogea.dll
Filesize
7KB

MD5
befbe91204d05793e3526ccca4f8e0b9

SHA1
518e91a7f891c50161c5bf230213f0b3459aa469

SHA256
5d7735bf95bb13eefd8c11e99a69762c2ebf700c7be837a9852667b8a41de55e

SHA512
0bf95873eb2feae48a8ffd7ab43f4ac058733014f8d1da1b2461f48edc548f1c53a2ba139e78aa7fe7760ff93281c71dc2924bc3c4ba86ca5b3ea1355b7dde9b

Download Submit
C:\Windows\SysWOW64\Ijdeiaio.exe
Filesize
128KB

MD5
609039e3140c6c031d3eb745b772c4af

SHA1
4d16609ea1c8495f54a474cc8d3519d726c647d4

SHA256
69742609d6ae331e3cad8f829b4792e909127c736d80bb057849188444bde394

SHA512
01cb178fc853e3198ccea710bf02989e6c8c41111738f18f8b8a19b57583fd913a6611ee3463b4a1a55a8e136d017100611558f48bac33b12088a9cd06b8c6a5

Download Submit
C:\Windows\SysWOW64\Lcbiao32.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\SysWOW64\Mkgmcjld.exe
Filesize
128KB

MD5
ce1db7c05e7541f6391342e838362b0b

SHA1
e4c19afcf56161712f32a6b9b6e715ee8f21e6ec

SHA256
5f447fa7faf8f4526d760b950b854312dd99e8e2c38f1f84382d93a638b6139c

SHA512
c3db84e77fd71aa4824905afee6cfcfc16a0df6831932ce306e83d30c709970c71212a138dc11c8653e3c38222d6d23ba1a18ab557da8308d958c20666ca9cec

Download Submit
C:\Windows\SysWOW64\Nqfbaq32.exe
Filesize
128KB

MD5
a0de878c2a4aa48426fc470c1a417449

SHA1
b9956bb0744afb9971360361fdaef269521a5eff

SHA256
8f1f8655104c5bd4e392b786ecce82aaf29b91ef1c911cc891bd455ff690a181

SHA512
0489b23db50220f2acd8b5b2839ba3de3df10dfd01650bb52104cbd6e882f6deb9e807c4667bf81c75e1e4cc18578647e39b1adcd57e1f98d56129d6379b4407

Download Submit
memory/424-401-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/664-585-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/664-40-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/752-582-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/876-316-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/884-422-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/912-520-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/964-160-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1000-536-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1180-586-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1232-219-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1332-248-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1436-358-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1744-278-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1920-55-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1980-100-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2064-410-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2224-56-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2224-592-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2368-563-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2376-124-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2408-364-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2428-128-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2568-551-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2572-188-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2576-355-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2656-261-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2696-344-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2700-510-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2712-543-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2816-376-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2892-272-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2940-550-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2940-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2952-297-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2992-460-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3064-64-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3064-599-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3160-308-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3520-577-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3592-470-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3600-144-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3620-518-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3632-105-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3684-322-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3768-229-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3784-235-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3924-452-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3972-570-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3992-244-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4128-117-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4232-440-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4360-412-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4364-490-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4372-475-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4448-398-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4476-392-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4528-291-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4556-578-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4556-36-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4580-280-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4596-484-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4624-152-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4732-16-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4732-564-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4764-79-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4776-557-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4776-8-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4920-328-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4948-571-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4948-24-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5032-212-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5036-593-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5052-382-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5080-300-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5092-338-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5116-200-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5128-370-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5372-266-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5376-526-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5520-88-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5584-140-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5624-459-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5656-446-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5764-502-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5772-192-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5804-72-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5820-172-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5828-180-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5852-350-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5912-434-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5936-500-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5944-310-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/6068-548-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/6084-428-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/6104-478-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download