e527a44bf89d0c998f4d5a0a36ce040133f735e14118a383593c9bc5c2decaed

Analysis

max time kernel
142s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
26-05-2024 20:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

33efafc2055436b75e1b12bdd300dc20_NeikiAnalytics.exe
Size

161KB
MD5

33efafc2055436b75e1b12bdd300dc20
SHA1

d77141d07c91f84ba2128c8662986b170911ef89
SHA256

e527a44bf89d0c998f4d5a0a36ce040133f735e14118a383593c9bc5c2decaed
SHA512

d75099528f25ba55d2e9eb24688e94d6238ede1a6eeaca41f72bf6c082f986c9034cc10d907465af9e5c0f73cb34bc8fce46fffc866e7b04cb2151fb8b443bab
SSDEEP

3072:9+9XMCDCQ3j4EJSHkUVwtCJXeex7rrIRZK8K8/kv:o9XMe3AkUVwtmeetrIyR

Score

10^/10

backdoor dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Ppahmb32.exePiocecgj.exeCocjiehd.exeOjfcdnjc.exePfandnla.exeEkljpm32.exeFqdbdbna.exeMcabej32.exeLqojclne.exeAfcmfe32.exeCcppmc32.exeFdkdibjp.exeKdmlkfjb.exeLcjldk32.exeOmalpc32.exePpnenlka.exeDnljkk32.exeEdfknb32.exeHjdedepg.exeNcaklhdi.exeKhiofk32.exeCgiohbfi.exeKkpnga32.exeMlifnphl.exeDkcndeen.exeHppeim32.exeObnnnc32.exeMjcngpjh.exeFgcjfbed.exeIlkhog32.exeJjgkab32.exeMcoepkdo.exePmjhlklg.exeEqncnj32.exeEgbken32.exeGacepg32.exeLplfcf32.exeMhckcgpj.exeDglkoeio.exeGglfbkin.exeLefkkg32.exeNchhfild.exeNdnnianm.exeOoangh32.exeHecjke32.exeIhbponja.exeKomhll32.exeMcbpjg32.exeEqiibjlj.exeFilapfbo.exeDkkaiphj.exeAeopfl32.exeBpkdjofm.exeLlngbabj.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ppahmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Piocecgj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cocjiehd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojfcdnjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pfandnla.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ekljpm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqdbdbna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcabej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lqojclne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afcmfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccppmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fdkdibjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdmlkfjb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcjldk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcabej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Omalpc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ppnenlka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dnljkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Edfknb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjdedepg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncaklhdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Khiofk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cgiohbfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkpnga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlifnphl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkcndeen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hppeim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Obnnnc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjcngpjh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fgcjfbed.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgiohbfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnljkk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ilkhog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jjgkab32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcoepkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmjhlklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eqncnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Egbken32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gacepg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lplfcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhckcgpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dglkoeio.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Egbken32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gglfbkin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lefkkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nchhfild.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndnnianm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ooangh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqncnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hecjke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ihbponja.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Komhll32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbpjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqiibjlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Filapfbo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hppeim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ccppmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkaiphj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aeopfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ojfcdnjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bpkdjofm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Khiofk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llngbabj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfandnla.exe

Malware Dropper & Backdoor - Berbew 54 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

Processes:

resource	yara_rule
C:\Windows\SysWOW64\Komhll32.exe	family_berbew
C:\Windows\SysWOW64\Koaagkcb.exe	family_berbew
C:\Windows\SysWOW64\Ljqhkckn.exe	family_berbew
C:\Windows\SysWOW64\Lqojclne.exe	family_berbew
C:\Windows\SysWOW64\Mcbpjg32.exe	family_berbew
C:\Windows\SysWOW64\Mjcngpjh.exe	family_berbew
C:\Windows\SysWOW64\Ncqlkemc.exe	family_berbew
C:\Windows\SysWOW64\Ngqagcag.exe	family_berbew
C:\Windows\SysWOW64\Ojfcdnjc.exe	family_berbew
C:\Windows\SysWOW64\Pfandnla.exe	family_berbew
C:\Windows\SysWOW64\Ppahmb32.exe	family_berbew
C:\Windows\SysWOW64\Aaenbd32.exe	family_berbew
C:\Windows\SysWOW64\Akblfj32.exe	family_berbew
C:\Windows\SysWOW64\Bdojjo32.exe	family_berbew
C:\Windows\SysWOW64\Bphgeo32.exe	family_berbew
C:\Windows\SysWOW64\Bpkdjofm.exe	family_berbew
C:\Windows\SysWOW64\Cponen32.exe	family_berbew
C:\Windows\SysWOW64\Cocjiehd.exe	family_berbew
C:\Windows\SysWOW64\Cpfcfmlp.exe	family_berbew
C:\Windows\SysWOW64\Dojqjdbl.exe	family_berbew
C:\Windows\SysWOW64\Dkcndeen.exe	family_berbew
C:\Windows\SysWOW64\Dglkoeio.exe	family_berbew
C:\Windows\SysWOW64\Eqdpgk32.exe	family_berbew
C:\Windows\SysWOW64\Eqiibjlj.exe	family_berbew
C:\Windows\SysWOW64\Eqncnj32.exe	family_berbew
C:\Windows\SysWOW64\Fkfcqb32.exe	family_berbew
C:\Windows\SysWOW64\Filapfbo.exe	family_berbew
C:\Windows\SysWOW64\Fgcjfbed.exe	family_berbew
C:\Windows\SysWOW64\Fgcjfbed.exe	family_berbew
C:\Windows\SysWOW64\Gnblnlhl.exe	family_berbew
C:\Windows\SysWOW64\Gacepg32.exe	family_berbew
C:\Windows\SysWOW64\Gbbajjlp.exe	family_berbew
C:\Windows\SysWOW64\Hecjke32.exe	family_berbew
C:\Windows\SysWOW64\Ieagmcmq.exe	family_berbew
C:\Windows\SysWOW64\Khiofk32.exe	family_berbew
C:\Windows\SysWOW64\Lplfcf32.exe	family_berbew
C:\Windows\SysWOW64\Nfihbk32.exe	family_berbew
C:\Windows\SysWOW64\Pqbala32.exe	family_berbew
C:\Windows\SysWOW64\Dnljkk32.exe	family_berbew
C:\Windows\SysWOW64\Eajlhg32.exe	family_berbew
C:\Windows\SysWOW64\Fkjfakng.exe	family_berbew
C:\Windows\SysWOW64\Gglfbkin.exe	family_berbew
C:\Windows\SysWOW64\Iencmm32.exe	family_berbew
C:\Windows\SysWOW64\Jjgkab32.exe	family_berbew
C:\Windows\SysWOW64\Jlidpe32.exe	family_berbew
C:\Windows\SysWOW64\Koimbpbc.exe	family_berbew
C:\Windows\SysWOW64\Kdmlkfjb.exe	family_berbew
C:\Windows\SysWOW64\Moalil32.exe	family_berbew
C:\Windows\SysWOW64\Nchhfild.exe	family_berbew
C:\Windows\SysWOW64\Ndnnianm.exe	family_berbew
C:\Windows\SysWOW64\Okolfj32.exe	family_berbew
C:\Windows\SysWOW64\Ooangh32.exe	family_berbew
C:\Windows\SysWOW64\Pmjhlklg.exe	family_berbew
C:\Windows\SysWOW64\Pehjfm32.exe	family_berbew

Executes dropped EXE 64 IoCs

Processes:

Komhll32.exeKoaagkcb.exeLjqhkckn.exeLqojclne.exeMcbpjg32.exeMjcngpjh.exeNcqlkemc.exeNgqagcag.exeOjfcdnjc.exePfandnla.exePpahmb32.exeAaenbd32.exeAkblfj32.exeBdojjo32.exeBphgeo32.exeBpkdjofm.exeCponen32.exeCocjiehd.exeCpfcfmlp.exeDojqjdbl.exeDkcndeen.exeDglkoeio.exeEqdpgk32.exeEqiibjlj.exeEqncnj32.exeFkfcqb32.exeFilapfbo.exeFgcjfbed.exeGnblnlhl.exeGacepg32.exeGbbajjlp.exeHecjke32.exeHbihjifh.exeHppeim32.exeInebjihf.exeIeagmcmq.exeIhbponja.exeJhifomdj.exeJpegkj32.exeKiphjo32.exeKhiofk32.exeLplfcf32.exeMfnhfm32.exeMbgeqmjp.exeMhckcgpj.exeNfihbk32.exeNmhijd32.exeOfegni32.exeOmalpc32.exePqbala32.exePiocecgj.exePpnenlka.exeAmikgpcc.exeAfcmfe32.exeAbmjqe32.exeBmdkcnie.exeBmidnm32.exeCgfbbb32.exeCgiohbfi.exeCcppmc32.exeCacmpj32.exeDkkaiphj.exeDnljkk32.exeDkedonpo.exe

pid	process
2412	Komhll32.exe
1080	Koaagkcb.exe
3408	Ljqhkckn.exe
2120	Lqojclne.exe
3932	Mcbpjg32.exe
4760	Mjcngpjh.exe
4568	Ncqlkemc.exe
4644	Ngqagcag.exe
3068	Ojfcdnjc.exe
2528	Pfandnla.exe
2176	Ppahmb32.exe
5012	Aaenbd32.exe
2324	Akblfj32.exe
3856	Bdojjo32.exe
4152	Bphgeo32.exe
2808	Bpkdjofm.exe
4920	Cponen32.exe
216	Cocjiehd.exe
4376	Cpfcfmlp.exe
2300	Dojqjdbl.exe
3336	Dkcndeen.exe
4020	Dglkoeio.exe
4956	Eqdpgk32.exe
3476	Eqiibjlj.exe
4284	Eqncnj32.exe
3812	Fkfcqb32.exe
2060	Filapfbo.exe
4948	Fgcjfbed.exe
3832	Gnblnlhl.exe
1712	Gacepg32.exe
3504	Gbbajjlp.exe
1244	Hecjke32.exe
2336	Hbihjifh.exe
2096	Hppeim32.exe
2256	Inebjihf.exe
4324	Ieagmcmq.exe
3020	Ihbponja.exe
1240	Jhifomdj.exe
2212	Jpegkj32.exe
2756	Kiphjo32.exe
1488	Khiofk32.exe
2932	Lplfcf32.exe
3404	Mfnhfm32.exe
4816	Mbgeqmjp.exe
2592	Mhckcgpj.exe
1964	Nfihbk32.exe
4484	Nmhijd32.exe
2872	Ofegni32.exe
1512	Omalpc32.exe
4216	Pqbala32.exe
4680	Piocecgj.exe
2660	Ppnenlka.exe
2192	Amikgpcc.exe
2692	Afcmfe32.exe
4656	Abmjqe32.exe
5112	Bmdkcnie.exe
1744	Bmidnm32.exe
3432	Cgfbbb32.exe
1916	Cgiohbfi.exe
3956	Ccppmc32.exe
4988	Cacmpj32.exe
4772	Dkkaiphj.exe
2960	Dnljkk32.exe
3112	Dkedonpo.exe

Drops file in System32 directory 64 IoCs

Processes:

Bpkdjofm.exeDkcndeen.exeJhifomdj.exeGgepalof.exeLefkkg32.exeMlifnphl.exe33efafc2055436b75e1b12bdd300dc20_NeikiAnalytics.exeOjfcdnjc.exeJpegkj32.exeHeepfn32.exeHjdedepg.exeKhfkfedn.exeAfcmfe32.exeEkljpm32.exeIlkhog32.exeGbbajjlp.exeAmikgpcc.exeDkkaiphj.exeLbebilli.exeAaenbd32.exePiocecgj.exeFdkdibjp.exeFjocbhbo.exePehjfm32.exeAcppddig.exeNcqlkemc.exeAkblfj32.exeEqiibjlj.exeGacepg32.exeDnljkk32.exeKiphjo32.exeGcnnllcg.exeFkfcqb32.exeMhckcgpj.exeCcppmc32.exeEajlhg32.exeObfhmd32.exeNgqagcag.exeKhkdad32.exeOkolfj32.exePmjhlklg.exeHppeim32.exeAbmjqe32.exeNchhfild.exeMhpgca32.exeDojqjdbl.exeGnblnlhl.exeIhbponja.exeOmalpc32.exeLacijjgi.exeLklnconj.exeNcaklhdi.exeBphgeo32.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Olaafabl.dll	Bpkdjofm.exe
File created	C:\Windows\SysWOW64\Dglkoeio.exe	Dkcndeen.exe
File created	C:\Windows\SysWOW64\Jpegkj32.exe	Jhifomdj.exe
File created	C:\Windows\SysWOW64\Gggmgk32.exe	Ggepalof.exe
File created	C:\Windows\SysWOW64\Jmgdeb32.dll	Lefkkg32.exe
File created	C:\Windows\SysWOW64\Mhpgca32.exe	Mlifnphl.exe
File created	C:\Windows\SysWOW64\Komhll32.exe	33efafc2055436b75e1b12bdd300dc20_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Hlhefcoo.dll	Ojfcdnjc.exe
File opened for modification	C:\Windows\SysWOW64\Kiphjo32.exe	Jpegkj32.exe
File opened for modification	C:\Windows\SysWOW64\Hjdedepg.exe	Heepfn32.exe
File created	C:\Windows\SysWOW64\Hjfbjdnd.exe	Hjdedepg.exe
File created	C:\Windows\SysWOW64\Kdmlkfjb.exe	Khfkfedn.exe
File opened for modification	C:\Windows\SysWOW64\Pfandnla.exe	Ojfcdnjc.exe
File created	C:\Windows\SysWOW64\Abmjqe32.exe	Afcmfe32.exe
File opened for modification	C:\Windows\SysWOW64\Egbken32.exe	Ekljpm32.exe
File created	C:\Windows\SysWOW64\Idhiii32.exe	Ilkhog32.exe
File created	C:\Windows\SysWOW64\Cponen32.exe	Bpkdjofm.exe
File opened for modification	C:\Windows\SysWOW64\Hecjke32.exe	Gbbajjlp.exe
File created	C:\Windows\SysWOW64\Afcmfe32.exe	Amikgpcc.exe
File created	C:\Windows\SysWOW64\Dnljkk32.exe	Dkkaiphj.exe
File opened for modification	C:\Windows\SysWOW64\Gggmgk32.exe	Ggepalof.exe
File created	C:\Windows\SysWOW64\Hmfchehg.dll	Lbebilli.exe
File opened for modification	C:\Windows\SysWOW64\Akblfj32.exe	Aaenbd32.exe
File created	C:\Windows\SysWOW64\Ppnenlka.exe	Piocecgj.exe
File opened for modification	C:\Windows\SysWOW64\Fqbeoc32.exe	Fdkdibjp.exe
File created	C:\Windows\SysWOW64\Ogeigbeb.dll	Fjocbhbo.exe
File opened for modification	C:\Windows\SysWOW64\Qifbll32.exe	Pehjfm32.exe
File opened for modification	C:\Windows\SysWOW64\Amhdmi32.exe	Acppddig.exe
File opened for modification	C:\Windows\SysWOW64\Ngqagcag.exe	Ncqlkemc.exe
File opened for modification	C:\Windows\SysWOW64\Bdojjo32.exe	Akblfj32.exe
File created	C:\Windows\SysWOW64\Fpmfmgnc.dll	Eqiibjlj.exe
File created	C:\Windows\SysWOW64\Cnnjancb.dll	Gacepg32.exe
File created	C:\Windows\SysWOW64\Hlkbkddd.dll	Piocecgj.exe
File created	C:\Windows\SysWOW64\Iplfokdm.dll	Dnljkk32.exe
File created	C:\Windows\SysWOW64\Gpcpel32.dll	33efafc2055436b75e1b12bdd300dc20_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Khiofk32.exe	Kiphjo32.exe
File created	C:\Windows\SysWOW64\Glbqbe32.dll	Gcnnllcg.exe
File created	C:\Windows\SysWOW64\Lcjldk32.exe	Lefkkg32.exe
File created	C:\Windows\SysWOW64\Filapfbo.exe	Fkfcqb32.exe
File opened for modification	C:\Windows\SysWOW64\Filapfbo.exe	Fkfcqb32.exe
File opened for modification	C:\Windows\SysWOW64\Nfihbk32.exe	Mhckcgpj.exe
File opened for modification	C:\Windows\SysWOW64\Cacmpj32.exe	Ccppmc32.exe
File created	C:\Windows\SysWOW64\Ppkjigdd.dll	Eajlhg32.exe
File opened for modification	C:\Windows\SysWOW64\Okolfj32.exe	Obfhmd32.exe
File created	C:\Windows\SysWOW64\Ojfcdnjc.exe	Ngqagcag.exe
File created	C:\Windows\SysWOW64\Jmjdlb32.dll	Khkdad32.exe
File created	C:\Windows\SysWOW64\Gdojoeki.dll	Okolfj32.exe
File created	C:\Windows\SysWOW64\Pmmeak32.exe	Pmjhlklg.exe
File created	C:\Windows\SysWOW64\Inebjihf.exe	Hppeim32.exe
File created	C:\Windows\SysWOW64\Njlmnj32.dll	Hppeim32.exe
File created	C:\Windows\SysWOW64\Ldbhiiol.dll	Abmjqe32.exe
File created	C:\Windows\SysWOW64\Gglfbkin.exe	Gcnnllcg.exe
File created	C:\Windows\SysWOW64\Gnggfhnm.dll	Nchhfild.exe
File created	C:\Windows\SysWOW64\Qifbll32.exe	Pehjfm32.exe
File created	C:\Windows\SysWOW64\Ffmnibme.dll	Mhpgca32.exe
File created	C:\Windows\SysWOW64\Ndjaei32.dll	Dojqjdbl.exe
File created	C:\Windows\SysWOW64\Gacepg32.exe	Gnblnlhl.exe
File created	C:\Windows\SysWOW64\Jhifomdj.exe	Ihbponja.exe
File opened for modification	C:\Windows\SysWOW64\Khiofk32.exe	Kiphjo32.exe
File opened for modification	C:\Windows\SysWOW64\Pqbala32.exe	Omalpc32.exe
File opened for modification	C:\Windows\SysWOW64\Lklnconj.exe	Lacijjgi.exe
File created	C:\Windows\SysWOW64\Lbebilli.exe	Lklnconj.exe
File created	C:\Windows\SysWOW64\Obfhmd32.exe	Ncaklhdi.exe
File created	C:\Windows\SysWOW64\Jkmmde32.dll	Bphgeo32.exe

Modifies registry class 64 IoCs

Processes:

Dojqjdbl.exeEdfknb32.exeNcaklhdi.exeObfhmd32.exePmmeak32.exeAcppddig.exeObnnnc32.exePilpfm32.exe33efafc2055436b75e1b12bdd300dc20_NeikiAnalytics.exeNcqlkemc.exeJpegkj32.exeOfegni32.exeOmalpc32.exeCgfbbb32.exeQelcamcj.exeLqojclne.exeAbmjqe32.exeKhfkfedn.exeMfnhfm32.exeAfcmfe32.exeCcppmc32.exeFkjfakng.exeHjdedepg.exeBphgeo32.exeHbihjifh.exePiocecgj.exeEajlhg32.exeFqdbdbna.exeCpfcfmlp.exeEqiibjlj.exeEgbken32.exeLefkkg32.exeIeagmcmq.exeJhifomdj.exeLplfcf32.exeGgccllai.exeLacijjgi.exeLjqhkckn.exeCponen32.exeKhiofk32.exeIdhiii32.exeLlngbabj.exeLbebilli.exePfandnla.exeAaenbd32.exeMbgeqmjp.exeFqbeoc32.exeHjfbjdnd.exeJlidpe32.exeIencmm32.exeKhkdad32.exeMcbpjg32.exeBdojjo32.exeGggmgk32.exeMoalil32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dojqjdbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imhcpepk.dll"	Edfknb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lchfjc32.dll"	Ncaklhdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcdfnq32.dll"	Obfhmd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pmmeak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Acppddig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Obnnnc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pilpfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	33efafc2055436b75e1b12bdd300dc20_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ncqlkemc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jpegkj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ofegni32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpkdfd32.dll"	Omalpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cgfbbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifoglp32.dll"	Qelcamcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmpjlk32.dll"	Lqojclne.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Abmjqe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Khfkfedn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpbgeaba.dll"	Mfnhfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aafjpc32.dll"	Afcmfe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ccppmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fohoiloe.dll"	Fkjfakng.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hjdedepg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	33efafc2055436b75e1b12bdd300dc20_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bphgeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlofiddl.dll"	Hbihjifh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Piocecgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Eajlhg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fofobm32.dll"	Fqdbdbna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cpfcfmlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpmfmgnc.dll"	Eqiibjlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiahpo32.dll"	Cgfbbb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Egbken32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lefkkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejcdfahd.dll"	Acppddig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ieagmcmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jhifomdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lplfcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ggccllai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfdklc32.dll"	Lacijjgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmgdeb32.dll"	Lefkkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ljqhkckn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pghien32.dll"	Cponen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjcakafa.dll"	Khiofk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Idhiii32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Llngbabj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmfchehg.dll"	Lbebilli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pfandnla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aaenbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mbgeqmjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fqbeoc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hjfbjdnd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jlidpe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iencmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Khkdad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lqojclne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obqhpfck.dll"	Mcbpjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bdojjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dllfqd32.dll"	Cpfcfmlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hbihjifh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gggmgk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bdojjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Khfkfedn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oqlbphhk.dll"	Moalil32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

33efafc2055436b75e1b12bdd300dc20_NeikiAnalytics.exeKomhll32.exeKoaagkcb.exeLjqhkckn.exeLqojclne.exeMcbpjg32.exeMjcngpjh.exeNcqlkemc.exeNgqagcag.exeOjfcdnjc.exePfandnla.exePpahmb32.exeAaenbd32.exeAkblfj32.exeBdojjo32.exeBphgeo32.exeBpkdjofm.exeCponen32.exeCocjiehd.exeCpfcfmlp.exeDojqjdbl.exeDkcndeen.exe

description	pid	process	target process
PID 4900 wrote to memory of 2412	4900	33efafc2055436b75e1b12bdd300dc20_NeikiAnalytics.exe	Komhll32.exe
PID 4900 wrote to memory of 2412	4900	33efafc2055436b75e1b12bdd300dc20_NeikiAnalytics.exe	Komhll32.exe
PID 4900 wrote to memory of 2412	4900	33efafc2055436b75e1b12bdd300dc20_NeikiAnalytics.exe	Komhll32.exe
PID 2412 wrote to memory of 1080	2412	Komhll32.exe	Koaagkcb.exe
PID 2412 wrote to memory of 1080	2412	Komhll32.exe	Koaagkcb.exe
PID 2412 wrote to memory of 1080	2412	Komhll32.exe	Koaagkcb.exe
PID 1080 wrote to memory of 3408	1080	Koaagkcb.exe	Ljqhkckn.exe
PID 1080 wrote to memory of 3408	1080	Koaagkcb.exe	Ljqhkckn.exe
PID 1080 wrote to memory of 3408	1080	Koaagkcb.exe	Ljqhkckn.exe
PID 3408 wrote to memory of 2120	3408	Ljqhkckn.exe	Lqojclne.exe
PID 3408 wrote to memory of 2120	3408	Ljqhkckn.exe	Lqojclne.exe
PID 3408 wrote to memory of 2120	3408	Ljqhkckn.exe	Lqojclne.exe
PID 2120 wrote to memory of 3932	2120	Lqojclne.exe	Mcbpjg32.exe
PID 2120 wrote to memory of 3932	2120	Lqojclne.exe	Mcbpjg32.exe
PID 2120 wrote to memory of 3932	2120	Lqojclne.exe	Mcbpjg32.exe
PID 3932 wrote to memory of 4760	3932	Mcbpjg32.exe	Mjcngpjh.exe
PID 3932 wrote to memory of 4760	3932	Mcbpjg32.exe	Mjcngpjh.exe
PID 3932 wrote to memory of 4760	3932	Mcbpjg32.exe	Mjcngpjh.exe
PID 4760 wrote to memory of 4568	4760	Mjcngpjh.exe	Ncqlkemc.exe
PID 4760 wrote to memory of 4568	4760	Mjcngpjh.exe	Ncqlkemc.exe
PID 4760 wrote to memory of 4568	4760	Mjcngpjh.exe	Ncqlkemc.exe
PID 4568 wrote to memory of 4644	4568	Ncqlkemc.exe	Ngqagcag.exe
PID 4568 wrote to memory of 4644	4568	Ncqlkemc.exe	Ngqagcag.exe
PID 4568 wrote to memory of 4644	4568	Ncqlkemc.exe	Ngqagcag.exe
PID 4644 wrote to memory of 3068	4644	Ngqagcag.exe	Ojfcdnjc.exe
PID 4644 wrote to memory of 3068	4644	Ngqagcag.exe	Ojfcdnjc.exe
PID 4644 wrote to memory of 3068	4644	Ngqagcag.exe	Ojfcdnjc.exe
PID 3068 wrote to memory of 2528	3068	Ojfcdnjc.exe	Pfandnla.exe
PID 3068 wrote to memory of 2528	3068	Ojfcdnjc.exe	Pfandnla.exe
PID 3068 wrote to memory of 2528	3068	Ojfcdnjc.exe	Pfandnla.exe
PID 2528 wrote to memory of 2176	2528	Pfandnla.exe	Ppahmb32.exe
PID 2528 wrote to memory of 2176	2528	Pfandnla.exe	Ppahmb32.exe
PID 2528 wrote to memory of 2176	2528	Pfandnla.exe	Ppahmb32.exe
PID 2176 wrote to memory of 5012	2176	Ppahmb32.exe	Aaenbd32.exe
PID 2176 wrote to memory of 5012	2176	Ppahmb32.exe	Aaenbd32.exe
PID 2176 wrote to memory of 5012	2176	Ppahmb32.exe	Aaenbd32.exe
PID 5012 wrote to memory of 2324	5012	Aaenbd32.exe	Akblfj32.exe
PID 5012 wrote to memory of 2324	5012	Aaenbd32.exe	Akblfj32.exe
PID 5012 wrote to memory of 2324	5012	Aaenbd32.exe	Akblfj32.exe
PID 2324 wrote to memory of 3856	2324	Akblfj32.exe	Bdojjo32.exe
PID 2324 wrote to memory of 3856	2324	Akblfj32.exe	Bdojjo32.exe
PID 2324 wrote to memory of 3856	2324	Akblfj32.exe	Bdojjo32.exe
PID 3856 wrote to memory of 4152	3856	Bdojjo32.exe	Bphgeo32.exe
PID 3856 wrote to memory of 4152	3856	Bdojjo32.exe	Bphgeo32.exe
PID 3856 wrote to memory of 4152	3856	Bdojjo32.exe	Bphgeo32.exe
PID 4152 wrote to memory of 2808	4152	Bphgeo32.exe	Bpkdjofm.exe
PID 4152 wrote to memory of 2808	4152	Bphgeo32.exe	Bpkdjofm.exe
PID 4152 wrote to memory of 2808	4152	Bphgeo32.exe	Bpkdjofm.exe
PID 2808 wrote to memory of 4920	2808	Bpkdjofm.exe	Cponen32.exe
PID 2808 wrote to memory of 4920	2808	Bpkdjofm.exe	Cponen32.exe
PID 2808 wrote to memory of 4920	2808	Bpkdjofm.exe	Cponen32.exe
PID 4920 wrote to memory of 216	4920	Cponen32.exe	Cocjiehd.exe
PID 4920 wrote to memory of 216	4920	Cponen32.exe	Cocjiehd.exe
PID 4920 wrote to memory of 216	4920	Cponen32.exe	Cocjiehd.exe
PID 216 wrote to memory of 4376	216	Cocjiehd.exe	Cpfcfmlp.exe
PID 216 wrote to memory of 4376	216	Cocjiehd.exe	Cpfcfmlp.exe
PID 216 wrote to memory of 4376	216	Cocjiehd.exe	Cpfcfmlp.exe
PID 4376 wrote to memory of 2300	4376	Cpfcfmlp.exe	Dojqjdbl.exe
PID 4376 wrote to memory of 2300	4376	Cpfcfmlp.exe	Dojqjdbl.exe
PID 4376 wrote to memory of 2300	4376	Cpfcfmlp.exe	Dojqjdbl.exe
PID 2300 wrote to memory of 3336	2300	Dojqjdbl.exe	Dkcndeen.exe
PID 2300 wrote to memory of 3336	2300	Dojqjdbl.exe	Dkcndeen.exe
PID 2300 wrote to memory of 3336	2300	Dojqjdbl.exe	Dkcndeen.exe
PID 3336 wrote to memory of 4020	3336	Dkcndeen.exe	Dglkoeio.exe

C:\Users\Admin\AppData\Local\Temp\33efafc2055436b75e1b12bdd300dc20_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\33efafc2055436b75e1b12bdd300dc20_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4900

C:\Windows\SysWOW64\Komhll32.exe
C:\Windows\system32\Komhll32.exe
2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2412

C:\Windows\SysWOW64\Koaagkcb.exe
C:\Windows\system32\Koaagkcb.exe
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1080

C:\Windows\SysWOW64\Ljqhkckn.exe
C:\Windows\system32\Ljqhkckn.exe
4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3408

C:\Windows\SysWOW64\Lqojclne.exe
C:\Windows\system32\Lqojclne.exe
5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2120

C:\Windows\SysWOW64\Mcbpjg32.exe
C:\Windows\system32\Mcbpjg32.exe
6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3932

C:\Windows\SysWOW64\Mjcngpjh.exe
C:\Windows\system32\Mjcngpjh.exe
7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4760

C:\Windows\SysWOW64\Ncqlkemc.exe
C:\Windows\system32\Ncqlkemc.exe
8⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4568

C:\Windows\SysWOW64\Ngqagcag.exe
C:\Windows\system32\Ngqagcag.exe
9⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4644

C:\Windows\SysWOW64\Ojfcdnjc.exe
C:\Windows\system32\Ojfcdnjc.exe
10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3068

C:\Windows\SysWOW64\Pfandnla.exe
C:\Windows\system32\Pfandnla.exe
11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2528

C:\Windows\SysWOW64\Ppahmb32.exe
C:\Windows\system32\Ppahmb32.exe
12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2176

C:\Windows\SysWOW64\Aaenbd32.exe
C:\Windows\system32\Aaenbd32.exe
13⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5012

C:\Windows\SysWOW64\Akblfj32.exe
C:\Windows\system32\Akblfj32.exe
14⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2324

C:\Windows\SysWOW64\Bdojjo32.exe
C:\Windows\system32\Bdojjo32.exe
15⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3856

C:\Windows\SysWOW64\Bphgeo32.exe
C:\Windows\system32\Bphgeo32.exe
16⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4152

C:\Windows\SysWOW64\Bpkdjofm.exe
C:\Windows\system32\Bpkdjofm.exe
17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2808

C:\Windows\SysWOW64\Cponen32.exe
C:\Windows\system32\Cponen32.exe
18⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4920

C:\Windows\SysWOW64\Cocjiehd.exe
C:\Windows\system32\Cocjiehd.exe
19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:216

C:\Windows\SysWOW64\Cpfcfmlp.exe
C:\Windows\system32\Cpfcfmlp.exe
20⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4376

C:\Windows\SysWOW64\Dojqjdbl.exe
C:\Windows\system32\Dojqjdbl.exe
21⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2300

C:\Windows\SysWOW64\Dkcndeen.exe
C:\Windows\system32\Dkcndeen.exe
22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3336

C:\Windows\SysWOW64\Dglkoeio.exe
C:\Windows\system32\Dglkoeio.exe
23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4020

C:\Windows\SysWOW64\Eqdpgk32.exe
C:\Windows\system32\Eqdpgk32.exe
24⤵
- Executes dropped EXE
PID:4956

C:\Windows\SysWOW64\Eqiibjlj.exe
C:\Windows\system32\Eqiibjlj.exe
25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3476

C:\Windows\SysWOW64\Eqncnj32.exe
C:\Windows\system32\Eqncnj32.exe
26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4284

C:\Windows\SysWOW64\Fkfcqb32.exe
C:\Windows\system32\Fkfcqb32.exe
27⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3812

C:\Windows\SysWOW64\Filapfbo.exe
C:\Windows\system32\Filapfbo.exe
28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2060

C:\Windows\SysWOW64\Fgcjfbed.exe
C:\Windows\system32\Fgcjfbed.exe
29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4948

C:\Windows\SysWOW64\Gnblnlhl.exe
C:\Windows\system32\Gnblnlhl.exe
30⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3832

C:\Windows\SysWOW64\Gacepg32.exe
C:\Windows\system32\Gacepg32.exe
31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1712

C:\Windows\SysWOW64\Gbbajjlp.exe
C:\Windows\system32\Gbbajjlp.exe
32⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3504

C:\Windows\SysWOW64\Hecjke32.exe
C:\Windows\system32\Hecjke32.exe
33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1244

C:\Windows\SysWOW64\Hbihjifh.exe
C:\Windows\system32\Hbihjifh.exe
34⤵
- Executes dropped EXE
- Modifies registry class
PID:2336

C:\Windows\SysWOW64\Hppeim32.exe
C:\Windows\system32\Hppeim32.exe
35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2096

C:\Windows\SysWOW64\Inebjihf.exe
C:\Windows\system32\Inebjihf.exe
36⤵
- Executes dropped EXE
PID:2256

C:\Windows\SysWOW64\Ieagmcmq.exe
C:\Windows\system32\Ieagmcmq.exe
37⤵
- Executes dropped EXE
- Modifies registry class
PID:4324

C:\Windows\SysWOW64\Ihbponja.exe
C:\Windows\system32\Ihbponja.exe
38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3020

C:\Windows\SysWOW64\Jhifomdj.exe
C:\Windows\system32\Jhifomdj.exe
39⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1240

C:\Windows\SysWOW64\Jpegkj32.exe
C:\Windows\system32\Jpegkj32.exe
40⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2212

C:\Windows\SysWOW64\Kiphjo32.exe
C:\Windows\system32\Kiphjo32.exe
41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2756

C:\Windows\SysWOW64\Khiofk32.exe
C:\Windows\system32\Khiofk32.exe
42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1488

C:\Windows\SysWOW64\Lplfcf32.exe
C:\Windows\system32\Lplfcf32.exe
43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2932

C:\Windows\SysWOW64\Mfnhfm32.exe
C:\Windows\system32\Mfnhfm32.exe
44⤵
- Executes dropped EXE
- Modifies registry class
PID:3404

C:\Windows\SysWOW64\Mbgeqmjp.exe
C:\Windows\system32\Mbgeqmjp.exe
45⤵
- Executes dropped EXE
- Modifies registry class
PID:4816

C:\Windows\SysWOW64\Mhckcgpj.exe
C:\Windows\system32\Mhckcgpj.exe
46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2592

C:\Windows\SysWOW64\Nfihbk32.exe
C:\Windows\system32\Nfihbk32.exe
47⤵
- Executes dropped EXE
PID:1964

C:\Windows\SysWOW64\Nmhijd32.exe
C:\Windows\system32\Nmhijd32.exe
48⤵
- Executes dropped EXE
PID:4484

C:\Windows\SysWOW64\Ofegni32.exe
C:\Windows\system32\Ofegni32.exe
49⤵
- Executes dropped EXE
- Modifies registry class
PID:2872

C:\Windows\SysWOW64\Omalpc32.exe
C:\Windows\system32\Omalpc32.exe
50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1512

C:\Windows\SysWOW64\Pqbala32.exe
C:\Windows\system32\Pqbala32.exe
51⤵
- Executes dropped EXE
PID:4216

C:\Windows\SysWOW64\Piocecgj.exe
C:\Windows\system32\Piocecgj.exe
52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4680

C:\Windows\SysWOW64\Ppnenlka.exe
C:\Windows\system32\Ppnenlka.exe
53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2660

C:\Windows\SysWOW64\Amikgpcc.exe
C:\Windows\system32\Amikgpcc.exe
54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2192

C:\Windows\SysWOW64\Afcmfe32.exe
C:\Windows\system32\Afcmfe32.exe
55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2692

C:\Windows\SysWOW64\Abmjqe32.exe
C:\Windows\system32\Abmjqe32.exe
56⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4656

C:\Windows\SysWOW64\Bmdkcnie.exe
C:\Windows\system32\Bmdkcnie.exe
57⤵
- Executes dropped EXE
PID:5112

C:\Windows\SysWOW64\Bmidnm32.exe
C:\Windows\system32\Bmidnm32.exe
58⤵
- Executes dropped EXE
PID:1744

C:\Windows\SysWOW64\Cgfbbb32.exe
C:\Windows\system32\Cgfbbb32.exe
59⤵
- Executes dropped EXE
- Modifies registry class
PID:3432

C:\Windows\SysWOW64\Cgiohbfi.exe
C:\Windows\system32\Cgiohbfi.exe
60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1916

C:\Windows\SysWOW64\Ccppmc32.exe
C:\Windows\system32\Ccppmc32.exe
61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3956

C:\Windows\SysWOW64\Cacmpj32.exe
C:\Windows\system32\Cacmpj32.exe
62⤵
- Executes dropped EXE
PID:4988

C:\Windows\SysWOW64\Dkkaiphj.exe
C:\Windows\system32\Dkkaiphj.exe
63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4772

C:\Windows\SysWOW64\Dnljkk32.exe
C:\Windows\system32\Dnljkk32.exe
64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2960

C:\Windows\SysWOW64\Dkedonpo.exe
C:\Windows\system32\Dkedonpo.exe
65⤵
- Executes dropped EXE
PID:3112

C:\Windows\SysWOW64\Epdime32.exe
C:\Windows\system32\Epdime32.exe
66⤵
PID:1948

C:\Windows\SysWOW64\Ekljpm32.exe
C:\Windows\system32\Ekljpm32.exe
67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2972

C:\Windows\SysWOW64\Egbken32.exe
C:\Windows\system32\Egbken32.exe
68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5124

C:\Windows\SysWOW64\Edfknb32.exe
C:\Windows\system32\Edfknb32.exe
69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5168

C:\Windows\SysWOW64\Eajlhg32.exe
C:\Windows\system32\Eajlhg32.exe
70⤵
- Drops file in System32 directory
- Modifies registry class
PID:5208

C:\Windows\SysWOW64\Fdkdibjp.exe
C:\Windows\system32\Fdkdibjp.exe
71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5252

C:\Windows\SysWOW64\Fqbeoc32.exe
C:\Windows\system32\Fqbeoc32.exe
72⤵
- Modifies registry class
PID:5296

C:\Windows\SysWOW64\Fqdbdbna.exe
C:\Windows\system32\Fqdbdbna.exe
73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5344

C:\Windows\SysWOW64\Fkjfakng.exe
C:\Windows\system32\Fkjfakng.exe
74⤵
- Modifies registry class
PID:5388

C:\Windows\SysWOW64\Fjocbhbo.exe
C:\Windows\system32\Fjocbhbo.exe
75⤵
- Drops file in System32 directory
PID:5440

C:\Windows\SysWOW64\Ggccllai.exe
C:\Windows\system32\Ggccllai.exe
76⤵
- Modifies registry class
PID:5508

C:\Windows\SysWOW64\Ggepalof.exe
C:\Windows\system32\Ggepalof.exe
77⤵
- Drops file in System32 directory
PID:5556

C:\Windows\SysWOW64\Gggmgk32.exe
C:\Windows\system32\Gggmgk32.exe
78⤵
- Modifies registry class
PID:5600

C:\Windows\SysWOW64\Gcnnllcg.exe
C:\Windows\system32\Gcnnllcg.exe
79⤵
- Drops file in System32 directory
PID:5644

C:\Windows\SysWOW64\Gglfbkin.exe
C:\Windows\system32\Gglfbkin.exe
80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5688

C:\Windows\SysWOW64\Heepfn32.exe
C:\Windows\system32\Heepfn32.exe
81⤵
- Drops file in System32 directory
PID:5736

C:\Windows\SysWOW64\Hjdedepg.exe
C:\Windows\system32\Hjdedepg.exe
82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:5784

C:\Windows\SysWOW64\Hjfbjdnd.exe
C:\Windows\system32\Hjfbjdnd.exe
83⤵
- Modifies registry class
PID:5828

C:\Windows\SysWOW64\Iencmm32.exe
C:\Windows\system32\Iencmm32.exe
84⤵
- Modifies registry class
PID:5872

C:\Windows\SysWOW64\Ilkhog32.exe
C:\Windows\system32\Ilkhog32.exe
85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5916

C:\Windows\SysWOW64\Idhiii32.exe
C:\Windows\system32\Idhiii32.exe
86⤵
- Modifies registry class
PID:5960

C:\Windows\SysWOW64\Jaljbmkd.exe
C:\Windows\system32\Jaljbmkd.exe
87⤵
PID:6004

C:\Windows\SysWOW64\Jjgkab32.exe
C:\Windows\system32\Jjgkab32.exe
88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6048

C:\Windows\SysWOW64\Jlfhke32.exe
C:\Windows\system32\Jlfhke32.exe
89⤵
PID:6092

C:\Windows\SysWOW64\Jlidpe32.exe
C:\Windows\system32\Jlidpe32.exe
90⤵
- Modifies registry class
PID:6140

C:\Windows\SysWOW64\Koimbpbc.exe
C:\Windows\system32\Koimbpbc.exe
91⤵
PID:5164

C:\Windows\SysWOW64\Kkpnga32.exe
C:\Windows\system32\Kkpnga32.exe
92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5236

C:\Windows\SysWOW64\Kkbkmqed.exe
C:\Windows\system32\Kkbkmqed.exe
93⤵
PID:5308

C:\Windows\SysWOW64\Khfkfedn.exe
C:\Windows\system32\Khfkfedn.exe
94⤵
- Drops file in System32 directory
- Modifies registry class
PID:5380

C:\Windows\SysWOW64\Kdmlkfjb.exe
C:\Windows\system32\Kdmlkfjb.exe
95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5452

C:\Windows\SysWOW64\Khkdad32.exe
C:\Windows\system32\Khkdad32.exe
96⤵
- Drops file in System32 directory
- Modifies registry class
PID:5540

C:\Windows\SysWOW64\Lacijjgi.exe
C:\Windows\system32\Lacijjgi.exe
97⤵
- Drops file in System32 directory
- Modifies registry class
PID:5636

C:\Windows\SysWOW64\Lklnconj.exe
C:\Windows\system32\Lklnconj.exe
98⤵
- Drops file in System32 directory
PID:5772

C:\Windows\SysWOW64\Lbebilli.exe
C:\Windows\system32\Lbebilli.exe
99⤵
- Drops file in System32 directory
- Modifies registry class
PID:5844

C:\Windows\SysWOW64\Llngbabj.exe
C:\Windows\system32\Llngbabj.exe
100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5988

C:\Windows\SysWOW64\Lefkkg32.exe
C:\Windows\system32\Lefkkg32.exe
101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:6056

C:\Windows\SysWOW64\Lcjldk32.exe
C:\Windows\system32\Lcjldk32.exe
102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2344

C:\Windows\SysWOW64\Moalil32.exe
C:\Windows\system32\Moalil32.exe
103⤵
- Modifies registry class
PID:5280

C:\Windows\SysWOW64\Mcoepkdo.exe
C:\Windows\system32\Mcoepkdo.exe
104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5428

C:\Windows\SysWOW64\Mcabej32.exe
C:\Windows\system32\Mcabej32.exe
105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5568

C:\Windows\SysWOW64\Mlifnphl.exe
C:\Windows\system32\Mlifnphl.exe
106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5776

C:\Windows\SysWOW64\Mhpgca32.exe
C:\Windows\system32\Mhpgca32.exe
107⤵
- Drops file in System32 directory
PID:5976

C:\Windows\SysWOW64\Nchhfild.exe
C:\Windows\system32\Nchhfild.exe
108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:6128

C:\Windows\SysWOW64\Nkeipk32.exe
C:\Windows\system32\Nkeipk32.exe
109⤵
PID:4552

C:\Windows\SysWOW64\Ndnnianm.exe
C:\Windows\system32\Ndnnianm.exe
110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5372

C:\Windows\SysWOW64\Ncaklhdi.exe
C:\Windows\system32\Ncaklhdi.exe
111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:5624

C:\Windows\SysWOW64\Obfhmd32.exe
C:\Windows\system32\Obfhmd32.exe
112⤵
- Drops file in System32 directory
- Modifies registry class
PID:5952

C:\Windows\SysWOW64\Okolfj32.exe
C:\Windows\system32\Okolfj32.exe
113⤵
- Drops file in System32 directory
PID:5024

C:\Windows\SysWOW64\Ochamg32.exe
C:\Windows\system32\Ochamg32.exe
114⤵
PID:1996

C:\Windows\SysWOW64\Obnnnc32.exe
C:\Windows\system32\Obnnnc32.exe
115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5968

C:\Windows\SysWOW64\Ooangh32.exe
C:\Windows\system32\Ooangh32.exe
116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5396

C:\Windows\SysWOW64\Pilpfm32.exe
C:\Windows\system32\Pilpfm32.exe
117⤵
- Modifies registry class
PID:6040

C:\Windows\SysWOW64\Pmjhlklg.exe
C:\Windows\system32\Pmjhlklg.exe
118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:4424

C:\Windows\SysWOW64\Pmmeak32.exe
C:\Windows\system32\Pmmeak32.exe
119⤵
- Modifies registry class
PID:6060

C:\Windows\SysWOW64\Pehjfm32.exe
C:\Windows\system32\Pehjfm32.exe
120⤵
- Drops file in System32 directory
PID:6156

C:\Windows\SysWOW64\Qifbll32.exe
C:\Windows\system32\Qifbll32.exe
121⤵
PID:6204

C:\Windows\SysWOW64\Qelcamcj.exe
C:\Windows\system32\Qelcamcj.exe
122⤵
- Modifies registry class
PID:6248

C:\Windows\SysWOW64\Aeopfl32.exe
C:\Windows\system32\Aeopfl32.exe
123⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6292

C:\Windows\SysWOW64\Acppddig.exe
C:\Windows\system32\Acppddig.exe
124⤵
- Drops file in System32 directory
- Modifies registry class
PID:6336

C:\Windows\SysWOW64\Amhdmi32.exe
C:\Windows\system32\Amhdmi32.exe
125⤵
PID:6380

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3612 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:8
1⤵
PID:6568

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aaenbd32.exe
Filesize
161KB

MD5
1016ce1afe977b04dec002c31d240ed2

SHA1
6c3109d11c7a68e87518907d2f49c5a91b7829b9

SHA256
f7ee3455e004092e0b87432263c206e399ec601bd2ebe27732b736ced7cf20c3

SHA512
745abf6754ce02a7317b10110f2b1bc1673e957b5a86621d6a4f843af79655e96294efa6b4751c126b416f17d04912132548839ddf4f742d5d1232c03eed3bf9

Download Submit
C:\Windows\SysWOW64\Akblfj32.exe
Filesize
161KB

MD5
dbaae08185a5ca5b7b5821688e74a5e3

SHA1
02821d4e20426eea0c6586d6569f31b43b68dfdf

SHA256
58719f2cdc68e6406da6910f7ef64ed795053e514cacb18493702258181adfbf

SHA512
eb5277ebc7a4f8db9e6e52c84eaeb0814eff08814f1230adbe81579326528667ca5c08a242b12386429698fc2704b2bae2b0f2fb076ae1d775496f7b19b798ec

Download Submit
C:\Windows\SysWOW64\Bdojjo32.exe
Filesize
161KB

MD5
0640fe514c0c5668849b7f869d089db7

SHA1
158ba9315528d354396c67fcd4043d83970ef71a

SHA256
42f765d93e72ab9ec84f8893de73c5e2ccf8394287ac0271474a079b5a94f854

SHA512
cafc940ca4d96415a60e425667a64906e87899dabba1e6f588a3173b43fe6246401359945899a042722d8d2a8edb5a771532b436d14fe8123e9a16e654df39cc

Download Submit
C:\Windows\SysWOW64\Bphgeo32.exe
Filesize
161KB

MD5
fd156daf996fbb394ae1db29fca52b11

SHA1
9289ea0c5a176b9b157e9871f81db04e1b95969f

SHA256
c3979853417431e5436bdce19ca3611f9d83e1048e155a0ceb686d1b196eaf04

SHA512
5feb5e353c3c07dc84444d15c569073c9580f1d53d57f324d6db21a881220cf00732f7fcd4c55d56a7c563caae9011a6c2ed9fffaf122ce524a0a906e54ff6b8

Download Submit
C:\Windows\SysWOW64\Bpkdjofm.exe
Filesize
161KB

MD5
0812c0bda2f635f8c13f256d1e74a586

SHA1
91ce02f0f4877af16954d4fb85ee70e9462fec0c

SHA256
18657f35c77a5c48ccaaf911d9d1a12fce1992d1507d67e7298c991da3d9b870

SHA512
8a354ffc3b61448ed17f9244bb209cf998664d5c5d2b4c8859be6047577a6818586600adc7ccf20a3f43b537a8388a31ca63e265f5fbb40145387aa15fc68c53

Download Submit
C:\Windows\SysWOW64\Cocjiehd.exe
Filesize
161KB

MD5
a7d73b5c72546429c5834e1bf690d925

SHA1
03182a7695e171c2a80479672d45dc7c5336c561

SHA256
3fac59e3217954a348a88e0b3bdeacfb1dbd020211b8b0521a0082ba2d88b583

SHA512
01750656327bab0746c9556bd4b468d0c7206e353ccc797b30a15340b7c998b98b552457628af6738154e63c1f50b8a99c950632a7d07f3ba1f8ce9bd5cbc4ee

Download Submit
C:\Windows\SysWOW64\Cpfcfmlp.exe
Filesize
161KB

MD5
7951820ad67113c2c61d8924772e8363

SHA1
8c5cf22a9aba3f295e35c88ed76d0b77ebce8f91

SHA256
78142976b4d594e05a818a05a027b784a5c5062cf8a594a084094299f7666919

SHA512
9fc89cfb0cceccc3cec795360e51c692551798e3de40af8a725c5f8e58ee3705e702bb51a161ecb69d60f344a1b72f16d4ab9928ef7f661000b78a179c9e911d

Download Submit
C:\Windows\SysWOW64\Cponen32.exe
Filesize
161KB

MD5
be1da72bc39b292fa08677094426ae5e

SHA1
2647e171acbe80cf55092fe52fd157d0a1a5b825

SHA256
7a031faf83654c49983d04f448ebe8bf0686833f598b3ebf18ac4ccb305d3ebc

SHA512
e8825a4beaa4ed4071fe2fde7de575f8ca4b9da6c18e87e12199dd3268431f431ccfd2ce68d7bbbd34dbaf21c42913f5958750d3c8df9cc29ebbb0c93dcbb8cb

Download Submit
C:\Windows\SysWOW64\Dglkoeio.exe
Filesize
161KB

MD5
364697829428ab471f490ab108831779

SHA1
ddb61a580f066f0ae42be4a440c57d0bd6995184

SHA256
50aa1298e9bea60d3c0191ecbf5050e37f384ded4e66ad22d803cdb7d2b85c96

SHA512
a822313077d9c0a380e6ecd4a78a61d850cd5597dbc799dfe36c1802c2e68902f25286e4be8ff173d200244fa0abeeda5f620988a78fbbf18172f0c36376201e

Download Submit
C:\Windows\SysWOW64\Dkcndeen.exe
Filesize
161KB

MD5
2a480c07ef4448e31d177940dd09cf31

SHA1
a6fa2cf4265105b60278074d527fe35af381f7af

SHA256
13bd7133b8cf0af7ad3a8807dce55fffea7c56e66e5df1381051a97590144176

SHA512
f3924dcd23cbca6df83672bedcbfbf09235f359d5885f140445f526cf5363947263d48381b64acdd5d5d699ca84a826e4fc33a0da8ee0776877c594b6f4043e8

Download Submit
C:\Windows\SysWOW64\Dnljkk32.exe
Filesize
161KB

MD5
e340b81837925420edaf4d5b0bbb46dc

SHA1
905274334ec299a8e497d21e896207f9d513e27f

SHA256
e2a16b75e705cdc8fa1361ef1ec6a256b8d3863baf81c54513acc7617406d8a7

SHA512
f3465e1b0a7f6ef86413f9a4aff073840240b93f938ea485742093995b0a9aa3e7d6f77fc932aeab659874c0dd48f8d41a486a21c8746a459ceed5225826e8b1

Download Submit
C:\Windows\SysWOW64\Dojqjdbl.exe
Filesize
161KB

MD5
3865905157b8dc0b8706628b6cd37c29

SHA1
7d36ca29cf435bd639a2032771e26df0d67bc79f

SHA256
aa18fba38fc5c45454dd2d913a331e2b1c725ac046bde23a4aa9ea631e3724b1

SHA512
c7444e896894da2a3ec882da88924a9d62997d67cd10c0b50d212aa26729b349180cbf5bb25f417c644d60e46cb3a1724f7ddc34df45bc82071b33a133e844cc

Download Submit
C:\Windows\SysWOW64\Eajlhg32.exe
Filesize
161KB

MD5
2e39f784d5295002f4608f23432d1050

SHA1
1ac19ab12ff8c30ee976aba5bd46edb56f4b18cf

SHA256
19ef58aad667cd5edb9d9998c4640b10bf6ea7fecf81a822d78b29bdddb2bb62

SHA512
8bac9e33d6f8143c747c0e4ea1ceb9575a7016dc61759f7f3c83ee21fea4d633ce344089eb226feb3aa79144e2b060f1d0eddd2ea438fbe8efc90dec77a25e4f

Download Submit
C:\Windows\SysWOW64\Eqdpgk32.exe
Filesize
161KB

MD5
96948cc66dc63c063f66e8c495f42208

SHA1
c3d6e615b7fb631d76fc180d886a1978ca564f96

SHA256
8fe52d8e5e6aa4d1aa7e2cfb42296295c3a5349c3f5a7f4b42469a5c6e25f577

SHA512
32347e8c9b1e13657e2bd996690f48def182ce90c794487f882d6d4670bf067ead202fd9ce903d3e2e6ffd200fa647cc119b11d0652f81594448bd5a47908c60

Download Submit
C:\Windows\SysWOW64\Eqiibjlj.exe
Filesize
161KB

MD5
ec4743f311ec0b1b0ad49a4a11437699

SHA1
36b4a712bb094f3f759bdb39c0bbe5b4e0059697

SHA256
3ff6c859ad0537efc013ca5fab786d65d3561b6e70ea3c0f6bbb5cf53783038a

SHA512
410f39a38247880cb782ede9dedfe698129627c437921c780b21ab33da843443afebf25cddf50edac69b39f53259f9cbc3579bbda041df380c7d67da93dc4512

Download Submit
C:\Windows\SysWOW64\Eqncnj32.exe
Filesize
161KB

MD5
2c58ee2182ccdee448e75091f758b893

SHA1
9e62e03fe0a44c221ff9d6542b880c449845cd5c

SHA256
1e7ea4522504d12078670f2131279b2b99028ca9b16cfd3e6e09c6dff33f3104

SHA512
38c87dde216f5f5e5cf80d26091e9cf88c5fcbc4d9e1fe8c7c41d05be82c98f4f542b039403d9d5bce2d3a82f5c999f73c7ccbe73549d0dcfe1052f2ea983753

Download Submit
C:\Windows\SysWOW64\Fdkdibjp.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\SysWOW64\Fgcjfbed.exe
Filesize
161KB

MD5
0758034d8a5ce764bdcd66fe24593843

SHA1
311ad60d073d9be981bddf98dfa09641c7f304de

SHA256
7c939496f58df531b30d73e873529dc4d13d9c164a129312905a388d66c7a1d8

SHA512
7c8fedd7f6c2597bb02da74f9c3aefdaf7cd39d4356265bd85e9b51417492cd369dd38b8447f7db88febd95525f389c4f92796ea650d72947c726395d7b1971b

Download Submit
C:\Windows\SysWOW64\Fgcjfbed.exe
Filesize
161KB

MD5
9c38f69c3a52e5aa64b8c81e50511d76

SHA1
156378cecd2c95f20264dbdf077a701e8a4ca5f2

SHA256
81563724a382240b132fbfb749d16cf29ffb8a86556240b731b6ac6120dc8c18

SHA512
967a51d9f4cbd52175e8af9af8556bfd7c24ec8f4c29a92b155c9f3ef0b22ffd47327774d0b552813e551d3196a0649d9f877e02bae8e6779c43c97d14deb376

Download Submit
C:\Windows\SysWOW64\Filapfbo.exe
Filesize
161KB

MD5
f41b001b43993d13f72f7fa95a1c7cdc

SHA1
490c61d814b9f12df2400d531212f82816451d74

SHA256
83c906398e7e75ae394ff4e69be4263c4f001cf1ddb9670dff33d5e212d7137a

SHA512
d664e09467460f75a348e39638d0be23f6354b339cffe736be729bdf737053cfcff16f99b0fe2db4a3712e0f9924eb941109594cb726f4dd66c14fb77695f7c6

Download Submit
C:\Windows\SysWOW64\Fkfcqb32.exe
Filesize
161KB

MD5
71d14c850e7e9e507277ec961b218395

SHA1
1c17ec0a6f76aae5af06fa29328a2d173e6a775f

SHA256
b97fcf8175d6c10c2912553e677abd051edd2a25a212eb0e1a3e7690b3420b93

SHA512
a816f4126acd27d211151c917f40624cfa7d5058540802c79abe135af0f03ddbf107cf23510f63a10ec422e8898644f1488834c0bdc95e1f59c602450489d1df

Download Submit
C:\Windows\SysWOW64\Fkjfakng.exe
Filesize
161KB

MD5
e7483c16c145a1333a962ac71ab87a92

SHA1
fc39c06dc912307eddcf4c744ef2741e12adf3b0

SHA256
b1e4083514161bdb159a6e69c0e7bf30e51153aa974b45735331cee4206114e3

SHA512
f1e7dde6c527557c076b0df3a65a0efe0482229d14fc70b88ac6cec9f6af42f35c473d24b2266e5f14c2fdab5c7a5fa22cb7266664f7dabcacbc6c9a99a22e9e

Download Submit
C:\Windows\SysWOW64\Gacepg32.exe
Filesize
161KB

MD5
cc622282095617db83ff096b046fdafc

SHA1
512ae3f54d148c96530acb3cf8be429ef1d1dd64

SHA256
3fc96dfa7ce010dc8120c61da3c4b849c72b19f6758e9da1b357cbd10988679a

SHA512
e792ddcbcf4b492249617019bd3d30a528c2f197f3aedd41229d66fac8d9c13e697ac3c052c2c225654f4bfab2edbb76ca585de8b2ed80bb0f62a4388e8715be

Download Submit
C:\Windows\SysWOW64\Gbbajjlp.exe
Filesize
161KB

MD5
3c88060eea009354d01bacb9db4ee568

SHA1
1757f66612aa5b3ba2553694a5c820539a3d340d

SHA256
0d1c72650bbed71f0615c2ada37552d5e6af9696e100047a906ac226f8d0eb95

SHA512
eefe78f6d845e476d01e53e9c61b3568af18be9d3cb56171f9315275a898735234f00e98c4916091afc3ee91bce0259b2cb3853fa6950ad0f2a12e6ac26d9fdc

Download Submit
C:\Windows\SysWOW64\Gglfbkin.exe
Filesize
161KB

MD5
964be0435e5e4fed15b476a12a532fe3

SHA1
b00216c6259bfea57d0f22a24611fae7f92ccbca

SHA256
122c1ab11dbc9b7868fbf4e5009c751ec01fd1fdb55b8db2903739d493cbb552

SHA512
21804cf6fee7141613547e9c95d32324b632b50c613fc5ea0275f5341481c109f355b417068f83f741e7a7209f19e1130330fcd4754d7ca733a620d4c243278e

Download Submit
C:\Windows\SysWOW64\Gnblnlhl.exe
Filesize
161KB

MD5
b29fc1775fbca73dd01a3318c9a7def7

SHA1
adca26cf8f474ba604061dd879ce68b1ab3d5ec9

SHA256
9673f9437093e34434340f97d152974ec0278689c2ce083e378a8b5377fe9485

SHA512
a1e203700516b4e59ebbea19d51fddac28f38c8a6c98c6ce5c1803f9c1b8dd7454acabb462b1f2c96e8314f2c4b3bd9829b33936ecaa74d8ceca9d2a7a1e6d2c

Download Submit
C:\Windows\SysWOW64\Hecjke32.exe
Filesize
161KB

MD5
50e833c6d45ca3dbe3c7512f7a0a6912

SHA1
53d8ed342f732afd56bdc0f1f478426f04632edb

SHA256
afee7c988e785e041c74b1eebb3cc0cf558f761ce2ed5d8d282ff4de4d2ac4d8

SHA512
a72a02fe0cd4aa2616ac85d4652a018f9d4a665ee193250799e1f0abe10adabcb61b0c15f85226d09937d222e38876f9a722841552ca20c0e72b9106a7dcd1ab

Download Submit
C:\Windows\SysWOW64\Ieagmcmq.exe
Filesize
161KB

MD5
0de4c77ac0ba45ccc4c5236b2093e814

SHA1
d93015f2398273c0437007c98b9dffd08c6e3447

SHA256
3e3b4c3f0a7a6475baf90a64400e705f84fa0a2a319682ec6e797a2a1dddcac4

SHA512
4954e547bb73e4071b6608d01997ccf058876376ec24a97ba63f15c6f63af83a8c13ce623c26a2d06935aa5fed786d718bf917e7243ffd9a434e9973540358e4

Download Submit
C:\Windows\SysWOW64\Iencmm32.exe
Filesize
161KB

MD5
e3c680a4fb23baf93a4441113868e95b

SHA1
c6dba4ccd4e6b504732ae989bde34893f81fe325

SHA256
407e6b3bb74156374da4757b654c95c8b1092b09c968daeb85ab265dbf1584e3

SHA512
5ccc6966e5fb66da1edd6110525e26b1b6671ce97b64c5442dd9a588083be4a39b162601d44c6f94ca097f5fbd93180e8e88b8eab7c684bbab79d17258186337

Download Submit
C:\Windows\SysWOW64\Jjgkab32.exe
Filesize
161KB

MD5
795939ecbcf18b21d116d558f1c7ea22

SHA1
6c8d59caa6a5710427d63caddddd503da0b5737b

SHA256
9507d2b97b1b3c0bc93437f9c61a3197044191bb71803d5103e9ff869ef153d4

SHA512
5b03269c682af78245a3ab7a9afe5a44b2a266a5f86e15274053ad844083548b10b40383c30a5a500880e50e611181de8b7983dfa689b2e17202457fbd9863ae

Download Submit
C:\Windows\SysWOW64\Jlidpe32.exe
Filesize
161KB

MD5
b98b1f1f8b0583fb6e23b625c028800d

SHA1
ec497310975f8b9619d11da3844765d4177e517e

SHA256
4c7c24442e16d6b78de483823dfe66a4959b26ea1222229baa0aff151a3d57a9

SHA512
a455425746bcc7861fe30648b686a8debcc3e43ea02f769c575b00f42c035876a53dbf84650d6a8581c04ff4a651a1aa1714789963276a37cd72264d645368db

Download Submit
C:\Windows\SysWOW64\Jmpjlk32.dll
Filesize
7KB

MD5
b4d5d38179f5eaa27dea603a448c0bd7

SHA1
b2fd8d14ef9b42949beb445c0bddb92d10492b9c

SHA256
38da997878432902e3d9acf62e59a4068ec855be9dd497c47225b060d62c0339

SHA512
4ac9e0579bff2048769fef969516a3371240f5a12fb4180eea2b7990c1d26968f164cf229119dff76732f8aded2f98c43b88fe2b3c9b681a2516782189e32f1d

Download Submit
C:\Windows\SysWOW64\Kdmlkfjb.exe
Filesize
161KB

MD5
7205aa54db0564aaec490379a415d0c3

SHA1
e0f0b3d8fe1b7e647f823527e5b01ec4bdab4fe7

SHA256
307bbbb09f86653e0fb25e523fa6778303c1b49193e46932194c7b2d7a21def9

SHA512
51205204887f09e248bcec7094e87bdee666e58d6a47e6d7fcf21bf4a65cd0e3f5eac059fb33463c56c95b68eba338c92bd3c3dcb79b6841665d9e872d82cdda

Download Submit
C:\Windows\SysWOW64\Khiofk32.exe
Filesize
161KB

MD5
2c543e41ab281509079c3162c79a23aa

SHA1
c12f6487e5c881cb36e0d499e373c6a15b2f1cd7

SHA256
ff03c5cb4f91b60dd11bfd558963441a92d14cb261d7ba63fd98fee506d54ce4

SHA512
dbf62c6746f82da8341d4ecef29dbbae4ba2665bb7a038a212fbebc8370820b853bd6511b86952064fd56a7f4871fecda6ebbba70d48637fcc742d4cd769cb1c

Download Submit
C:\Windows\SysWOW64\Koaagkcb.exe
Filesize
161KB

MD5
9ddc794145caa4935560187cfedd0e06

SHA1
ce09ca403af56677874d9caac31ee30347e93a0b

SHA256
7697278605e3391db4e6da81586692ad1c84c89aae21ac15a5e8941505a25ff5

SHA512
10b9964f603da0638c852da3d9cca99c99762fee25269713791b4e6dbbc390cdcef09c465b6e74f07c51c476d7e17ce5447c349da05ce76f260ba56b91ff3bb1

Download Submit
C:\Windows\SysWOW64\Koimbpbc.exe
Filesize
161KB

MD5
3c9f9545974f786b5c89c43d89294333

SHA1
1030999e800bd1877ca2a1996c967adc2882926e

SHA256
f607e684b1c4e60613a6fc5b00adb03bf03886ed5e66428ad5324e4cc9277fd4

SHA512
b290220c845a686fb5157e0e072b9fc4609113ee8bfabf9abbf42fd3eaf3b8d7b717b7dc62667464fa1a2f4de5e1f21fda35e2de15608c2d84f103b435097e2c

Download Submit
C:\Windows\SysWOW64\Komhll32.exe
Filesize
161KB

MD5
3cde1d69982ac4d3bb4db18303358445

SHA1
a9be0f23cc88404875ba2a0531d3eec1de763ac2

SHA256
5c731eb652206589386f338aabcf4c2363588225a79086239d4f2e0729b4ed3a

SHA512
ddb177739c508499e816f112440dbd8686fd27dd0f0aed2e308c7e99ad058ed8ccaf7fe2a1c98018dab4d460159f67fc5184b78cdb473a689d456e608b2d0907

Download Submit
C:\Windows\SysWOW64\Ljqhkckn.exe
Filesize
161KB

MD5
a78615d370a3df6cfb7673b504374ebe

SHA1
4cfca8ab6d5e03e2716846b4d5b8a837a61cf5e9

SHA256
f772afc6d4b00d775add721bf89bb24b367ad6f5b7a88bfed66bf3094f5f7ce8

SHA512
7ada5a1f4bf1a0801a109b11078b15b0c603fc0832f7016cd3ef3423af5a18fac5f8edea66c04c6de188a1bc3144dcb99f4c2446c4896f7bec77613b47f456e0

Download Submit
C:\Windows\SysWOW64\Lplfcf32.exe
Filesize
161KB

MD5
03ea317cbbb64af2d074084d34590938

SHA1
031da84805c046ed4f161c2f4a130bae3bdb523f

SHA256
de2578f82cf2ca57bc79a23f9de350c36fdd613a124c6e362d33d3cf41564b04

SHA512
aa2bf4913763ee00c38d2c16f445a717f096762bdd374d82618ce4f1bb739743cac35fefc5192a162348d19d9aab48f026d0faf60ddf70d1bee1394e5b814e71

Download Submit
C:\Windows\SysWOW64\Lqojclne.exe
Filesize
161KB

MD5
211ca56c10ce057f03e10a919e52793f

SHA1
8abbc2b2663b1b4c7833def4f32148e8f3872215

SHA256
a8d4a7017ca51ca4f6ceacd2e43788fd2cb8469418787404bce38a71c59cb3cd

SHA512
68fd1447194adde5ea100af37523565c6c7b49b58d33cbded03ae7f78f235855b6a46007ba74fd777c1b12924b5571cb28c2f19bbc8109a64548fec507577241

Download Submit
C:\Windows\SysWOW64\Mcbpjg32.exe
Filesize
161KB

MD5
2b37cfc8bccc5ba846f160a11731434e

SHA1
6e32e94015b36c2933fc3710f7e08631c1e1f8f7

SHA256
a9e94f9492f0558be7e37e53df4c1c41c453e2f0532006a6f7610f125d020a97

SHA512
26deb12868c24e851c78c09ddf3c5329d946e9fdfa820561bc220a72e4e595e6c55137707b1610e46a4a845b323454bc614256951b5e757d7a713d3c17fe9b56

Download Submit
C:\Windows\SysWOW64\Mjcngpjh.exe
Filesize
161KB

MD5
6113c54f379392689ec397d185e40a98

SHA1
c1122b234984bec5933d1c42535d37c50adf8abf

SHA256
5e3eac4895bdea89a860e3bfdc092e7295e02237f994ab1448b924d6fcef562c

SHA512
81824f46e5e96c3452310893d0b73f5d062fb85aa03483e915e53cb5585be32e1a84e52d28f20c36eaa67581424fc0ad413d9d844a12773e36db419468fe743f

Download Submit
C:\Windows\SysWOW64\Moalil32.exe
Filesize
161KB

MD5
3a0cdc79a46fd9c0df77875a194ebb66

SHA1
42d4cd7eec0df8eb8981b1b7d1582b42b493226f

SHA256
829c7ad9a9cbe10199f0629082abe74d78d1c75a9a627bca63b35a7eac53ec9e

SHA512
613ce293a1247866c234bbbc4b3e481a0b0396947f422f02c00027cca87e5c4b3ac797c9054c02bcea76a0b6bc593accbf1450db5e4e6aea127f3bf579716b59

Download Submit
C:\Windows\SysWOW64\Nchhfild.exe
Filesize
161KB

MD5
a74ce3240ab2de6d8c8cfeb5c5f49aed

SHA1
d33271a06ddc653bf403ee639584c5dd3f22dca2

SHA256
4a79405016971503cbb9ed877a1af6e2dabd6678e884ac5d7e441a29e74d1c54

SHA512
dff127dbd30e1bf45e12e66dcbf9ccd908b54bc77260535bcf6f96e28b540a9bcc8eb520202b3c5e04fbf1d8e5b4c03bb8d8e3fd8c1f09d8d2ee888ca00b3cb3

Download Submit
C:\Windows\SysWOW64\Ncqlkemc.exe
Filesize
161KB

MD5
a45628edd5224a8d49b39f29a0ab450d

SHA1
14fdb368e3883c015e441fef80d8c2631fe45c6a

SHA256
5136afcf2e5ebe3c86282c9a30b4b8431c877a1dfc5c3eaa929ce2e128b459a1

SHA512
7529231308a0d35a9da91bb4605a4dab264727573ceaf424ba45a9482a42e0af5eec40122238c387cccf94b01169235692e28ee140aac1dabde6665104aa2deb

Download Submit
C:\Windows\SysWOW64\Ndnnianm.exe
Filesize
161KB

MD5
09c248e2e7f1244614dcffc39acd221a

SHA1
fe7fcb70bdf6537c49a4e73ca2852d2c1050677f

SHA256
5f03f3b8bafc41029e7f3cdb1d5945aed99c0ea996ed61b3fb9d5021402e49a9

SHA512
a9ffa35566f6ae6548ee66eb7fd894564711d2d4fb5a2e626bd905ad4c8a322591384931f3e5e294243bc3bf74845d9ce7b32e0e4cd646a9eaa7b3c9c5b162d8

Download Submit
C:\Windows\SysWOW64\Nfihbk32.exe
Filesize
161KB

MD5
61c79fdedc3cad00db755b60ac308f8d

SHA1
6ac4864128f7c011bb1e0f8090928f4a9efa3c05

SHA256
3c9012e9669cdd215cced5a9b8b66e622c5f3eb8b21df017e08e82696dbb1a98

SHA512
ad04e8b30f3ee49d4d1c704a5159ae1d1bc806d19fd3dbb445eb499b5933d6f5f1c628382a7dcacbe819ba349e10e6c6fb34809be4bb6eff6d570cd47eb17c33

Download Submit
C:\Windows\SysWOW64\Ngqagcag.exe
Filesize
161KB

MD5
b486dfc88b635c1ca711bfc9d122c432

SHA1
de61b589896a25d6d68dc7d09f4ff8002d94d28b

SHA256
9f581c712eb046938edf2f0569f8389148032a716538f24581a5d1749147fddf

SHA512
7897686c8683c39b02252ba48cff3b3edc02090438bad01cdee1c0f9ecaf0d84b401205360414d206a84318933d01f0c59fea516d8c618a07e410d54197b2117

Download Submit
C:\Windows\SysWOW64\Ojfcdnjc.exe
Filesize
161KB

MD5
8f3cace6754f81c918fc072e6c42137b

SHA1
68bcd0ffca0a63208d392a546ff6a052c98572dd

SHA256
76c24de0281e205c92ca18a90ce31af1e7561fde4052f9d1f7f3b1c378b16785

SHA512
e728f3eb36e2db0bb99a39afa0859be64e5080fbbf6223235362fc844e31b9a9839cf8ccbb42f411bfc99b5d26fbbbe7de4562011015aae2e035c0a1e5629461

Download Submit
C:\Windows\SysWOW64\Okolfj32.exe
Filesize
161KB

MD5
1f35c56633d84d4e9150b2ad00934721

SHA1
0739cda31dc5f29f1f9fc0083471261625357f8c

SHA256
8ba04ba7ee50920d8f63c4c053b40f59089a93bb97f6533189866ea500714695

SHA512
f2717515cb9f0acc91a3be77f49fb2374f640fae9a9a29f82721391091b252ffe0ce99056e9b3649e87449980cebde82f96429ccf273bc8696368a17dddcd5e3

Download Submit
C:\Windows\SysWOW64\Ooangh32.exe
Filesize
161KB

MD5
b22ccbae41020401b865666a7a08d6e5

SHA1
6542d6afa6725fa0db79cff6b3174e0ef5aadf36

SHA256
5b55ca0ec622707c013871a21c59b20996d7b79a77da995fb0e3b84e67b68fe1

SHA512
8c34efe0b08620c66f4326f86acc0b50cd391c387e5f4554fcd5fe3d62cafadf1e636acf3d7adda2008fc83b9ba1076be6bd88086126127f077073b36d55243c

Download Submit
C:\Windows\SysWOW64\Pehjfm32.exe
Filesize
161KB

MD5
19d4204180760e42f441efa977c77386

SHA1
9411b8134143efe0e4cdff239516e81d6ca78448

SHA256
e4e787d6f457c4aa91ef74008429a01bb848dbdf3a16265ffce02d8f1d689015

SHA512
86193e568317ee222eee9cb7e9263706ca7976cf92f95340a0b0060641efaa58e7ce91c4e6e63f7d53df3fcff50079458d7a54d57ce2d989acbb705dd9d9a5db

Download Submit
C:\Windows\SysWOW64\Pfandnla.exe
Filesize
161KB

MD5
f5e35cadbfe6166c44b3e203eec8f0eb

SHA1
60b28ffd158a17d04dbcca62a55526f2e70b0f4d

SHA256
79414da8630db4e4f123439b39883b25bfe7b71dfb54332c846dc3cd19c3ff3e

SHA512
e60023e518c36d471f1f605e08a9951a7ccdb4eb80fc8064ad9923fbb2d5584f7496055428b1b2452705da93a077f76a903455984d4e6db5b88d4e1dfd6d96e0

Download Submit
C:\Windows\SysWOW64\Pmjhlklg.exe
Filesize
161KB

MD5
8a58fc8f6b299a6e40c19fb0bfe038aa

SHA1
448065a90c2445582389b9e51617360b35a34ed7

SHA256
6d648f2d5b8b8b902e23dca5768560808881c930bfaa3aa50ee06ba709bacbfd

SHA512
9010222de11c0a3191b9b4f856622786f28ec7baf43feb065fe89185dc2d6ec583e83538ddee205bb5853ec36db94c43a51a81dfb83563a8a6dab9aa3feb7bb9

Download Submit
C:\Windows\SysWOW64\Ppahmb32.exe
Filesize
161KB

MD5
58ba33a9462c7f1f2f5c1c1712ced9cc

SHA1
761cdf721e96afcec90c6ca5e31249ed4d3813c7

SHA256
c69832c5c9637886da20e5fe3fd07f7d8ae1952f95474b7f52d55c93ab40f622

SHA512
50f9db2f9a833fff90428e5df28c71ece08469297d69e69040bbeb587b3bab71f395731d52e9a80c8dabb63220a04fb1687cfe91a346cb0d05d888cabe2d5277

Download Submit
C:\Windows\SysWOW64\Pqbala32.exe
Filesize
161KB

MD5
e7f92f76744627cac712ea28674d7ab4

SHA1
d76d7d803f44117518f26743897d89eb7b3eb4ab

SHA256
f9b90c08ca18daab7246448a37467b2f8641f79141297c79d64eb6f82308d600

SHA512
5334d37ab327baf56e0a94f31ac524aef659306f5a722b46127f652988028ea8e147ddd0185e90820bc4fcafe1e3ee96947ad123ee2acc5027b6cf578d4171ec

Download Submit
memory/216-153-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/216-241-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1080-15-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1080-97-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1240-390-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1240-321-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1244-278-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1244-348-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1488-411-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1488-342-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1512-398-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1712-334-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1712-261-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1964-377-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2060-233-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2060-313-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2096-293-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2096-362-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2120-31-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2120-115-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2176-178-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2176-89-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2212-397-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2212-328-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2256-300-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2256-369-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2300-260-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2300-170-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2324-107-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2324-196-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2336-355-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2336-286-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2412-88-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2412-7-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2528-80-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2528-169-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2592-370-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2660-419-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2756-335-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2756-404-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2808-223-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2808-134-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2872-391-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2932-349-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2932-418-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3020-314-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3020-383-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3068-73-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3068-160-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3336-180-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3336-268-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3404-356-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3408-23-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3408-106-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3476-206-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3476-292-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3504-341-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3504-270-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3812-306-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3812-224-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3832-327-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3832-251-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3856-116-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3856-205-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3932-40-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3932-125-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4020-189-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4020-277-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4152-126-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4152-214-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4216-405-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4284-299-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4284-215-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4324-376-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4324-307-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4376-250-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4376-162-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4484-384-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4568-56-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4568-143-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4644-65-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4644-151-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4680-412-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4760-133-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4760-47-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4816-363-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4900-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4900-63-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4920-144-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4920-232-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4948-243-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4948-320-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4956-285-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4956-197-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5012-188-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5012-98-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download