gozi | 2bed9032f02b00f87c1112bcb7012589871d3452b1bd441fcdca3f70fa9d46fb

Analysis

max time kernel
140s
max time network
162s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
20-06-2024 02:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2bed9032f02b00f87c1112bcb7012589871d3452b1bd441fcdca3f70fa9d46fb_NeikiAnalytics.exe
Size

163KB
MD5

d15f8c4fbcbc2179b5ff9a4a7a756e20
SHA1

75f6f97650583e00737f4104d5f224b2612696da
SHA256

2bed9032f02b00f87c1112bcb7012589871d3452b1bd441fcdca3f70fa9d46fb
SHA512

f983bfbd8af6ed14e1e4d2bda7eb6646845a63902447ebe61ec6735935625dd57f5e8df748aceba4264f8d8fa057b230290bacfb62d4b2adda1727a4f4a056c8
SSDEEP

3072:nYqFvumbaFKtaJGyqDyltOrWKDBr+yJb:Yqp7cJaDyLOf

Score

10^/10

gozi banker isfb persistence trojan

Malware Config

Extracted

Family

gozi

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Cggimh32.exeDgjoif32.exeDoccpcja.exeIpbaol32.exeAbhqefpg.exeFcpakn32.exeNnojho32.exeLjpaqmgb.exeMlljnf32.exeBapgdm32.exeEqkondfl.exePjdpelnc.exeIialhaad.exeMofmobmo.exeBdlfjh32.exeFkcpql32.exePfagighf.exeEaaiahei.exeFooclapd.exeHbihjifh.exeQbajeg32.exeAidehpea.exeGjaphgpl.exeKjgeedch.exeKamjda32.exeOokoaokf.exeCpfmlghd.exeMfchlbfd.exeJpgdai32.exeNoppeaed.exeNcbafoge.exeOfgdcipq.exeGegkpf32.exeIojkeh32.exePbcncibp.exeEdaaccbj.exeDncpkjoc.exeGaqhjggp.exeEjlnfjbd.exeLfgipd32.exeBbaclegm.exe2bed9032f02b00f87c1112bcb7012589871d3452b1bd441fcdca3f70fa9d46fb_NeikiAnalytics.exeNjjmni32.exeBdmmeo32.exeLchfib32.exeLckboblp.exeKofkbk32.exeBnlhncgi.exePcegclgp.exeAbmjqe32.exeEafbmgad.exeFcneeo32.exeFqdbdbna.exeOfckhj32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cggimh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgjoif32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Doccpcja.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipbaol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abhqefpg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fcpakn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnojho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ljpaqmgb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlljnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bapgdm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqkondfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjdpelnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iialhaad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mofmobmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdlfjh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fkcpql32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfagighf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eaaiahei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fooclapd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hbihjifh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qbajeg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aidehpea.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fkcpql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gjaphgpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kjgeedch.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kamjda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ookoaokf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpfmlghd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mfchlbfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpgdai32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Noppeaed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncbafoge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofgdcipq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfagighf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gegkpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iojkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbcncibp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Edaaccbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgjoif32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dncpkjoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gaqhjggp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljpaqmgb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejlnfjbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lfgipd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbaclegm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	2bed9032f02b00f87c1112bcb7012589871d3452b1bd441fcdca3f70fa9d46fb_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njjmni32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdmmeo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lchfib32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lckboblp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pbcncibp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bapgdm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kofkbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnlhncgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lchfib32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcegclgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Abmjqe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eafbmgad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fcneeo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqdbdbna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mofmobmo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncbafoge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofckhj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcegclgp.exe

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi

Executes dropped EXE 64 IoCs

Processes:

Jiglnf32.exeKjblje32.exeKjgeedch.exeKofkbk32.exeLlmhaold.exeLfgipd32.exeLggejg32.exeMjjkaabc.exeMfchlbfd.exeNnojho32.exeNpbceggm.exeNjjdho32.exeOjajin32.exeOghghb32.exeOfmdio32.exePjkmomfn.exePaiogf32.exePjdpelnc.exeQpcecb32.exeAkblfj32.exeBdmmeo32.exeBacjdbch.exeBnlhncgi.exeCggimh32.exeCdmfllhn.exeCdpcal32.exeCgqlcg32.exeDhphmj32.exeDakikoom.exeDgjoif32.exeDoccpcja.exeEhndnh32.exeEqlfhjig.exeEbkbbmqj.exeFooclapd.exeFndpmndl.exeFbbicl32.exeFkmjaa32.exeFgcjfbed.exeGegkpf32.exeGanldgib.exeGaqhjggp.exeGijmad32.exeGbbajjlp.exeHpfbcn32.exeHajkqfoe.exeHbihjifh.exeHnphoj32.exeHbnaeh32.exeIpbaol32.exeIafkld32.exeIojkeh32.exeIialhaad.exeJlbejloe.exeJbojlfdp.exeJbagbebm.exeJbccge32.exeJpgdai32.exeKakmna32.exeKamjda32.exeKapfiqoj.exeKpqggh32.exeKpccmhdg.exeLljdai32.exe

pid	process
4564	Jiglnf32.exe
2680	Kjblje32.exe
1988	Kjgeedch.exe
3708	Kofkbk32.exe
660	Llmhaold.exe
4380	Lfgipd32.exe
1956	Lggejg32.exe
5072	Mjjkaabc.exe
2472	Mfchlbfd.exe
1692	Nnojho32.exe
4940	Npbceggm.exe
1688	Njjdho32.exe
1964	Ojajin32.exe
2168	Oghghb32.exe
2944	Ofmdio32.exe
4312	Pjkmomfn.exe
1360	Paiogf32.exe
1468	Pjdpelnc.exe
2308	Qpcecb32.exe
1620	Akblfj32.exe
2336	Bdmmeo32.exe
720	Bacjdbch.exe
2152	Bnlhncgi.exe
5008	Cggimh32.exe
2156	Cdmfllhn.exe
4668	Cdpcal32.exe
568	Cgqlcg32.exe
3572	Dhphmj32.exe
1444	Dakikoom.exe
2268	Dgjoif32.exe
5020	Doccpcja.exe
1436	Ehndnh32.exe
4620	Eqlfhjig.exe
416	Ebkbbmqj.exe
1492	Fooclapd.exe
2084	Fndpmndl.exe
3472	Fbbicl32.exe
4836	Fkmjaa32.exe
4840	Fgcjfbed.exe
4592	Gegkpf32.exe
2652	Ganldgib.exe
1332	Gaqhjggp.exe
1476	Gijmad32.exe
3100	Gbbajjlp.exe
2248	Hpfbcn32.exe
5012	Hajkqfoe.exe
4212	Hbihjifh.exe
3888	Hnphoj32.exe
4408	Hbnaeh32.exe
4184	Ipbaol32.exe
1652	Iafkld32.exe
456	Iojkeh32.exe
4296	Iialhaad.exe
616	Jlbejloe.exe
1268	Jbojlfdp.exe
3424	Jbagbebm.exe
3032	Jbccge32.exe
4576	Jpgdai32.exe
1016	Kakmna32.exe
2648	Kamjda32.exe
4728	Kapfiqoj.exe
4456	Kpqggh32.exe
1248	Kpccmhdg.exe
4700	Lljdai32.exe

Drops file in System32 directory 64 IoCs

Processes:

Kamjda32.exeAbhqefpg.exeFcneeo32.exeJbccge32.exePcegclgp.exePjkmomfn.exeGegkpf32.exeNoppeaed.exeEafbmgad.exeIpbaol32.exeFcpakn32.exeFbbicl32.exeFdbkja32.exeHbihjifh.exeBapgdm32.exeLljdai32.exeLckboblp.exeKpccmhdg.exeAidehpea.exeOghghb32.exeCibain32.exeFbfkceca.exeEhndnh32.exeFooclapd.exeGkalbj32.exeHajkqfoe.exeQbajeg32.exeKjblje32.exeBnlhncgi.exeBbaclegm.exeGjaphgpl.exeLggejg32.exeOfjqihnn.exeCggimh32.exeMlljnf32.exeCdhffg32.exeCdpcal32.exeCgqlcg32.exeDdfbgelh.exeIialhaad.exeLjpaqmgb.exeBdlfjh32.exeBdmmeo32.exeFndpmndl.exeQpcecb32.exeIojkeh32.exeLpochfji.exeKapfiqoj.exeLchfib32.exeDhphmj32.exeQclmck32.exeLlmhaold.exeNpbceggm.exeHbnaeh32.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Leboon32.dll	Kamjda32.exe
File created	C:\Windows\SysWOW64\Amnebo32.exe	Abhqefpg.exe
File created	C:\Windows\SysWOW64\Jfqqddpi.dll	Fcneeo32.exe
File created	C:\Windows\SysWOW64\Mneoha32.dll	Jbccge32.exe
File created	C:\Windows\SysWOW64\Mpagaf32.dll	Pcegclgp.exe
File opened for modification	C:\Windows\SysWOW64\Paiogf32.exe	Pjkmomfn.exe
File created	C:\Windows\SysWOW64\Ganldgib.exe	Gegkpf32.exe
File created	C:\Windows\SysWOW64\Fanmld32.dll	Noppeaed.exe
File opened for modification	C:\Windows\SysWOW64\Egbken32.exe	Eafbmgad.exe
File opened for modification	C:\Windows\SysWOW64\Iafkld32.exe	Ipbaol32.exe
File created	C:\Windows\SysWOW64\Fqdbdbna.exe	Fcpakn32.exe
File created	C:\Windows\SysWOW64\Fkmjaa32.exe	Fbbicl32.exe
File created	C:\Windows\SysWOW64\Fbfkceca.exe	Fdbkja32.exe
File opened for modification	C:\Windows\SysWOW64\Hnphoj32.exe	Hbihjifh.exe
File opened for modification	C:\Windows\SysWOW64\Amnebo32.exe	Abhqefpg.exe
File opened for modification	C:\Windows\SysWOW64\Bbaclegm.exe	Bapgdm32.exe
File opened for modification	C:\Windows\SysWOW64\Lpgmhg32.exe	Lljdai32.exe
File created	C:\Windows\SysWOW64\Mjpnkbfj.dll	Lckboblp.exe
File opened for modification	C:\Windows\SysWOW64\Lljdai32.exe	Kpccmhdg.exe
File created	C:\Windows\SysWOW64\Aafjpc32.dll	Aidehpea.exe
File created	C:\Windows\SysWOW64\Ofmdio32.exe	Oghghb32.exe
File opened for modification	C:\Windows\SysWOW64\Ofmdio32.exe	Oghghb32.exe
File created	C:\Windows\SysWOW64\Bbaclegm.exe	Bapgdm32.exe
File created	C:\Windows\SysWOW64\Pnlhmpgg.dll	Cibain32.exe
File opened for modification	C:\Windows\SysWOW64\Gjaphgpl.exe	Fbfkceca.exe
File created	C:\Windows\SysWOW64\Eqlfhjig.exe	Ehndnh32.exe
File created	C:\Windows\SysWOW64\Lhpapf32.dll	Fooclapd.exe
File created	C:\Windows\SysWOW64\Gdiakp32.exe	Gkalbj32.exe
File created	C:\Windows\SysWOW64\Hbihjifh.exe	Hajkqfoe.exe
File opened for modification	C:\Windows\SysWOW64\Apggckbf.exe	Qbajeg32.exe
File created	C:\Windows\SysWOW64\Aablof32.dll	Kjblje32.exe
File opened for modification	C:\Windows\SysWOW64\Cggimh32.exe	Bnlhncgi.exe
File created	C:\Windows\SysWOW64\Nodeaima.dll	Bbaclegm.exe
File created	C:\Windows\SysWOW64\Gdgdeppb.exe	Gjaphgpl.exe
File opened for modification	C:\Windows\SysWOW64\Mjjkaabc.exe	Lggejg32.exe
File opened for modification	C:\Windows\SysWOW64\Eqlfhjig.exe	Ehndnh32.exe
File created	C:\Windows\SysWOW64\Fljhbbae.dll	Ofjqihnn.exe
File created	C:\Windows\SysWOW64\Cdmfllhn.exe	Cggimh32.exe
File created	C:\Windows\SysWOW64\Baampdgc.dll	Fbbicl32.exe
File created	C:\Windows\SysWOW64\Mbibfm32.exe	Mlljnf32.exe
File created	C:\Windows\SysWOW64\Nppbddqg.dll	Cdhffg32.exe
File created	C:\Windows\SysWOW64\Cgqlcg32.exe	Cdpcal32.exe
File opened for modification	C:\Windows\SysWOW64\Dhphmj32.exe	Cgqlcg32.exe
File created	C:\Windows\SysWOW64\Pjcblekh.dll	Ddfbgelh.exe
File created	C:\Windows\SysWOW64\Jlbejloe.exe	Iialhaad.exe
File created	C:\Windows\SysWOW64\Lchfib32.exe	Ljpaqmgb.exe
File created	C:\Windows\SysWOW64\Bapgdm32.exe	Bdlfjh32.exe
File created	C:\Windows\SysWOW64\Lqppgj32.dll	Bdmmeo32.exe
File created	C:\Windows\SysWOW64\Mlkhbi32.dll	Ipbaol32.exe
File created	C:\Windows\SysWOW64\Mlbmonhi.dll	Fndpmndl.exe
File created	C:\Windows\SysWOW64\Oqoefand.exe	Ofjqihnn.exe
File opened for modification	C:\Windows\SysWOW64\Akblfj32.exe	Qpcecb32.exe
File opened for modification	C:\Windows\SysWOW64\Iialhaad.exe	Iojkeh32.exe
File opened for modification	C:\Windows\SysWOW64\Jlbejloe.exe	Iialhaad.exe
File created	C:\Windows\SysWOW64\Caecnh32.dll	Lpochfji.exe
File opened for modification	C:\Windows\SysWOW64\Kpqggh32.exe	Kapfiqoj.exe
File created	C:\Windows\SysWOW64\Amcpgoem.dll	Lchfib32.exe
File opened for modification	C:\Windows\SysWOW64\Dakikoom.exe	Dhphmj32.exe
File created	C:\Windows\SysWOW64\Fndpmndl.exe	Fooclapd.exe
File opened for modification	C:\Windows\SysWOW64\Lpochfji.exe	Lckboblp.exe
File opened for modification	C:\Windows\SysWOW64\Qbajeg32.exe	Qclmck32.exe
File opened for modification	C:\Windows\SysWOW64\Lfgipd32.exe	Llmhaold.exe
File created	C:\Windows\SysWOW64\Bgemej32.dll	Npbceggm.exe
File opened for modification	C:\Windows\SysWOW64\Ipbaol32.exe	Hbnaeh32.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

6220 5672 WerFault.exe Gbmadd32.exe

pid	pid_target	process	target process
6220	5672	WerFault.exe	Gbmadd32.exe

Modifies registry class 64 IoCs

Processes:

Lpochfji.exeBfaigclq.exeDnqcfjae.exePaiogf32.exeGaqhjggp.exeKpccmhdg.exeApggckbf.exeFdbkja32.exeBacjdbch.exeEhndnh32.exeIojkeh32.exeLckboblp.exeGjaphgpl.exeLfgipd32.exeEqlfhjig.exeIafkld32.exeEaaiahei.exeNpbceggm.exeBdmmeo32.exeFooclapd.exeKapfiqoj.exeLlmhaold.exeDncpkjoc.exeEafbmgad.exeNnojho32.exeJlbejloe.exeLljdai32.exeDdfbgelh.exeQpcecb32.exeFbbicl32.exeKamjda32.exeNciopppp.exeGanldgib.exeHbihjifh.exeJbagbebm.exeJbccge32.exeOfckhj32.exeCibain32.exeEkqckmfb.exeNoppeaed.exeAbhqefpg.exeFndpmndl.exeLpgmhg32.exe2bed9032f02b00f87c1112bcb7012589871d3452b1bd441fcdca3f70fa9d46fb_NeikiAnalytics.exeDgjoif32.exeGbbajjlp.exeFkcpql32.exeOjajin32.exeIialhaad.exeJpgdai32.exeBdlfjh32.exeOfjqihnn.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Caecnh32.dll"	Lpochfji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfaigclq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dnqcfjae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Paiogf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gaqhjggp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhbacd32.dll"	Kpccmhdg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Apggckbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpiedd32.dll"	Fdbkja32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bacjdbch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ehndnh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iojkeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lckboblp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbjlpn32.dll"	Gjaphgpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbmimp32.dll"	Lfgipd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgcpfdbd.dll"	Eqlfhjig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngekilj.dll"	Iafkld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eaaiahei.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Npbceggm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bdmmeo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fooclapd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kapfiqoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gaqhjggp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Polcjq32.dll"	Apggckbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkjdipap.dll"	Llmhaold.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dncpkjoc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eafbmgad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnojho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jlbejloe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjliff32.dll"	Lljdai32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddfbgelh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dapgni32.dll"	Qpcecb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baampdgc.dll"	Fbbicl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leboon32.dll"	Kamjda32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nciopppp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmapoggk.dll"	Ganldgib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jggocdgo.dll"	Hbihjifh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iafkld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jbagbebm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbccge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpldbefn.dll"	Ofckhj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnlhmpgg.dll"	Cibain32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odanidih.dll"	Ekqckmfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eqlfhjig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aglafhih.dll"	Iojkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fanmld32.dll"	Noppeaed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcckiibj.dll"	Abhqefpg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlbmonhi.dll"	Fndpmndl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpgmhg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfchag32.dll"	Bfaigclq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhbjnc32.dll"	Eafbmgad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ofckhj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	2bed9032f02b00f87c1112bcb7012589871d3452b1bd441fcdca3f70fa9d46fb_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgjoif32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfibjl32.dll"	Gbbajjlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhpapf32.dll"	Fooclapd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fkcpql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojenek32.dll"	Ojajin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fooclapd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iialhaad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jpgdai32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bdlfjh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbkqqe32.dll"	Jlbejloe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjpnkbfj.dll"	Lckboblp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ofjqihnn.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2bed9032f02b00f87c1112bcb7012589871d3452b1bd441fcdca3f70fa9d46fb_NeikiAnalytics.exeJiglnf32.exeKjblje32.exeKjgeedch.exeKofkbk32.exeLlmhaold.exeLfgipd32.exeLggejg32.exeMjjkaabc.exeMfchlbfd.exeNnojho32.exeNpbceggm.exeNjjdho32.exeOjajin32.exeOghghb32.exeOfmdio32.exePjkmomfn.exePaiogf32.exePjdpelnc.exeQpcecb32.exeAkblfj32.exeBdmmeo32.exe

description	pid	process	target process
PID 380 wrote to memory of 4564	380	2bed9032f02b00f87c1112bcb7012589871d3452b1bd441fcdca3f70fa9d46fb_NeikiAnalytics.exe	Jiglnf32.exe
PID 380 wrote to memory of 4564	380	2bed9032f02b00f87c1112bcb7012589871d3452b1bd441fcdca3f70fa9d46fb_NeikiAnalytics.exe	Jiglnf32.exe
PID 380 wrote to memory of 4564	380	2bed9032f02b00f87c1112bcb7012589871d3452b1bd441fcdca3f70fa9d46fb_NeikiAnalytics.exe	Jiglnf32.exe
PID 4564 wrote to memory of 2680	4564	Jiglnf32.exe	Kjblje32.exe
PID 4564 wrote to memory of 2680	4564	Jiglnf32.exe	Kjblje32.exe
PID 4564 wrote to memory of 2680	4564	Jiglnf32.exe	Kjblje32.exe
PID 2680 wrote to memory of 1988	2680	Kjblje32.exe	Kjgeedch.exe
PID 2680 wrote to memory of 1988	2680	Kjblje32.exe	Kjgeedch.exe
PID 2680 wrote to memory of 1988	2680	Kjblje32.exe	Kjgeedch.exe
PID 1988 wrote to memory of 3708	1988	Kjgeedch.exe	Kofkbk32.exe
PID 1988 wrote to memory of 3708	1988	Kjgeedch.exe	Kofkbk32.exe
PID 1988 wrote to memory of 3708	1988	Kjgeedch.exe	Kofkbk32.exe
PID 3708 wrote to memory of 660	3708	Kofkbk32.exe	Llmhaold.exe
PID 3708 wrote to memory of 660	3708	Kofkbk32.exe	Llmhaold.exe
PID 3708 wrote to memory of 660	3708	Kofkbk32.exe	Llmhaold.exe
PID 660 wrote to memory of 4380	660	Llmhaold.exe	Lfgipd32.exe
PID 660 wrote to memory of 4380	660	Llmhaold.exe	Lfgipd32.exe
PID 660 wrote to memory of 4380	660	Llmhaold.exe	Lfgipd32.exe
PID 4380 wrote to memory of 1956	4380	Lfgipd32.exe	Lggejg32.exe
PID 4380 wrote to memory of 1956	4380	Lfgipd32.exe	Lggejg32.exe
PID 4380 wrote to memory of 1956	4380	Lfgipd32.exe	Lggejg32.exe
PID 1956 wrote to memory of 5072	1956	Lggejg32.exe	Mjjkaabc.exe
PID 1956 wrote to memory of 5072	1956	Lggejg32.exe	Mjjkaabc.exe
PID 1956 wrote to memory of 5072	1956	Lggejg32.exe	Mjjkaabc.exe
PID 5072 wrote to memory of 2472	5072	Mjjkaabc.exe	Mfchlbfd.exe
PID 5072 wrote to memory of 2472	5072	Mjjkaabc.exe	Mfchlbfd.exe
PID 5072 wrote to memory of 2472	5072	Mjjkaabc.exe	Mfchlbfd.exe
PID 2472 wrote to memory of 1692	2472	Mfchlbfd.exe	Nnojho32.exe
PID 2472 wrote to memory of 1692	2472	Mfchlbfd.exe	Nnojho32.exe
PID 2472 wrote to memory of 1692	2472	Mfchlbfd.exe	Nnojho32.exe
PID 1692 wrote to memory of 4940	1692	Nnojho32.exe	Npbceggm.exe
PID 1692 wrote to memory of 4940	1692	Nnojho32.exe	Npbceggm.exe
PID 1692 wrote to memory of 4940	1692	Nnojho32.exe	Npbceggm.exe
PID 4940 wrote to memory of 1688	4940	Npbceggm.exe	Njjdho32.exe
PID 4940 wrote to memory of 1688	4940	Npbceggm.exe	Njjdho32.exe
PID 4940 wrote to memory of 1688	4940	Npbceggm.exe	Njjdho32.exe
PID 1688 wrote to memory of 1964	1688	Njjdho32.exe	Ojajin32.exe
PID 1688 wrote to memory of 1964	1688	Njjdho32.exe	Ojajin32.exe
PID 1688 wrote to memory of 1964	1688	Njjdho32.exe	Ojajin32.exe
PID 1964 wrote to memory of 2168	1964	Ojajin32.exe	Oghghb32.exe
PID 1964 wrote to memory of 2168	1964	Ojajin32.exe	Oghghb32.exe
PID 1964 wrote to memory of 2168	1964	Ojajin32.exe	Oghghb32.exe
PID 2168 wrote to memory of 2944	2168	Oghghb32.exe	Ofmdio32.exe
PID 2168 wrote to memory of 2944	2168	Oghghb32.exe	Ofmdio32.exe
PID 2168 wrote to memory of 2944	2168	Oghghb32.exe	Ofmdio32.exe
PID 2944 wrote to memory of 4312	2944	Ofmdio32.exe	Pjkmomfn.exe
PID 2944 wrote to memory of 4312	2944	Ofmdio32.exe	Pjkmomfn.exe
PID 2944 wrote to memory of 4312	2944	Ofmdio32.exe	Pjkmomfn.exe
PID 4312 wrote to memory of 1360	4312	Pjkmomfn.exe	Paiogf32.exe
PID 4312 wrote to memory of 1360	4312	Pjkmomfn.exe	Paiogf32.exe
PID 4312 wrote to memory of 1360	4312	Pjkmomfn.exe	Paiogf32.exe
PID 1360 wrote to memory of 1468	1360	Paiogf32.exe	Pjdpelnc.exe
PID 1360 wrote to memory of 1468	1360	Paiogf32.exe	Pjdpelnc.exe
PID 1360 wrote to memory of 1468	1360	Paiogf32.exe	Pjdpelnc.exe
PID 1468 wrote to memory of 2308	1468	Pjdpelnc.exe	Qpcecb32.exe
PID 1468 wrote to memory of 2308	1468	Pjdpelnc.exe	Qpcecb32.exe
PID 1468 wrote to memory of 2308	1468	Pjdpelnc.exe	Qpcecb32.exe
PID 2308 wrote to memory of 1620	2308	Qpcecb32.exe	Akblfj32.exe
PID 2308 wrote to memory of 1620	2308	Qpcecb32.exe	Akblfj32.exe
PID 2308 wrote to memory of 1620	2308	Qpcecb32.exe	Akblfj32.exe
PID 1620 wrote to memory of 2336	1620	Akblfj32.exe	Bdmmeo32.exe
PID 1620 wrote to memory of 2336	1620	Akblfj32.exe	Bdmmeo32.exe
PID 1620 wrote to memory of 2336	1620	Akblfj32.exe	Bdmmeo32.exe
PID 2336 wrote to memory of 720	2336	Bdmmeo32.exe	Bacjdbch.exe

C:\Users\Admin\AppData\Local\Temp\2bed9032f02b00f87c1112bcb7012589871d3452b1bd441fcdca3f70fa9d46fb_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\2bed9032f02b00f87c1112bcb7012589871d3452b1bd441fcdca3f70fa9d46fb_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:380

C:\Windows\SysWOW64\Jiglnf32.exe
C:\Windows\system32\Jiglnf32.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4564

C:\Windows\SysWOW64\Kjblje32.exe
C:\Windows\system32\Kjblje32.exe
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2680

C:\Windows\SysWOW64\Kjgeedch.exe
C:\Windows\system32\Kjgeedch.exe
4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1988

C:\Windows\SysWOW64\Kofkbk32.exe
C:\Windows\system32\Kofkbk32.exe
5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3708

C:\Windows\SysWOW64\Llmhaold.exe
C:\Windows\system32\Llmhaold.exe
6⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:660

C:\Windows\SysWOW64\Lfgipd32.exe
C:\Windows\system32\Lfgipd32.exe
7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4380

C:\Windows\SysWOW64\Lggejg32.exe
C:\Windows\system32\Lggejg32.exe
8⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1956

C:\Windows\SysWOW64\Mjjkaabc.exe
C:\Windows\system32\Mjjkaabc.exe
9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5072

C:\Windows\SysWOW64\Mfchlbfd.exe
C:\Windows\system32\Mfchlbfd.exe
10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2472

C:\Windows\SysWOW64\Nnojho32.exe
C:\Windows\system32\Nnojho32.exe
11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1692

C:\Windows\SysWOW64\Npbceggm.exe
C:\Windows\system32\Npbceggm.exe
12⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4940

C:\Windows\SysWOW64\Njjdho32.exe
C:\Windows\system32\Njjdho32.exe
13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1688

C:\Windows\SysWOW64\Ojajin32.exe
C:\Windows\system32\Ojajin32.exe
14⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1964

C:\Windows\SysWOW64\Oghghb32.exe
C:\Windows\system32\Oghghb32.exe
15⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2168

C:\Windows\SysWOW64\Ofmdio32.exe
C:\Windows\system32\Ofmdio32.exe
16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2944

C:\Windows\SysWOW64\Pjkmomfn.exe
C:\Windows\system32\Pjkmomfn.exe
17⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4312

C:\Windows\SysWOW64\Paiogf32.exe
C:\Windows\system32\Paiogf32.exe
18⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1360

C:\Windows\SysWOW64\Pjdpelnc.exe
C:\Windows\system32\Pjdpelnc.exe
19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1468

C:\Windows\SysWOW64\Qpcecb32.exe
C:\Windows\system32\Qpcecb32.exe
20⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2308

C:\Windows\SysWOW64\Akblfj32.exe
C:\Windows\system32\Akblfj32.exe
21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1620

C:\Windows\SysWOW64\Bdmmeo32.exe
C:\Windows\system32\Bdmmeo32.exe
22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2336

C:\Windows\SysWOW64\Bacjdbch.exe
C:\Windows\system32\Bacjdbch.exe
23⤵
- Executes dropped EXE
- Modifies registry class
PID:720

C:\Windows\SysWOW64\Bnlhncgi.exe
C:\Windows\system32\Bnlhncgi.exe
24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2152

C:\Windows\SysWOW64\Cggimh32.exe
C:\Windows\system32\Cggimh32.exe
25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:5008

C:\Windows\SysWOW64\Cdmfllhn.exe
C:\Windows\system32\Cdmfllhn.exe
26⤵
- Executes dropped EXE
PID:2156

C:\Windows\SysWOW64\Cdpcal32.exe
C:\Windows\system32\Cdpcal32.exe
27⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4668

C:\Windows\SysWOW64\Cgqlcg32.exe
C:\Windows\system32\Cgqlcg32.exe
28⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:568

C:\Windows\SysWOW64\Dhphmj32.exe
C:\Windows\system32\Dhphmj32.exe
29⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3572

C:\Windows\SysWOW64\Dakikoom.exe
C:\Windows\system32\Dakikoom.exe
30⤵
- Executes dropped EXE
PID:1444

C:\Windows\SysWOW64\Dgjoif32.exe
C:\Windows\system32\Dgjoif32.exe
31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2268

C:\Windows\SysWOW64\Doccpcja.exe
C:\Windows\system32\Doccpcja.exe
32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5020

C:\Windows\SysWOW64\Ehndnh32.exe
C:\Windows\system32\Ehndnh32.exe
33⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1436

C:\Windows\SysWOW64\Eqlfhjig.exe
C:\Windows\system32\Eqlfhjig.exe
34⤵
- Executes dropped EXE
- Modifies registry class
PID:4620

C:\Windows\SysWOW64\Ebkbbmqj.exe
C:\Windows\system32\Ebkbbmqj.exe
35⤵
- Executes dropped EXE
PID:416

C:\Windows\SysWOW64\Fooclapd.exe
C:\Windows\system32\Fooclapd.exe
36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1492

C:\Windows\SysWOW64\Fndpmndl.exe
C:\Windows\system32\Fndpmndl.exe
37⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2084

C:\Windows\SysWOW64\Fbbicl32.exe
C:\Windows\system32\Fbbicl32.exe
38⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3472

C:\Windows\SysWOW64\Fkmjaa32.exe
C:\Windows\system32\Fkmjaa32.exe
39⤵
- Executes dropped EXE
PID:4836

C:\Windows\SysWOW64\Fgcjfbed.exe
C:\Windows\system32\Fgcjfbed.exe
40⤵
- Executes dropped EXE
PID:4840

C:\Windows\SysWOW64\Gegkpf32.exe
C:\Windows\system32\Gegkpf32.exe
41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4592

C:\Windows\SysWOW64\Ganldgib.exe
C:\Windows\system32\Ganldgib.exe
42⤵
- Executes dropped EXE
- Modifies registry class
PID:2652

C:\Windows\SysWOW64\Gaqhjggp.exe
C:\Windows\system32\Gaqhjggp.exe
43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1332

C:\Windows\SysWOW64\Gijmad32.exe
C:\Windows\system32\Gijmad32.exe
44⤵
- Executes dropped EXE
PID:1476

C:\Windows\SysWOW64\Gbbajjlp.exe
C:\Windows\system32\Gbbajjlp.exe
45⤵
- Executes dropped EXE
- Modifies registry class
PID:3100

C:\Windows\SysWOW64\Hpfbcn32.exe
C:\Windows\system32\Hpfbcn32.exe
46⤵
- Executes dropped EXE
PID:2248

C:\Windows\SysWOW64\Hajkqfoe.exe
C:\Windows\system32\Hajkqfoe.exe
47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5012

C:\Windows\SysWOW64\Hbihjifh.exe
C:\Windows\system32\Hbihjifh.exe
48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4212

C:\Windows\SysWOW64\Hnphoj32.exe
C:\Windows\system32\Hnphoj32.exe
49⤵
- Executes dropped EXE
PID:3888

C:\Windows\SysWOW64\Hbnaeh32.exe
C:\Windows\system32\Hbnaeh32.exe
50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4408

C:\Windows\SysWOW64\Ipbaol32.exe
C:\Windows\system32\Ipbaol32.exe
51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4184

C:\Windows\SysWOW64\Iafkld32.exe
C:\Windows\system32\Iafkld32.exe
52⤵
- Executes dropped EXE
- Modifies registry class
PID:1652

C:\Windows\SysWOW64\Iojkeh32.exe
C:\Windows\system32\Iojkeh32.exe
53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:456

C:\Windows\SysWOW64\Iialhaad.exe
C:\Windows\system32\Iialhaad.exe
54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4296

C:\Windows\SysWOW64\Jlbejloe.exe
C:\Windows\system32\Jlbejloe.exe
55⤵
- Executes dropped EXE
- Modifies registry class
PID:616

C:\Windows\SysWOW64\Jbojlfdp.exe
C:\Windows\system32\Jbojlfdp.exe
56⤵
- Executes dropped EXE
PID:1268

C:\Windows\SysWOW64\Jbagbebm.exe
C:\Windows\system32\Jbagbebm.exe
57⤵
- Executes dropped EXE
- Modifies registry class
PID:3424

C:\Windows\SysWOW64\Jbccge32.exe
C:\Windows\system32\Jbccge32.exe
58⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3032

C:\Windows\SysWOW64\Jpgdai32.exe
C:\Windows\system32\Jpgdai32.exe
59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4576

C:\Windows\SysWOW64\Kakmna32.exe
C:\Windows\system32\Kakmna32.exe
60⤵
- Executes dropped EXE
PID:1016

C:\Windows\SysWOW64\Kamjda32.exe
C:\Windows\system32\Kamjda32.exe
61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2648

C:\Windows\SysWOW64\Kapfiqoj.exe
C:\Windows\system32\Kapfiqoj.exe
62⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4728

C:\Windows\SysWOW64\Kpqggh32.exe
C:\Windows\system32\Kpqggh32.exe
63⤵
- Executes dropped EXE
PID:4456

C:\Windows\SysWOW64\Kpccmhdg.exe
C:\Windows\system32\Kpccmhdg.exe
64⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1248

C:\Windows\SysWOW64\Lljdai32.exe
C:\Windows\system32\Lljdai32.exe
65⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4700

C:\Windows\SysWOW64\Lpgmhg32.exe
C:\Windows\system32\Lpgmhg32.exe
66⤵
- Modifies registry class
PID:4560

C:\Windows\SysWOW64\Ljpaqmgb.exe
C:\Windows\system32\Ljpaqmgb.exe
67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1524

C:\Windows\SysWOW64\Lchfib32.exe
C:\Windows\system32\Lchfib32.exe
68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:4088

C:\Windows\SysWOW64\Lckboblp.exe
C:\Windows\system32\Lckboblp.exe
69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:3704

C:\Windows\SysWOW64\Lpochfji.exe
C:\Windows\system32\Lpochfji.exe
70⤵
- Drops file in System32 directory
- Modifies registry class
PID:3756

C:\Windows\SysWOW64\Mablfnne.exe
C:\Windows\system32\Mablfnne.exe
71⤵
PID:2348

C:\Windows\SysWOW64\Mofmobmo.exe
C:\Windows\system32\Mofmobmo.exe
72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3560

C:\Windows\SysWOW64\Mlljnf32.exe
C:\Windows\system32\Mlljnf32.exe
73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:4636

C:\Windows\SysWOW64\Mbibfm32.exe
C:\Windows\system32\Mbibfm32.exe
74⤵
PID:2128

C:\Windows\SysWOW64\Nciopppp.exe
C:\Windows\system32\Nciopppp.exe
75⤵
- Modifies registry class
PID:976

C:\Windows\SysWOW64\Noppeaed.exe
C:\Windows\system32\Noppeaed.exe
76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:1364

C:\Windows\SysWOW64\Ncmhko32.exe
C:\Windows\system32\Ncmhko32.exe
77⤵
PID:2876

C:\Windows\SysWOW64\Njjmni32.exe
C:\Windows\system32\Njjmni32.exe
78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2108

C:\Windows\SysWOW64\Ncbafoge.exe
C:\Windows\system32\Ncbafoge.exe
79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4684

C:\Windows\SysWOW64\Ofckhj32.exe
C:\Windows\system32\Ofckhj32.exe
80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1056

C:\Windows\SysWOW64\Ookoaokf.exe
C:\Windows\system32\Ookoaokf.exe
81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2188

C:\Windows\SysWOW64\Ofgdcipq.exe
C:\Windows\system32\Ofgdcipq.exe
82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5128

C:\Windows\SysWOW64\Ofjqihnn.exe
C:\Windows\system32\Ofjqihnn.exe
83⤵
- Drops file in System32 directory
- Modifies registry class
PID:5172

C:\Windows\SysWOW64\Oqoefand.exe
C:\Windows\system32\Oqoefand.exe
84⤵
PID:5216

C:\Windows\SysWOW64\Pbcncibp.exe
C:\Windows\system32\Pbcncibp.exe
85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5264

C:\Windows\SysWOW64\Pfagighf.exe
C:\Windows\system32\Pfagighf.exe
86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5308

C:\Windows\SysWOW64\Pcegclgp.exe
C:\Windows\system32\Pcegclgp.exe
87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5352

C:\Windows\SysWOW64\Paihlpfi.exe
C:\Windows\system32\Paihlpfi.exe
88⤵
PID:5404

C:\Windows\SysWOW64\Ppnenlka.exe
C:\Windows\system32\Ppnenlka.exe
89⤵
PID:5448

C:\Windows\SysWOW64\Qclmck32.exe
C:\Windows\system32\Qclmck32.exe
90⤵
- Drops file in System32 directory
PID:5500

C:\Windows\SysWOW64\Qbajeg32.exe
C:\Windows\system32\Qbajeg32.exe
91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5544

C:\Windows\SysWOW64\Apggckbf.exe
C:\Windows\system32\Apggckbf.exe
92⤵
- Modifies registry class
PID:5592

C:\Windows\SysWOW64\Amkhmoap.exe
C:\Windows\system32\Amkhmoap.exe
93⤵
PID:5636

C:\Windows\SysWOW64\Abhqefpg.exe
C:\Windows\system32\Abhqefpg.exe
94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:5680

C:\Windows\SysWOW64\Amnebo32.exe
C:\Windows\system32\Amnebo32.exe
95⤵
PID:5720

C:\Windows\SysWOW64\Aidehpea.exe
C:\Windows\system32\Aidehpea.exe
96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5764

C:\Windows\SysWOW64\Abmjqe32.exe
C:\Windows\system32\Abmjqe32.exe
97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5812

C:\Windows\SysWOW64\Bdlfjh32.exe
C:\Windows\system32\Bdlfjh32.exe
98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:5856

C:\Windows\SysWOW64\Bapgdm32.exe
C:\Windows\system32\Bapgdm32.exe
99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5900

C:\Windows\SysWOW64\Bbaclegm.exe
C:\Windows\system32\Bbaclegm.exe
100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5952

C:\Windows\SysWOW64\Bfaigclq.exe
C:\Windows\system32\Bfaigclq.exe
101⤵
- Modifies registry class
PID:6000

C:\Windows\SysWOW64\Bagmdllg.exe
C:\Windows\system32\Bagmdllg.exe
102⤵
PID:6044

C:\Windows\SysWOW64\Cibain32.exe
C:\Windows\system32\Cibain32.exe
103⤵
- Drops file in System32 directory
- Modifies registry class
PID:6092

C:\Windows\SysWOW64\Cdhffg32.exe
C:\Windows\system32\Cdhffg32.exe
104⤵
- Drops file in System32 directory
PID:6136

C:\Windows\SysWOW64\Ccblbb32.exe
C:\Windows\system32\Ccblbb32.exe
105⤵
PID:5168

C:\Windows\SysWOW64\Cpfmlghd.exe
C:\Windows\system32\Cpfmlghd.exe
106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5240

C:\Windows\SysWOW64\Dcffnbee.exe
C:\Windows\system32\Dcffnbee.exe
107⤵
PID:5276

C:\Windows\SysWOW64\Ddfbgelh.exe
C:\Windows\system32\Ddfbgelh.exe
108⤵
- Drops file in System32 directory
- Modifies registry class
PID:5396

C:\Windows\SysWOW64\Ddhomdje.exe
C:\Windows\system32\Ddhomdje.exe
109⤵
PID:5460

C:\Windows\SysWOW64\Dnqcfjae.exe
C:\Windows\system32\Dnqcfjae.exe
110⤵
- Modifies registry class
PID:5536

C:\Windows\SysWOW64\Dncpkjoc.exe
C:\Windows\system32\Dncpkjoc.exe
111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5600

C:\Windows\SysWOW64\Ddmhhd32.exe
C:\Windows\system32\Ddmhhd32.exe
112⤵
PID:5664

C:\Windows\SysWOW64\Eaaiahei.exe
C:\Windows\system32\Eaaiahei.exe
113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5760

C:\Windows\SysWOW64\Ejlnfjbd.exe
C:\Windows\system32\Ejlnfjbd.exe
114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5840

C:\Windows\SysWOW64\Edaaccbj.exe
C:\Windows\system32\Edaaccbj.exe
115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5940

C:\Windows\SysWOW64\Eafbmgad.exe
C:\Windows\system32\Eafbmgad.exe
116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:6024

C:\Windows\SysWOW64\Egbken32.exe
C:\Windows\system32\Egbken32.exe
117⤵
PID:6080

C:\Windows\SysWOW64\Eqkondfl.exe
C:\Windows\system32\Eqkondfl.exe
118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4048

C:\Windows\SysWOW64\Ekqckmfb.exe
C:\Windows\system32\Ekqckmfb.exe
119⤵
- Modifies registry class
PID:5232

C:\Windows\SysWOW64\Fkcpql32.exe
C:\Windows\system32\Fkcpql32.exe
120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5300

C:\Windows\SysWOW64\Fcneeo32.exe
C:\Windows\system32\Fcneeo32.exe
121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5412

C:\Windows\SysWOW64\Fcpakn32.exe
C:\Windows\system32\Fcpakn32.exe
122⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5528

C:\Windows\SysWOW64\Fqdbdbna.exe
C:\Windows\system32\Fqdbdbna.exe
123⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5616

C:\Windows\SysWOW64\Fdbkja32.exe
C:\Windows\system32\Fdbkja32.exe
124⤵
- Drops file in System32 directory
- Modifies registry class
PID:5772

C:\Windows\SysWOW64\Fbfkceca.exe
C:\Windows\system32\Fbfkceca.exe
125⤵
- Drops file in System32 directory
PID:5792

C:\Windows\SysWOW64\Gjaphgpl.exe
C:\Windows\system32\Gjaphgpl.exe
126⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:6032

C:\Windows\SysWOW64\Gdgdeppb.exe
C:\Windows\system32\Gdgdeppb.exe
127⤵
PID:6124

C:\Windows\SysWOW64\Gkalbj32.exe
C:\Windows\system32\Gkalbj32.exe
128⤵
- Drops file in System32 directory
PID:5228

C:\Windows\SysWOW64\Gdiakp32.exe
C:\Windows\system32\Gdiakp32.exe
129⤵
PID:5444

C:\Windows\SysWOW64\Gbmadd32.exe
C:\Windows\system32\Gbmadd32.exe
130⤵
PID:5672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5672 -s 400
131⤵
- Program crash
PID:6220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5672 -ip 5672
1⤵
PID:5200

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3828 --field-trial-handle=2272,i,4858140932023865871,5726683989663339295,262144 --variations-seed-version /prefetch:8
1⤵
PID:5852

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Abmjqe32.exe
Filesize
163KB

MD5
2b9e810d941ab3fcf610f97155569a48

SHA1
d5b4fc597507a0f8c255670da424905cc57e7f15

SHA256
030afb0681c88acf642ad400efba905907c7a90f9373e12e91c17eea0414af7a

SHA512
028ccb7a9a234515e929e7b72b1a8983ecbf606c95b85c5d44a2f03d055e243a3477dd44d661fdedc62f5787d1e4e7f2ddc1563604dfe64aaf68796ffe0b2b5b

Download Submit
C:\Windows\SysWOW64\Akblfj32.exe
Filesize
163KB

MD5
fafb383f30584c23158a32061c54c78e

SHA1
835701fde8bcd1bca77efd3122482f434cab97f5

SHA256
f4caf822f4a3547a0013c51c1478b780b08717fb0d116b766fe85069667283a0

SHA512
48a5ea007678fbdbe8a3bafbc0d65b231211a7999afce3bc1fdc7ba83f36d91cbb61c98f25fe66d47b0453fbb6c8e1a454b72470ddbc3bdaa432f3202c86ba37

Download Submit
C:\Windows\SysWOW64\Bacjdbch.exe
Filesize
163KB

MD5
92fd25b0921cec6aeed573904368761c

SHA1
91981ee4954c6d50b8480f587f62b51f2c6479da

SHA256
3a81869acb079b982e4b26da0bbacd7007f07502a7cb4e490cd69b2338b8e4c1

SHA512
d1d9bee8ee23db41f27c28459edc3dd62e42f2b26085b94f2b35b17eb3e90fe3b4d5a40204ab7e21885fa2de2f103697558d87df65e5bc14912c8ec8f63c5144

Download Submit
C:\Windows\SysWOW64\Bdmmeo32.exe
Filesize
163KB

MD5
ce889e86769a824a05effc58dbe17123

SHA1
8977bda2418d2aeb2cdda4826dfd8b687cf91fa0

SHA256
e25fa9cc23de5b83583997dd655cd96ef5378547b3b9f06e2a968c467fdc30a5

SHA512
2abf358e23a1bf6858333b9dba3abe4e4e81daf31c2dbac969fbb5c32794030bb4e8ef60eb27ab88353c6b782cb98be3438f1c8cb4b1f4a04eaacfda14ce0bd2

Download Submit
C:\Windows\SysWOW64\Bnlhncgi.exe
Filesize
163KB

MD5
ca36f13de6763b095c0f53e991ec9358

SHA1
f09b5968c63953b035b83911a7f8813cbc1c132f

SHA256
970c1bb5afcc40e751cc25b85ddf4238cea37677687b5132a47615209520d94b

SHA512
1f5e3d16884ea037b844718757c3c8588e7add732d5cce56b75190dbab5a31e1915aaf6fe546812e90233fcc4e934c7430be6669bac9dc6bf35dee10d64ac1fe

Download Submit
C:\Windows\SysWOW64\Ccblbb32.exe
Filesize
163KB

MD5
f2d9246a62636b5d58b98eedf8722b96

SHA1
494ce96d928bd9beb35e13e4689f0a32806b3d32

SHA256
e19e0b7d8c2da31b14e77597b210c6295d9140c37b7392b48844c72cb07dc2a1

SHA512
f8a771a1e667880c133b574d299c052d7ed32364c6680cb1336996060dbbb7f7f0fb2fb3acc86ab537c9d29eaaf7ae9be4cf74e6380c8b6d20cb99d75e1e1323

Download Submit
C:\Windows\SysWOW64\Cdmfllhn.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\SysWOW64\Cdmfllhn.exe
Filesize
163KB

MD5
7c23f88f2eb41b2fcda8292eaa0bc019

SHA1
cd2213e797e59f05f26d8b6978206bc917d136cb

SHA256
1d392c408c7ebf1e169ec8d4887e666b4ce81441a65e03d17c6835528e03bc7e

SHA512
effaa9f9a57a5fa32fced9b15113d534062f6f2ec871ca3f75b9030132241e485dd5292d8c499f3db90a48d8f8739423ff8824479abe4eff2f15f1794568973f

Download Submit
C:\Windows\SysWOW64\Cdpcal32.exe
Filesize
163KB

MD5
2aad605f40f211cc3ab5566eb3f5bd9b

SHA1
a82a8505764a6847cf4425f1295e28ea5da994c1

SHA256
8e244cee385b4c88248cc073626370534b72bb6fa8df719c9669fb0da9d10e4a

SHA512
0c77bb8f30c2ec264fc0b1f6c6b0a302e9c9de64e582b7fedb35b1d72dae1e4952ce850ac3ce55f7680f5dcbe5af1c2f032fde4304b7cdd2c2f014d7c663b92d

Download Submit
C:\Windows\SysWOW64\Cggimh32.exe
Filesize
163KB

MD5
87fe0ea0bad8b1cf3a507236b07279e0

SHA1
be32161e872e355872db1a43b55929077369f88c

SHA256
61e66ac7fa3c50568f4d988968f7499496d0625631575a0ccbb12ab46ad320c7

SHA512
43b0085c12ebac47d18851fc5bff31d9c472f79e7da5c40097e2302a1942739bc9543eabd9da295269566dd3fd1c3db2668559a31cd3c08b9834aac96c117f0f

Download Submit
C:\Windows\SysWOW64\Cgqlcg32.exe
Filesize
163KB

MD5
b3213eb61f68f851d631fb6688a3ca81

SHA1
46e0a4f7837310b6f33754fc08ee340fc59f9821

SHA256
7b65da748669e177cceb707f303634a8c5b8171da796d5db4dfbb9f68169dbce

SHA512
d9009081af7c2c13a0da092bf6ec76b666ff27fbf4d26b96489a3174ab471de861cb296ee74c4ec47919ce295d3cd6c101d33328ef01390219831ab325e73893

Download Submit
C:\Windows\SysWOW64\Dakikoom.exe
Filesize
163KB

MD5
69dab71917a2df58de39d55d3a438207

SHA1
2340095301d58715e54975c00df4a32f2e4b8212

SHA256
c0ebaa9750b21d42ee4738aa428c1ff23b50918160fc5c9d0f1dd824f90a9510

SHA512
59473e552d437f8939c39681c61cbad8bb410aeb0b6c1bdeba9b0dbcc92d882d6a18ba73c2b0942aed9ad7f7ef6a921f7525322eac990248f9993538f9fd2978

Download Submit
C:\Windows\SysWOW64\Dcffnbee.exe
Filesize
163KB

MD5
305fec73b6b66f4c24114fa1a64eabe1

SHA1
0015a9189f5404fb3e4416da27377f2132ae5ca0

SHA256
3be274371eff1878665d443e23214db0482d4a483e9e9b97d3aa3aa839d76798

SHA512
623e054edc7ce1d4d16da910967d612eb94c98fda9cd0d85c7715e03ad31a09be554794283bf7d79f878605f7876db0d1581d10181988f38a488f1f91cf88fd0

Download Submit
C:\Windows\SysWOW64\Ddmhhd32.exe
Filesize
163KB

MD5
2f0cb0ea9b8ad75c6cd04a0a39c40b87

SHA1
90262257dc8c449b5df60e7a8da67f2039dac6cf

SHA256
ec27f3945c4d6f17b9468d21ccad440c31a4701d44e6a7c323098792d06fa084

SHA512
3762c92e6415711d9fdfb6190672b33331bf1060ac6bf22a88d0700149f7621f6e9aca2d4dda4ae5567f893c03db7b7d369fd2f9d282ec685bb1fede5ce986b9

Download Submit
C:\Windows\SysWOW64\Dgjoif32.exe
Filesize
163KB

MD5
d96c04153d007d73f644b7ca5723f8c4

SHA1
ec1e60c0bfecb39200c13b7036982b29c0d47399

SHA256
7aeada5584387c7aa6534a403fb7709e46d1bc9f748e6709c6baaae56179a9b3

SHA512
3b6bf40491986c092d5f5488d903554c0f9ee7a6034713c12301460c21a5f35a71c64d792224b1e1cb44111eeb251aec8e6b36ee28faa201e9fb8b8aaf5b1267

Download Submit
C:\Windows\SysWOW64\Dhphmj32.exe
Filesize
163KB

MD5
0e4345a352e223cbafb879af97c31e2f

SHA1
fbe54cd10cb7964a085b19b844fddcce20ec3a7b

SHA256
51f626f4a2a5264559f6818cebbb6497f0579cbde5c7955b487c1a718e46e698

SHA512
53cd464d92519afcdf3e09f9c12b2a5b2891d678b59339ec758626d3048126f3aa7083f8c045cdd1c794e9e38838397e2e748a633bb646c93a355a9414c9469d

Download Submit
C:\Windows\SysWOW64\Dnqcfjae.exe
Filesize
163KB

MD5
c87ac5072e55cf5227f8635b32ef64f0

SHA1
0c4b9310894bd4e9b917be1767dcb3c180d47d96

SHA256
fab6cfd740cfe32720e454852f838387a1f3096a51640e414108d7b1be603700

SHA512
4ee8862c909a72a7a01a1e39ddd3128c5286e2b30fe401f9a6341b27a38af82fc7e059289fbb41a1ccee983ce4341e0ab16d260d6dacf09d9aa59cc93d95cd1c

Download Submit
C:\Windows\SysWOW64\Doccpcja.exe
Filesize
163KB

MD5
ef9d8c3e50a3388288a9f4274215be14

SHA1
dab35c8c1c192e21f3b7b54e5f578962c4d3b75e

SHA256
5ddaca372c797aaf296138d749662cd55b9aa67def7d8261dfd2266d239dfd1c

SHA512
87aec2c03a207e3a0c4ac6870b3a1cf51fb3243153e1255a1c3ac9e1a33027d3bd8dbd1fd47a9aeaeca6ff848f77cdc248be19f9f04b616ef8b41e3e1e9d2710

Download Submit
C:\Windows\SysWOW64\Egbken32.exe
Filesize
163KB

MD5
87b082e04aa2bf942aa6c6d2d0edde1e

SHA1
d86c3e5335a8547f195a819fb3e20946ae828d5f

SHA256
5ec9fcfd29b15ef482eb0219a91c7844c28ff093ae45431e509e05004c99e679

SHA512
26bda73c6def722c28e8bf2ec4ea5bf65e1ff1896d066b069daf7b35c1dc8977ea205c334edc55a9b79cb4cfcde9aa51d7c32099106f6b18760ba63903002d9a

Download Submit
C:\Windows\SysWOW64\Ehndnh32.exe
Filesize
163KB

MD5
d39e5875a2a0c4d735a42d264bd9afd6

SHA1
43a63f816c5e06fda5b004e407256a191143be2d

SHA256
344b21d8885c2f324cd40b9ae5fe80122a91de3a5106ff195d0ff1d6c595acb2

SHA512
77dc39cc9a0c9e5412616d5d41b9ddb376e67af112e33f7160da6ac8deb7c91a5b8139439e9b993ca411eb80b4e9574cade8dd515cc7bb1568f739335cef32b4

Download Submit
C:\Windows\SysWOW64\Ekqckmfb.exe
Filesize
163KB

MD5
d9436bd0d3f791b4aa1d4d63cf3f58e5

SHA1
353dfee34109cce331f6cb1de4dc3eeb1a5307ca

SHA256
c43c101cd3ea3963fcc2053e90ad8279f5d0e8b298e7995323573580f26d1c41

SHA512
eac018813a220a7e52d9cdfe6f4d1fe872a1a9bff92f50dfda984baf93ca2c34ce44c030e58995a3a0477d5bf8b22538ca420998cedb83359f559c2ec0340e55

Download Submit
C:\Windows\SysWOW64\Gaqhjggp.exe
Filesize
163KB

MD5
9b729700a2396c3b6390c652fec9da44

SHA1
bb0c0ad0a44cf448a32e57035d2051254dfbd8bb

SHA256
17c02e1bc3f5bf2ee0f3b98ab51a9adda2e258ee0c27aaa002fab1480ac49b08

SHA512
919a0283014fd74371253190688b9686e13562fba774d27d03916c188e75ed22ebe32daf0d0414b29478ed0616596bccae1e98736751828412c2d2e6e4818070

Download Submit
C:\Windows\SysWOW64\Hpfbcn32.exe
Filesize
163KB

MD5
5f16f6c57a9d86cd7a03a25dd05e26ac

SHA1
c215c227936981762b4311820613f556e6647eb1

SHA256
7bb096adcb0db9d7454124664d2a9d152f00334291771861da64ee87e79cbe04

SHA512
17f8e6936fcdc938ad6eda448e81a8c7d6a2bf83f13d53647b26d64889cd5f7f674e37b1ac84874f4fd61edfabb125dc2c7843bffe321ae411fb356a342b1667

Download Submit
C:\Windows\SysWOW64\Iialhaad.exe
Filesize
163KB

MD5
d6c55c2ee054aac1d3949cf22c6803b8

SHA1
8ad2cd7e5c8de7f4eec3991944ca1843b5afd7b6

SHA256
92e8342668ac7b02b1098b675ea4b75b09e8af222ae1ce10ee37e40dd50876c0

SHA512
935e8fff160e229bd5de097cb89b8cdca5bbfba4d823adba9a0343ea0a9db13feadcebd4741f5250ff9e25fd5ae428516e85eb0ce214acf5171fd5d37b7b7442

Download Submit
C:\Windows\SysWOW64\Jiglnf32.exe
Filesize
163KB

MD5
2e08ae7af677e8541647b5f70c95fa04

SHA1
ec39c373d018e9a2f710afc5a68bd12dc714cc26

SHA256
6aeab072af7ab9d256750d9099acd8c3c898a3576f0768beedb0747ad2f47730

SHA512
f7acc2807348adb58e963668cdcddb67c7e00bf2e041b179b28dbef4ee2b8e533dd0920a63633befeda8a67dc01bf2d33d23d5cd84677da321de4006ce093712

Download Submit
C:\Windows\SysWOW64\Jpgdai32.exe
Filesize
163KB

MD5
86191019980909b809f4adac577955ca

SHA1
82adfd4a747eb8db13d90b6c6e9e20f8294b4f32

SHA256
acabb5b20a00d4b0b367d31db652a260d6772faf9cae954f939705b4a4dba7fa

SHA512
c5c43b3d803be7eea35581f8a865fa4d2abe3c2b93504be0493f77bd260c2855af973f03a9c3fc7a475a1abb03cbc5c021744819171b2a73d363eebe6bbd02bf

Download Submit
C:\Windows\SysWOW64\Kjblje32.exe
Filesize
163KB

MD5
0937249a2773ac0aff326bd75759bbc1

SHA1
2453c3ca02587b2c2d652ae50c775ec86f389c9a

SHA256
5c6c6bf7c968ae6878d53a1c8cc2dc92775c2593ac8e24807817a6f5036d46c0

SHA512
9fd9ca4f322f8b780a5458659e95413d7db3571369c73fff6b7b073b9226c2bd768b5072f3bfde29df065c650e425da7928c61bba702c533114c5aac5e74fab4

Download Submit
C:\Windows\SysWOW64\Kjgeedch.exe
Filesize
128KB

MD5
e9ab1e6187e7bdeabde450b3608004c3

SHA1
1985c109f6a1a00e9808cd6d671be44fa76ba913

SHA256
b2aa2b3f828abc62c627625077627eb1fc1c44feea4d502e6c24b5953f0ee5f5

SHA512
3005864f150cf20a933b4073cce50b2ee6deb46f55b7d1a7b2c6df257fe2a00ce58c539d539fad135f86e8d820a4be830a479c144097a4e6a263ae26dc1d792c

Download Submit
C:\Windows\SysWOW64\Kjgeedch.exe
Filesize
163KB

MD5
572757ec7576a9e112a5c3ffb0fde2ef

SHA1
7691e309771995319421808c0884195c95ead2f7

SHA256
9db554b48d881943cda1dc97ab5ba8096240168a7d6bfc933059271967003076

SHA512
0416c08b5df1e2c61ae9a86ae539f6fd9d68c2b034512a211fc7fc5f9ab8762968b5b75abc05eecb569d6d015eba4062c2b1222ae4bd3e34506b265800675b81

Download Submit
C:\Windows\SysWOW64\Kofkbk32.exe
Filesize
163KB

MD5
31c77b84682d651ac9c9ab964e65602b

SHA1
ce9409b2b65789f06d39d93a7235f6204eb060e7

SHA256
7b817982dc2b36919937cd60f1e8b407b3d983a152a376cc8d80a4d27fd7f07a

SHA512
f8e2c3459633f600679e41e6d2f3ff48c37b3afd2fb097c8ba9d7185da0efe7369cde759e677762dbd0fac24630bc43d3243ec8212ef5146ff35995442995f71

Download Submit
C:\Windows\SysWOW64\Kpccmhdg.exe
Filesize
163KB

MD5
9dcca3bb7ac479a01cc879d725485090

SHA1
5745895769695c4eced9ce394d32655fdc187415

SHA256
fbf42ae6e38b61534b639f7fda7fd37411b8c838a31e0aecf114e97efea994cb

SHA512
7971a083fb385810f94e353a274182c7e693612dd30c4afbbc927c2c73ee60b8f1ae6ccda0d02cd362ab785fe8727b8b23cfb4f0c8aa4e43ba00c62643258983

Download Submit
C:\Windows\SysWOW64\Lchfib32.exe
Filesize
163KB

MD5
e50ecb2e0187c4df3eff361d20ed97b4

SHA1
b0486aa69169a2b868cec0c5452f38d6382cb5ea

SHA256
0e763e4eda86ef972afdcd3c1d9bef8d1f4dcdbb948241de6671a5fb2cb714f9

SHA512
787f21a79162d3a65228cee5b215498b4c70127cc6a24102e30eec459c275df0e18591fe9215ef86f009499ba54e26612788586f2b98bd430224c86600199237

Download Submit
C:\Windows\SysWOW64\Lfgipd32.exe
Filesize
163KB

MD5
3cf3b7076344a96d0cc26eee91f708c9

SHA1
b30d0a586e1d161835f59dd03c61ae89ba6e4835

SHA256
d579868c5856c97930ccb4cb0b24cffd7cfe42296328d9f8b3807affd892a2db

SHA512
411790582014a4189ef3addef9614be87735a78d9b90069a9b70b8dd101398c7ff66b8a76fb823242716475c4571905a4f3e4c367187c03d5372a9b5a518758d

Download Submit
C:\Windows\SysWOW64\Lggejg32.exe
Filesize
163KB

MD5
98e8faab66b03f64d2fe3c759a285a5c

SHA1
6c0ce8258d0303bf8ab82257e135752efefdacc8

SHA256
b3ac1ca54c0dc636024cec4dc7f32b7a341d741b7a7adf4cb662d2463beb6a28

SHA512
1aea47e6684367b24d1ed145c1f73bdedb095927435ac0c123ed2a9854d39422cf67bcd1b5c4bfaf34f27d0b873ea3579690208abb7e3b8c699e84956f3a1822

Download Submit
C:\Windows\SysWOW64\Llmhaold.exe
Filesize
163KB

MD5
8366e3709db3babad798b8210d6104f2

SHA1
26a1efe3f65e7280cfca499f555cdfa1f9d8cb38

SHA256
96b049b845e9369770f61b881f8d5f514b06578c93d41374d0899e541731ac52

SHA512
b4106a0f8a6d3339de8fc13a82873338ee4958e48402b23a9d39318c642a6700c96162bfaaa379c42bd3c5bde49bc3577f685aaafabb5ffbbcf4fa60c957ef13

Download Submit
C:\Windows\SysWOW64\Lpgmhg32.exe
Filesize
163KB

MD5
7d4576e74f5016f0a6dd414e11fa6105

SHA1
9c2c798a907da3e6448ef9602989da3d7a9d4205

SHA256
b74d69fd403acef585ca913bb2ff05710ed6ac3c8bc571140ab60fa22fc86253

SHA512
619f029e0b27c64771a4d4876fb919dc7580d1db78d4ac80d501b2673131c375c6c544c500cff384c74a9d44180c8b64e41ba91ee6c143dec20b182ec4d82d9b

Download Submit
C:\Windows\SysWOW64\Mfchlbfd.exe
Filesize
163KB

MD5
df61adb53812bedb5dd40f28fffb76c8

SHA1
fe80e8c5643e68a9465bce514c91beb84e0023a8

SHA256
0f9ea495633ba95eac02a2760b57dbf2d12a0de9e8a4db088380746e62aff6f1

SHA512
5b4c7afaf4c4163532669ed943687e6125d7925926f176cc14af53eabb425e84412d8447fe22d0b46eae91d90efa3762432af65a78e6857b4a18678a3a37149e

Download Submit
C:\Windows\SysWOW64\Mjjkaabc.exe
Filesize
163KB

MD5
f7735c94b5379c92a0f054a3a7af82e2

SHA1
43a5f49b6356ba75ae009bdeb9e573fa6da0c90a

SHA256
8163110829fcb80270e15a042c1a1322216db9900549fbda45ae2b64a12d63b6

SHA512
c373b47f4c11b38b13d9b99b6fa55be4cab88ca834c24d4488367a5e46936b1bc6b64faeb00c3e082aa288b2faf534cdfe61b7c1ff70d6a5718b9a3a1ded72b9

Download Submit
C:\Windows\SysWOW64\Njjdho32.exe
Filesize
163KB

MD5
0995208cf30d45ea5d8f1351c3791458

SHA1
6cd79fdfcb9c96b4a93db10dc17efad2d1fc7894

SHA256
6a324bd1d01b12ca3bec0897af01527126abf1aeec041280bf6cdbc64bcd5281

SHA512
5427bca42d4692e1c15bc90d25022d683a7057ab4e0e982fc3dab2e26a28c391198689cf4a2fec52210a56e9171ac351bd26f12015c587843d463ad1bdca46ae

Download Submit
C:\Windows\SysWOW64\Nnojho32.exe
Filesize
163KB

MD5
0543a7f809f964ce802f8f2b61b41b11

SHA1
1efefebfe7d6c0fc1cf5baf962099c6aa4906ef2

SHA256
dfb8d5be19c0da3c748820ac0666698f72f4ee61ea34b2f771ccef1bbf682188

SHA512
5d9e3a82171414af77b8c970933fb57c4a937e8a7835ce5437f3af7f80fb1d8117e19829e25f0a5c380871a770454b1dfafe1cbd954b3f1e992adf839a20eba9

Download Submit
C:\Windows\SysWOW64\Noppeaed.exe
Filesize
163KB

MD5
528c500849da987da4bd98e8fb45a47b

SHA1
2b78b6189bce8f502e392b1c0b8ff17f6dc683dc

SHA256
728236c01f36c65aa5ff75844dd2aebd3f1c095699a43e504c92e2be2cf220da

SHA512
e88e04613e4e1cb32da2ae3aa17ae223bdf9ee4e3376adf88bab50ed39d6f9389d08b8d876821146b7844cb7bc6abb49e94551ca126fb1a664444e851da5c865

Download Submit
C:\Windows\SysWOW64\Npbceggm.exe
Filesize
163KB

MD5
f08a405a029dae4cb96975a4c727e984

SHA1
ba75c15f23dc52c701ee47ad4d6e034654830686

SHA256
5afaf1e86654b5e7eb11480939f248e9ee7cf703e1e896ef83a43702d38deab7

SHA512
06405b35f78caa8e976b702cab9e65988959e763d528f61a9f19210a1949126b0bf343a39984caf046458ec7198f2f26b0bbd5ef1f11459734d34354502be49a

Download Submit
C:\Windows\SysWOW64\Ofmdio32.exe
Filesize
163KB

MD5
b706a727c62c0a2fd91df0bc2a28bc87

SHA1
e97e35c3ab991d262df13541867927827e22bd15

SHA256
9afbc89176f1ad50f626f2a93f979c7407252fe0156f9fd4480689a285ea8082

SHA512
17982f46eacba487cbf7368912b00a1fb60883953589f7f256707f4a578611a0c32f36de46148cc6e57d82937148afc5d6c6e3b497ce063407053d00ed5bc235

Download Submit
C:\Windows\SysWOW64\Oghghb32.exe
Filesize
163KB

MD5
5ad52ff684173e140485e9abc0429084

SHA1
1ec89823e90571f9394526f00901a51d10e07d94

SHA256
09f24dee5d339be631dc6ec37a47d867dc9c16b6e9663413597a34e5a4b5491e

SHA512
08e6275ffa1921805b5e0a94c370565a9289a694f3c02df3e8cc8a9aa0c063f972f7443415b4705ff91cffac11b5baabb1aea2720671c103ce618b020de8cb3e

Download Submit
C:\Windows\SysWOW64\Ojajin32.exe
Filesize
163KB

MD5
ce6706df75c35089c0a90a0e23bab98f

SHA1
3375b41fdaef4d3473559415e1142ec1d75ce069

SHA256
bb451d036c715435e76ba099b95f835df3fcefed1c99879ec7ccbed4f90a8aeb

SHA512
baa706462ca90a15aedc748ae5983705374f4df7894414e80ca8bcd83c3aaa1c418c768dd0991d96061b09b3448a9201da9618495dba79e69472c60aa514e124

Download Submit
C:\Windows\SysWOW64\Paiogf32.exe
Filesize
163KB

MD5
058923a9d03dd6d4a48058b7ff9028ce

SHA1
183eea6e7e4ee88e9742e9c1ccfbf0357f48fb94

SHA256
4e6430d2333dc764091dc937896bdeb6f142810aab6c22dc1f8d923e9604f7c2

SHA512
7bcba1f06d8782cc5c91e741c35bf71f37eea177784b342e8768e29d1577e1a17171b5f3e185b5cfb7acf6d17f7410fdb67fbe1deeb2dcc4b983f5628addd539

Download Submit
C:\Windows\SysWOW64\Pbcncibp.exe
Filesize
163KB

MD5
fd78a71795193f48a6a727b2ccd82c16

SHA1
25359f7fb2f2ba7a0c065f0d50d3ca5aae747fbe

SHA256
28c8719de1ca58d286ffa44f4f80bade95e4f275d1576761c9ff994bb27da04f

SHA512
f4e0379053ca46c4ca50ca276a899bde1a0b726b4e4aaddaded469dcca6d2fe457c4e8330aacad3cd5e157f0d2d368fdafef6f9dd5794e4ae7e5eca066e58f1b

Download Submit
C:\Windows\SysWOW64\Pjdpelnc.exe
Filesize
163KB

MD5
6d7e6d33afd583f8847ac172b43aa325

SHA1
00912836cd00ea0304d9270524a8869f67ecd048

SHA256
02fedaa9bc47e300d83df5c6649db5c9d9e2346c3ce025b3972be7ee922b9aba

SHA512
45f85aaf1f5211fac5ef67a1859eb0a843c7a142a6679dcc049fc90b2d4b5d10f4ca9629bbfcfc1856e13216d753159dc26dc919e12bffeb47c2427d9f2dccf4

Download Submit
C:\Windows\SysWOW64\Pjkmomfn.exe
Filesize
163KB

MD5
94013dc35c993cfad1446a064b9db597

SHA1
c0439d07e4de3514a55e4ef17ad63a11674e4234

SHA256
8a00df9748a54feb3feda6730a7935ae6535c23623a7e622dd44f73ca21c35c9

SHA512
b40367960bcd9a2c52814716d3d7d813ab93df0bce68441fd782339743d543f94bff607f38e9c2f35c292a096e431adc324223ff6ce7dafc8375667754b23426

Download Submit
C:\Windows\SysWOW64\Qpcecb32.exe
Filesize
163KB

MD5
bce7e369ae812e7c3d92a60109de8190

SHA1
e909bbcf8d28e7d4ddc1180190129045c35eafe6

SHA256
7bbf3a38851a0edb26ad254fff724754e1b02957a8501b81b2733e124e2599fd

SHA512
e7dc0c876849df2e62a07e45069893ce7d3d935078986dc205b9fd8a18c0f9ed0efdb21032192932e24ae3d20e9a9c53a48e440b1ffd7b9b2892a122748dde72

Download Submit
memory/380-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/380-543-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/380-0-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/416-270-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/456-378-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/568-218-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/616-390-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/660-40-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/660-594-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/720-178-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/976-1022-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/976-516-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1056-1011-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1056-552-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1248-448-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1332-318-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1360-138-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1364-525-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1436-258-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1444-234-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1468-145-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1476-324-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1492-276-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1524-466-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1524-1038-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1620-161-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1652-376-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1688-97-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1692-80-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1956-56-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1956-608-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1964-105-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1988-24-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1988-579-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2084-282-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2108-537-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2128-510-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2152-186-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2156-202-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2168-113-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2188-558-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2248-336-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2248-1079-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2268-241-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2308-154-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2336-169-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2348-491-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2472-623-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2472-72-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2648-426-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2652-312-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2680-572-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2680-16-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2876-531-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2944-121-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3032-1056-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3032-407-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3100-1081-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3100-330-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3424-401-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3472-288-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3560-497-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3572-1114-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3572-226-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3708-33-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3708-586-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3756-484-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3888-354-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4088-472-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4184-366-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4212-348-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4296-388-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4296-1064-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4312-130-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4380-601-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4380-48-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4408-360-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4456-439-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4560-463-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4564-8-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4564-564-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4576-416-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4592-1089-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4592-310-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4620-264-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4636-508-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4668-209-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4684-544-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4700-452-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4728-1047-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4728-437-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4836-294-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4840-300-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4940-90-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5008-193-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5012-342-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5020-250-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5020-1101-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5072-64-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5072-616-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5128-565-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5168-961-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5216-580-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5264-587-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5352-602-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5404-609-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5448-617-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5500-624-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5544-990-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5664-947-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5952-972-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download