1c2498b65b92c745e0263169cb4d701032bf5595d0f3c21a712e11075dbbe358

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
21-05-2024 19:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1c2498b65b92c745e0263169cb4d701032bf5595d0f3c21a712e11075dbbe358.exe
Size

55KB
MD5

8cae5459af7c63525ee35d6577199267
SHA1

4fbd92a0283ab220cf704b79d4ab6a44ff7f10e0
SHA256

1c2498b65b92c745e0263169cb4d701032bf5595d0f3c21a712e11075dbbe358
SHA512

2a70fec2d558c6fa2225c5b44dc84e89aaf3b1c2c16bf3f358099b48a6e853a9a736954decf49e81dc97955786071d1198e82dbd05b6e0d7caf91b819a046d61
SSDEEP

1536:PV3EOiKCEBqpKbfsiP7G575USIpS8J3/Kp2Lp:PV3EjEBsKbUiP7ayVp

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Jiphkm32.exeJaimbj32.exeJdjfcecp.exeKcifkp32.exeMjjmog32.exeJbkjjblm.exeJbocea32.exeKgphpo32.exeJmbklj32.exeLdaeka32.exeLcdegnep.exeMajopeii.exeMjhqjg32.exeMglack32.exeKaemnhla.exeKajfig32.exeLcmofolg.exeLnepih32.exeMpkbebbf.exeLpocjdld.exeLkdggmlj.exeJdemhe32.exeJbhmdbnp.exeLiggbi32.exeLphfpbdi.exeLknjmkdo.exeMnocof32.exeNcgkcl32.exeNbhkac32.exeJidbflcj.exeLalcng32.exeNjacpf32.exeJagqlj32.exeKpccnefa.exeKilhgk32.exeKagichjo.exeNjljefql.exeNnolfdcn.exeJpaghf32.exeKacphh32.exeKknafn32.exeLaciofpa.exeNjogjfoj.exeJjpeepnb.exeJkdnpo32.exeLaalifad.exeNacbfdao.exe1c2498b65b92c745e0263169cb4d701032bf5595d0f3c21a712e11075dbbe358.exeMjqjih32.exeMpdelajl.exeNklfoi32.exeJaljgidl.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jiphkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaimbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdjfcecp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcifkp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbkjjblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbocea32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgphpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmbklj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbocea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kaemnhla.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnepih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpocjdld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcmofolg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdemhe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbhmdbnp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdjfcecp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmbklj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgphpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liggbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kajfig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jidbflcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lalcng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jagqlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpccnefa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kilhgk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpaghf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kacphh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laciofpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjpeepnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jkdnpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kagichjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laalifad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	1c2498b65b92c745e0263169cb4d701032bf5595d0f3c21a712e11075dbbe358.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jiphkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaljgidl.exe

Executes dropped EXE 64 IoCs

Processes:

Jbfpobpb.exeJiphkm32.exeJagqlj32.exeJdemhe32.exeJbhmdbnp.exeJjpeepnb.exeJaimbj32.exeJbkjjblm.exeJjbako32.exeJidbflcj.exeJaljgidl.exeJdjfcecp.exeJkdnpo32.exeJmbklj32.exeJpaghf32.exeJbocea32.exeJkfkfohj.exeKmegbjgn.exeKpccnefa.exeKbapjafe.exeKilhgk32.exeKacphh32.exeKgphpo32.exeKinemkko.exeKaemnhla.exeKbfiep32.exeKknafn32.exeKmlnbi32.exeKagichjo.exeKcifkp32.exeKkpnlm32.exeKajfig32.exeKdhbec32.exeKckbqpnj.exeKkbkamnl.exeLalcng32.exeLpocjdld.exeLcmofolg.exeLkdggmlj.exeLiggbi32.exeLaopdgcg.exeLdmlpbbj.exeLgkhlnbn.exeLnepih32.exeLaalifad.exeLpcmec32.exeLcbiao32.exeLkiqbl32.exeLnhmng32.exeLaciofpa.exeLdaeka32.exeLcdegnep.exeLklnhlfb.exeLaefdf32.exeLphfpbdi.exeLcgblncm.exeLknjmkdo.exeMjqjih32.exeMpkbebbf.exeMciobn32.exeMkpgck32.exeMnocof32.exeMajopeii.exeMcklgm32.exe

pid	process
3588	Jbfpobpb.exe
4844	Jiphkm32.exe
4364	Jagqlj32.exe
1772	Jdemhe32.exe
2652	Jbhmdbnp.exe
4752	Jjpeepnb.exe
2328	Jaimbj32.exe
3520	Jbkjjblm.exe
4572	Jjbako32.exe
2372	Jidbflcj.exe
4064	Jaljgidl.exe
3556	Jdjfcecp.exe
2556	Jkdnpo32.exe
3784	Jmbklj32.exe
2808	Jpaghf32.exe
1536	Jbocea32.exe
1360	Jkfkfohj.exe
2400	Kmegbjgn.exe
4592	Kpccnefa.exe
5092	Kbapjafe.exe
1212	Kilhgk32.exe
4992	Kacphh32.exe
1888	Kgphpo32.exe
3208	Kinemkko.exe
3860	Kaemnhla.exe
4880	Kbfiep32.exe
4336	Kknafn32.exe
2164	Kmlnbi32.exe
4732	Kagichjo.exe
224	Kcifkp32.exe
1808	Kkpnlm32.exe
336	Kajfig32.exe
1160	Kdhbec32.exe
316	Kckbqpnj.exe
1164	Kkbkamnl.exe
2868	Lalcng32.exe
5064	Lpocjdld.exe
5016	Lcmofolg.exe
2116	Lkdggmlj.exe
776	Liggbi32.exe
2008	Laopdgcg.exe
4512	Ldmlpbbj.exe
1408	Lgkhlnbn.exe
2668	Lnepih32.exe
3372	Laalifad.exe
2896	Lpcmec32.exe
880	Lcbiao32.exe
4468	Lkiqbl32.exe
2620	Lnhmng32.exe
1660	Laciofpa.exe
3924	Ldaeka32.exe
1992	Lcdegnep.exe
4168	Lklnhlfb.exe
3216	Laefdf32.exe
1700	Lphfpbdi.exe
1912	Lcgblncm.exe
1968	Lknjmkdo.exe
4560	Mjqjih32.exe
4740	Mpkbebbf.exe
3900	Mciobn32.exe
4688	Mkpgck32.exe
1864	Mnocof32.exe
4276	Majopeii.exe
384	Mcklgm32.exe

Drops file in System32 directory 64 IoCs

Processes:

Mpkbebbf.exeMkpgck32.exeNdbnboqb.exeNnolfdcn.exeLklnhlfb.exeLcgblncm.exeLkdggmlj.exeLaalifad.exeMnocof32.exeNjogjfoj.exeKbapjafe.exeKkpnlm32.exeLcdegnep.exeMpolqa32.exeJdjfcecp.exeLcmofolg.exeLdmlpbbj.exeLaciofpa.exeMciobn32.exeMkbchk32.exeJmbklj32.exeJkfkfohj.exeNklfoi32.exeLnhmng32.exeMdmegp32.exeJagqlj32.exeKgphpo32.exeNqiogp32.exeLnepih32.exeLcbiao32.exeJbocea32.exeMajopeii.exeMjqjih32.exeMjhqjg32.exeKilhgk32.exeKbfiep32.exeMjjmog32.exeLaefdf32.exeLalcng32.exeLkiqbl32.exeNjljefql.exeJjbako32.exeJpaghf32.exeNcgkcl32.exeKmlnbi32.exeKkbkamnl.exeLaopdgcg.exeJaljgidl.exeKckbqpnj.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Mciobn32.exe	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Mnocof32.exe	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Oedbld32.dll	Mkpgck32.exe
File opened for modification	C:\Windows\SysWOW64\Nklfoi32.exe	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Opbnic32.dll	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Ebaqkk32.dll	Lklnhlfb.exe
File created	C:\Windows\SysWOW64\Jnngob32.dll	Lcgblncm.exe
File opened for modification	C:\Windows\SysWOW64\Liggbi32.exe	Lkdggmlj.exe
File created	C:\Windows\SysWOW64\Baefid32.dll	Laalifad.exe
File created	C:\Windows\SysWOW64\Lnohlokp.dll	Mnocof32.exe
File created	C:\Windows\SysWOW64\Nqiogp32.exe	Njogjfoj.exe
File opened for modification	C:\Windows\SysWOW64\Kilhgk32.exe	Kbapjafe.exe
File created	C:\Windows\SysWOW64\Kajfig32.exe	Kkpnlm32.exe
File created	C:\Windows\SysWOW64\Bheenp32.dll	Lcdegnep.exe
File created	C:\Windows\SysWOW64\Cnacjn32.dll	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Jkdnpo32.exe	Jdjfcecp.exe
File created	C:\Windows\SysWOW64\Qgejif32.dll	Lcmofolg.exe
File opened for modification	C:\Windows\SysWOW64\Lgkhlnbn.exe	Ldmlpbbj.exe
File created	C:\Windows\SysWOW64\Ckegia32.dll	Laciofpa.exe
File created	C:\Windows\SysWOW64\Jfbhfihj.dll	Mciobn32.exe
File opened for modification	C:\Windows\SysWOW64\Mnapdf32.exe	Mkbchk32.exe
File opened for modification	C:\Windows\SysWOW64\Mgidml32.exe	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Nklfoi32.exe	Ndbnboqb.exe
File opened for modification	C:\Windows\SysWOW64\Jpaghf32.exe	Jmbklj32.exe
File opened for modification	C:\Windows\SysWOW64\Kmegbjgn.exe	Jkfkfohj.exe
File created	C:\Windows\SysWOW64\Njogjfoj.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Liggbi32.exe	Lkdggmlj.exe
File opened for modification	C:\Windows\SysWOW64\Laciofpa.exe	Lnhmng32.exe
File opened for modification	C:\Windows\SysWOW64\Mglack32.exe	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Pponmema.dll	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Jdemhe32.exe	Jagqlj32.exe
File created	C:\Windows\SysWOW64\Bdiihjon.dll	Kgphpo32.exe
File opened for modification	C:\Windows\SysWOW64\Ncgkcl32.exe	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Laalifad.exe	Lnepih32.exe
File created	C:\Windows\SysWOW64\Lfcbokki.dll	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Ekiidlll.dll	Lcbiao32.exe
File created	C:\Windows\SysWOW64\Eilljncf.dll	Jbocea32.exe
File created	C:\Windows\SysWOW64\Epmjjbbj.dll	Majopeii.exe
File opened for modification	C:\Windows\SysWOW64\Mpkbebbf.exe	Mjqjih32.exe
File created	C:\Windows\SysWOW64\Pbcfgejn.dll	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Kacphh32.exe	Kilhgk32.exe
File opened for modification	C:\Windows\SysWOW64\Kknafn32.exe	Kbfiep32.exe
File opened for modification	C:\Windows\SysWOW64\Lklnhlfb.exe	Lcdegnep.exe
File created	C:\Windows\SysWOW64\Gbbkdl32.dll	Mjjmog32.exe
File opened for modification	C:\Windows\SysWOW64\Lphfpbdi.exe	Laefdf32.exe
File opened for modification	C:\Windows\SysWOW64\Mciobn32.exe	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Mnapdf32.exe	Mkbchk32.exe
File opened for modification	C:\Windows\SysWOW64\Njogjfoj.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Jchbak32.dll	Lalcng32.exe
File created	C:\Windows\SysWOW64\Ndclfb32.dll	Ldmlpbbj.exe
File opened for modification	C:\Windows\SysWOW64\Lnhmng32.exe	Lkiqbl32.exe
File opened for modification	C:\Windows\SysWOW64\Nacbfdao.exe	Njljefql.exe
File created	C:\Windows\SysWOW64\Jidbflcj.exe	Jjbako32.exe
File created	C:\Windows\SysWOW64\Jbocea32.exe	Jpaghf32.exe
File created	C:\Windows\SysWOW64\Njacpf32.exe	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Honcnp32.dll	Jjbako32.exe
File created	C:\Windows\SysWOW64\Kagichjo.exe	Kmlnbi32.exe
File opened for modification	C:\Windows\SysWOW64\Lalcng32.exe	Kkbkamnl.exe
File created	C:\Windows\SysWOW64\Ldmlpbbj.exe	Laopdgcg.exe
File created	C:\Windows\SysWOW64\Mdemcacc.dll	Lnepih32.exe
File created	C:\Windows\SysWOW64\Laciofpa.exe	Lnhmng32.exe
File created	C:\Windows\SysWOW64\Mgidml32.exe	Mpolqa32.exe
File opened for modification	C:\Windows\SysWOW64\Jdjfcecp.exe	Jaljgidl.exe
File created	C:\Windows\SysWOW64\Kkbkamnl.exe	Kckbqpnj.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4268 1048 WerFault.exe Nkcmohbg.exe

pid	pid_target	process	target process
4268	1048	WerFault.exe	Nkcmohbg.exe

Modifies registry class 64 IoCs

Processes:

Kgphpo32.exeJbhmdbnp.exeJidbflcj.exeKbfiep32.exeLdaeka32.exeNbhkac32.exeLknjmkdo.exeMdmegp32.exeLcbiao32.exeLaefdf32.exeMkbchk32.exeNkqpjidj.exeMnocof32.exeMpdelajl.exeNnolfdcn.exeKmlnbi32.exeLiggbi32.exeLcdegnep.exeKkpnlm32.exeJmbklj32.exeKagichjo.exeLdmlpbbj.exeMjjmog32.exeNacbfdao.exeNjacpf32.exeJagqlj32.exeKajfig32.exeLkdggmlj.exeLaciofpa.exeLklnhlfb.exeJkfkfohj.exeMcklgm32.exeKpccnefa.exeKacphh32.exeMpkbebbf.exeJbocea32.exeKknafn32.exeNjljefql.exeNdbnboqb.exe1c2498b65b92c745e0263169cb4d701032bf5595d0f3c21a712e11075dbbe358.exeKcifkp32.exeLalcng32.exeLgkhlnbn.exeLcgblncm.exeJbfpobpb.exeJdemhe32.exeKckbqpnj.exeLpcmec32.exeJaimbj32.exeNdidbn32.exeKilhgk32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdiihjon.dll"	Kgphpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbhmdbnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihaoimoh.dll"	Kbfiep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkckjila.dll"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekiidlll.dll"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgphpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnocof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmlnbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbhnnj32.dll"	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jmbklj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghiqbiae.dll"	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipkobd32.dll"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jagqlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kajfig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laciofpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qdhoohmo.dll"	Jbhmdbnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qekdppan.dll"	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jkfkfohj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmmcfa32.dll"	Kpccnefa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kacphh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqffnmfa.dll"	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcgqhjop.dll"	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lifenaok.dll"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jbocea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kknafn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibjjh32.dll"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	1c2498b65b92c745e0263169cb4d701032bf5595d0f3c21a712e11075dbbe358.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeecjqkd.dll"	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jchbak32.dll"	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	1c2498b65b92c745e0263169cb4d701032bf5595d0f3c21a712e11075dbbe358.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbfpobpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdkind32.dll"	Jbfpobpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jdemhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcdihi32.dll"	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jaimbj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblgaie.dll"	Kilhgk32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

1c2498b65b92c745e0263169cb4d701032bf5595d0f3c21a712e11075dbbe358.exeJbfpobpb.exeJiphkm32.exeJagqlj32.exeJdemhe32.exeJbhmdbnp.exeJjpeepnb.exeJaimbj32.exeJbkjjblm.exeJjbako32.exeJidbflcj.exeJaljgidl.exeJdjfcecp.exeJkdnpo32.exeJmbklj32.exeJpaghf32.exeJbocea32.exeJkfkfohj.exeKmegbjgn.exeKpccnefa.exeKbapjafe.exeKilhgk32.exe

description	pid	process	target process
PID 4528 wrote to memory of 3588	4528	1c2498b65b92c745e0263169cb4d701032bf5595d0f3c21a712e11075dbbe358.exe	Jbfpobpb.exe
PID 4528 wrote to memory of 3588	4528	1c2498b65b92c745e0263169cb4d701032bf5595d0f3c21a712e11075dbbe358.exe	Jbfpobpb.exe
PID 4528 wrote to memory of 3588	4528	1c2498b65b92c745e0263169cb4d701032bf5595d0f3c21a712e11075dbbe358.exe	Jbfpobpb.exe
PID 3588 wrote to memory of 4844	3588	Jbfpobpb.exe	Jiphkm32.exe
PID 3588 wrote to memory of 4844	3588	Jbfpobpb.exe	Jiphkm32.exe
PID 3588 wrote to memory of 4844	3588	Jbfpobpb.exe	Jiphkm32.exe
PID 4844 wrote to memory of 4364	4844	Jiphkm32.exe	Jagqlj32.exe
PID 4844 wrote to memory of 4364	4844	Jiphkm32.exe	Jagqlj32.exe
PID 4844 wrote to memory of 4364	4844	Jiphkm32.exe	Jagqlj32.exe
PID 4364 wrote to memory of 1772	4364	Jagqlj32.exe	Jdemhe32.exe
PID 4364 wrote to memory of 1772	4364	Jagqlj32.exe	Jdemhe32.exe
PID 4364 wrote to memory of 1772	4364	Jagqlj32.exe	Jdemhe32.exe
PID 1772 wrote to memory of 2652	1772	Jdemhe32.exe	Jbhmdbnp.exe
PID 1772 wrote to memory of 2652	1772	Jdemhe32.exe	Jbhmdbnp.exe
PID 1772 wrote to memory of 2652	1772	Jdemhe32.exe	Jbhmdbnp.exe
PID 2652 wrote to memory of 4752	2652	Jbhmdbnp.exe	Jjpeepnb.exe
PID 2652 wrote to memory of 4752	2652	Jbhmdbnp.exe	Jjpeepnb.exe
PID 2652 wrote to memory of 4752	2652	Jbhmdbnp.exe	Jjpeepnb.exe
PID 4752 wrote to memory of 2328	4752	Jjpeepnb.exe	Jaimbj32.exe
PID 4752 wrote to memory of 2328	4752	Jjpeepnb.exe	Jaimbj32.exe
PID 4752 wrote to memory of 2328	4752	Jjpeepnb.exe	Jaimbj32.exe
PID 2328 wrote to memory of 3520	2328	Jaimbj32.exe	Jbkjjblm.exe
PID 2328 wrote to memory of 3520	2328	Jaimbj32.exe	Jbkjjblm.exe
PID 2328 wrote to memory of 3520	2328	Jaimbj32.exe	Jbkjjblm.exe
PID 3520 wrote to memory of 4572	3520	Jbkjjblm.exe	Jjbako32.exe
PID 3520 wrote to memory of 4572	3520	Jbkjjblm.exe	Jjbako32.exe
PID 3520 wrote to memory of 4572	3520	Jbkjjblm.exe	Jjbako32.exe
PID 4572 wrote to memory of 2372	4572	Jjbako32.exe	Jidbflcj.exe
PID 4572 wrote to memory of 2372	4572	Jjbako32.exe	Jidbflcj.exe
PID 4572 wrote to memory of 2372	4572	Jjbako32.exe	Jidbflcj.exe
PID 2372 wrote to memory of 4064	2372	Jidbflcj.exe	Jaljgidl.exe
PID 2372 wrote to memory of 4064	2372	Jidbflcj.exe	Jaljgidl.exe
PID 2372 wrote to memory of 4064	2372	Jidbflcj.exe	Jaljgidl.exe
PID 4064 wrote to memory of 3556	4064	Jaljgidl.exe	Jdjfcecp.exe
PID 4064 wrote to memory of 3556	4064	Jaljgidl.exe	Jdjfcecp.exe
PID 4064 wrote to memory of 3556	4064	Jaljgidl.exe	Jdjfcecp.exe
PID 3556 wrote to memory of 2556	3556	Jdjfcecp.exe	Jkdnpo32.exe
PID 3556 wrote to memory of 2556	3556	Jdjfcecp.exe	Jkdnpo32.exe
PID 3556 wrote to memory of 2556	3556	Jdjfcecp.exe	Jkdnpo32.exe
PID 2556 wrote to memory of 3784	2556	Jkdnpo32.exe	Jmbklj32.exe
PID 2556 wrote to memory of 3784	2556	Jkdnpo32.exe	Jmbklj32.exe
PID 2556 wrote to memory of 3784	2556	Jkdnpo32.exe	Jmbklj32.exe
PID 3784 wrote to memory of 2808	3784	Jmbklj32.exe	Jpaghf32.exe
PID 3784 wrote to memory of 2808	3784	Jmbklj32.exe	Jpaghf32.exe
PID 3784 wrote to memory of 2808	3784	Jmbklj32.exe	Jpaghf32.exe
PID 2808 wrote to memory of 1536	2808	Jpaghf32.exe	Jbocea32.exe
PID 2808 wrote to memory of 1536	2808	Jpaghf32.exe	Jbocea32.exe
PID 2808 wrote to memory of 1536	2808	Jpaghf32.exe	Jbocea32.exe
PID 1536 wrote to memory of 1360	1536	Jbocea32.exe	Jkfkfohj.exe
PID 1536 wrote to memory of 1360	1536	Jbocea32.exe	Jkfkfohj.exe
PID 1536 wrote to memory of 1360	1536	Jbocea32.exe	Jkfkfohj.exe
PID 1360 wrote to memory of 2400	1360	Jkfkfohj.exe	Kmegbjgn.exe
PID 1360 wrote to memory of 2400	1360	Jkfkfohj.exe	Kmegbjgn.exe
PID 1360 wrote to memory of 2400	1360	Jkfkfohj.exe	Kmegbjgn.exe
PID 2400 wrote to memory of 4592	2400	Kmegbjgn.exe	Kpccnefa.exe
PID 2400 wrote to memory of 4592	2400	Kmegbjgn.exe	Kpccnefa.exe
PID 2400 wrote to memory of 4592	2400	Kmegbjgn.exe	Kpccnefa.exe
PID 4592 wrote to memory of 5092	4592	Kpccnefa.exe	Kbapjafe.exe
PID 4592 wrote to memory of 5092	4592	Kpccnefa.exe	Kbapjafe.exe
PID 4592 wrote to memory of 5092	4592	Kpccnefa.exe	Kbapjafe.exe
PID 5092 wrote to memory of 1212	5092	Kbapjafe.exe	Kilhgk32.exe
PID 5092 wrote to memory of 1212	5092	Kbapjafe.exe	Kilhgk32.exe
PID 5092 wrote to memory of 1212	5092	Kbapjafe.exe	Kilhgk32.exe
PID 1212 wrote to memory of 4992	1212	Kilhgk32.exe	Kacphh32.exe

C:\Users\Admin\AppData\Local\Temp\1c2498b65b92c745e0263169cb4d701032bf5595d0f3c21a712e11075dbbe358.exe
"C:\Users\Admin\AppData\Local\Temp\1c2498b65b92c745e0263169cb4d701032bf5595d0f3c21a712e11075dbbe358.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4528

C:\Windows\SysWOW64\Jbfpobpb.exe
C:\Windows\system32\Jbfpobpb.exe
2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3588

C:\Windows\SysWOW64\Jiphkm32.exe
C:\Windows\system32\Jiphkm32.exe
3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4844

C:\Windows\SysWOW64\Jagqlj32.exe
C:\Windows\system32\Jagqlj32.exe
4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4364

C:\Windows\SysWOW64\Jdemhe32.exe
C:\Windows\system32\Jdemhe32.exe
5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1772

C:\Windows\SysWOW64\Jbhmdbnp.exe
C:\Windows\system32\Jbhmdbnp.exe
6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2652

C:\Windows\SysWOW64\Jjpeepnb.exe
C:\Windows\system32\Jjpeepnb.exe
7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4752

C:\Windows\SysWOW64\Jaimbj32.exe
C:\Windows\system32\Jaimbj32.exe
8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2328

C:\Windows\SysWOW64\Jbkjjblm.exe
C:\Windows\system32\Jbkjjblm.exe
9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3520

C:\Windows\SysWOW64\Jjbako32.exe
C:\Windows\system32\Jjbako32.exe
10⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4572

C:\Windows\SysWOW64\Jidbflcj.exe
C:\Windows\system32\Jidbflcj.exe
11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2372

C:\Windows\SysWOW64\Jaljgidl.exe
C:\Windows\system32\Jaljgidl.exe
12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4064

C:\Windows\SysWOW64\Jdjfcecp.exe
C:\Windows\system32\Jdjfcecp.exe
13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3556

C:\Windows\SysWOW64\Jkdnpo32.exe
C:\Windows\system32\Jkdnpo32.exe
14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2556

C:\Windows\SysWOW64\Jmbklj32.exe
C:\Windows\system32\Jmbklj32.exe
15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3784

C:\Windows\SysWOW64\Jpaghf32.exe
C:\Windows\system32\Jpaghf32.exe
16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2808

C:\Windows\SysWOW64\Jbocea32.exe
C:\Windows\system32\Jbocea32.exe
17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1536

C:\Windows\SysWOW64\Jkfkfohj.exe
C:\Windows\system32\Jkfkfohj.exe
18⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1360

C:\Windows\SysWOW64\Kmegbjgn.exe
C:\Windows\system32\Kmegbjgn.exe
19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2400

C:\Windows\SysWOW64\Kpccnefa.exe
C:\Windows\system32\Kpccnefa.exe
20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4592

C:\Windows\SysWOW64\Kbapjafe.exe
C:\Windows\system32\Kbapjafe.exe
21⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5092

C:\Windows\SysWOW64\Kilhgk32.exe
C:\Windows\system32\Kilhgk32.exe
22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1212

C:\Windows\SysWOW64\Kacphh32.exe
C:\Windows\system32\Kacphh32.exe
23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4992

C:\Windows\SysWOW64\Kgphpo32.exe
C:\Windows\system32\Kgphpo32.exe
24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1888

C:\Windows\SysWOW64\Kinemkko.exe
C:\Windows\system32\Kinemkko.exe
25⤵
- Executes dropped EXE
PID:3208

C:\Windows\SysWOW64\Kaemnhla.exe
C:\Windows\system32\Kaemnhla.exe
26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3860

C:\Windows\SysWOW64\Kbfiep32.exe
C:\Windows\system32\Kbfiep32.exe
27⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4880

C:\Windows\SysWOW64\Kknafn32.exe
C:\Windows\system32\Kknafn32.exe
28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4336

C:\Windows\SysWOW64\Kmlnbi32.exe
C:\Windows\system32\Kmlnbi32.exe
29⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2164

C:\Windows\SysWOW64\Kagichjo.exe
C:\Windows\system32\Kagichjo.exe
30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4732

C:\Windows\SysWOW64\Kcifkp32.exe
C:\Windows\system32\Kcifkp32.exe
31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:224

C:\Windows\SysWOW64\Kkpnlm32.exe
C:\Windows\system32\Kkpnlm32.exe
32⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1808

C:\Windows\SysWOW64\Kajfig32.exe
C:\Windows\system32\Kajfig32.exe
33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:336

C:\Windows\SysWOW64\Kdhbec32.exe
C:\Windows\system32\Kdhbec32.exe
34⤵
- Executes dropped EXE
PID:1160

C:\Windows\SysWOW64\Kckbqpnj.exe
C:\Windows\system32\Kckbqpnj.exe
35⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:316

C:\Windows\SysWOW64\Kkbkamnl.exe
C:\Windows\system32\Kkbkamnl.exe
36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1164

C:\Windows\SysWOW64\Lalcng32.exe
C:\Windows\system32\Lalcng32.exe
37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2868

C:\Windows\SysWOW64\Lpocjdld.exe
C:\Windows\system32\Lpocjdld.exe
38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5064

C:\Windows\SysWOW64\Lcmofolg.exe
C:\Windows\system32\Lcmofolg.exe
39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:5016

C:\Windows\SysWOW64\Lkdggmlj.exe
C:\Windows\system32\Lkdggmlj.exe
40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2116

C:\Windows\SysWOW64\Liggbi32.exe
C:\Windows\system32\Liggbi32.exe
41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:776

C:\Windows\SysWOW64\Laopdgcg.exe
C:\Windows\system32\Laopdgcg.exe
42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2008

C:\Windows\SysWOW64\Ldmlpbbj.exe
C:\Windows\system32\Ldmlpbbj.exe
43⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4512

C:\Windows\SysWOW64\Lgkhlnbn.exe
C:\Windows\system32\Lgkhlnbn.exe
44⤵
- Executes dropped EXE
- Modifies registry class
PID:1408

C:\Windows\SysWOW64\Lnepih32.exe
C:\Windows\system32\Lnepih32.exe
45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2668

C:\Windows\SysWOW64\Laalifad.exe
C:\Windows\system32\Laalifad.exe
46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3372

C:\Windows\SysWOW64\Lpcmec32.exe
C:\Windows\system32\Lpcmec32.exe
47⤵
- Executes dropped EXE
- Modifies registry class
PID:2896

C:\Windows\SysWOW64\Lcbiao32.exe
C:\Windows\system32\Lcbiao32.exe
48⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:880

C:\Windows\SysWOW64\Lkiqbl32.exe
C:\Windows\system32\Lkiqbl32.exe
49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4468

C:\Windows\SysWOW64\Lnhmng32.exe
C:\Windows\system32\Lnhmng32.exe
50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2620

C:\Windows\SysWOW64\Laciofpa.exe
C:\Windows\system32\Laciofpa.exe
51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1660

C:\Windows\SysWOW64\Ldaeka32.exe
C:\Windows\system32\Ldaeka32.exe
52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3924

C:\Windows\SysWOW64\Lcdegnep.exe
C:\Windows\system32\Lcdegnep.exe
53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1992

C:\Windows\SysWOW64\Lklnhlfb.exe
C:\Windows\system32\Lklnhlfb.exe
54⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4168

C:\Windows\SysWOW64\Laefdf32.exe
C:\Windows\system32\Laefdf32.exe
55⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3216

C:\Windows\SysWOW64\Lphfpbdi.exe
C:\Windows\system32\Lphfpbdi.exe
56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1700

C:\Windows\SysWOW64\Lcgblncm.exe
C:\Windows\system32\Lcgblncm.exe
57⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1912

C:\Windows\SysWOW64\Lknjmkdo.exe
C:\Windows\system32\Lknjmkdo.exe
58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1968

C:\Windows\SysWOW64\Mjqjih32.exe
C:\Windows\system32\Mjqjih32.exe
59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4560

C:\Windows\SysWOW64\Mpkbebbf.exe
C:\Windows\system32\Mpkbebbf.exe
60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4740

C:\Windows\SysWOW64\Mciobn32.exe
C:\Windows\system32\Mciobn32.exe
61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3900

C:\Windows\SysWOW64\Mkpgck32.exe
C:\Windows\system32\Mkpgck32.exe
62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4688

C:\Windows\SysWOW64\Mnocof32.exe
C:\Windows\system32\Mnocof32.exe
63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1864

C:\Windows\SysWOW64\Majopeii.exe
C:\Windows\system32\Majopeii.exe
64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4276

C:\Windows\SysWOW64\Mcklgm32.exe
C:\Windows\system32\Mcklgm32.exe
65⤵
- Executes dropped EXE
- Modifies registry class
PID:384

C:\Windows\SysWOW64\Mkbchk32.exe
C:\Windows\system32\Mkbchk32.exe
66⤵
- Drops file in System32 directory
- Modifies registry class
PID:1900

C:\Windows\SysWOW64\Mnapdf32.exe
C:\Windows\system32\Mnapdf32.exe
67⤵
PID:3864

C:\Windows\SysWOW64\Mpolqa32.exe
C:\Windows\system32\Mpolqa32.exe
68⤵
- Drops file in System32 directory
PID:4664

C:\Windows\SysWOW64\Mgidml32.exe
C:\Windows\system32\Mgidml32.exe
69⤵
PID:3340

C:\Windows\SysWOW64\Mjhqjg32.exe
C:\Windows\system32\Mjhqjg32.exe
70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1372

C:\Windows\SysWOW64\Maohkd32.exe
C:\Windows\system32\Maohkd32.exe
71⤵
PID:3048

C:\Windows\SysWOW64\Mdmegp32.exe
C:\Windows\system32\Mdmegp32.exe
72⤵
- Drops file in System32 directory
- Modifies registry class
PID:5012

C:\Windows\SysWOW64\Mglack32.exe
C:\Windows\system32\Mglack32.exe
73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3248

C:\Windows\SysWOW64\Mjjmog32.exe
C:\Windows\system32\Mjjmog32.exe
74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:4452

C:\Windows\SysWOW64\Mpdelajl.exe
C:\Windows\system32\Mpdelajl.exe
75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:4424

C:\Windows\SysWOW64\Njljefql.exe
C:\Windows\system32\Njljefql.exe
76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:3484

C:\Windows\SysWOW64\Nacbfdao.exe
C:\Windows\system32\Nacbfdao.exe
77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2016

C:\Windows\SysWOW64\Ndbnboqb.exe
C:\Windows\system32\Ndbnboqb.exe
78⤵
- Drops file in System32 directory
- Modifies registry class
PID:1692

C:\Windows\SysWOW64\Nklfoi32.exe
C:\Windows\system32\Nklfoi32.exe
79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1444

C:\Windows\SysWOW64\Njogjfoj.exe
C:\Windows\system32\Njogjfoj.exe
80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3188

C:\Windows\SysWOW64\Nqiogp32.exe
C:\Windows\system32\Nqiogp32.exe
81⤵
- Drops file in System32 directory
PID:3052

C:\Windows\SysWOW64\Ncgkcl32.exe
C:\Windows\system32\Ncgkcl32.exe
82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:4152

C:\Windows\SysWOW64\Njacpf32.exe
C:\Windows\system32\Njacpf32.exe
83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1268

C:\Windows\SysWOW64\Nbhkac32.exe
C:\Windows\system32\Nbhkac32.exe
84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:820

C:\Windows\SysWOW64\Ncihikcg.exe
C:\Windows\system32\Ncihikcg.exe
85⤵
PID:4176

C:\Windows\SysWOW64\Nkqpjidj.exe
C:\Windows\system32\Nkqpjidj.exe
86⤵
- Modifies registry class
PID:3964

C:\Windows\SysWOW64\Nnolfdcn.exe
C:\Windows\system32\Nnolfdcn.exe
87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:840

C:\Windows\SysWOW64\Ndidbn32.exe
C:\Windows\system32\Ndidbn32.exe
88⤵
- Modifies registry class
PID:1148

C:\Windows\SysWOW64\Nkcmohbg.exe
C:\Windows\system32\Nkcmohbg.exe
89⤵
PID:1048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1048 -s 400
90⤵
- Program crash
PID:4268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1048 -ip 1048
1⤵
PID:1056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Jagqlj32.exe

Filesize
55KB

MD5
40b2c398018c3b15c84b551e956e419f

SHA1
7b5f05db784070a09ac119da1967e4e3f8dc9fcb

SHA256
92f4bcfe1419f2979c840a7d8f44468c919f8b98d1a8525b41c07191006fba55

SHA512
082fcaccd94c7b21285264a6908bfb56cb4440b8882f5aa3b88a53412a8d462426215cba141886c37ce9af28b0df40a7708bfe56b51dfe9757e6338991561fc4

Download Submit
C:\Windows\SysWOW64\Jaimbj32.exe

Filesize
55KB

MD5
190d9a932b6db8b78a156d2dac3438c4

SHA1
bdc3d1d29bc61a3f2dacd364a6d3382b956b20c9

SHA256
97b56494d41bd3e54930acca77eec4285c25a80a8412bad45fdd3394a9914eb3

SHA512
99fc9dca1ee1241b1ed44079e70051e36f2fe3c6f02b40b2d1e055729036933bd45623e051c33246a558ab2245fc45d2194c0e9dad7db69c1efd005ab7d5a6b4

Download Submit
C:\Windows\SysWOW64\Jaljgidl.exe

Filesize
55KB

MD5
73441f031808f5626ca98c9e8df4df6f

SHA1
37cd52f7f973f183bdfd6243a1fee6dbeba7adec

SHA256
4de4ee6d6f34a4e02072b55ba923793eb656a1b1f9bb95e7f36c9b08aa6faae3

SHA512
475996a558bbc926945930e82ccbb23a085639fd202f30b89e6fb9a84340d358514544396bd650f00cf86712a8138e51745bc828db4c909f9d770264374a452b

Download Submit
C:\Windows\SysWOW64\Jbfpobpb.exe

Filesize
55KB

MD5
df69f055f96059b221c1c092ae4fb9e9

SHA1
65a4fbfde88c5ec25859020bce3329bb0c90ac2b

SHA256
0f3990a89a413f571923e791d9070306919326684790591a845b97bcceb755e3

SHA512
b545c447a93334c85474a298db3495a47d4671215509c5b23fe0367f22015fdd003791772d8d6eb71d572407db3615dc4ba35eef96efc0e033675dc0abf17563

Download Submit
C:\Windows\SysWOW64\Jbhmdbnp.exe

Filesize
55KB

MD5
823f05c6fe0aef0ec8927f96309a6dde

SHA1
02e5b1476820f4265b547baf7ceb87c810b14def

SHA256
f481bb24d8f91f87921f1e4c922ea355f0a3ae885ef485c8fb2e69fe58058cde

SHA512
72ec30ef64384fa484852c6aba97f1ea3bbc364ae130c577c5f9d0ac07ad2c789dc8b60a904f9bfa4c0009625ae1074ce52f3ad54599f6f3433dd0d59d626346

Download Submit
C:\Windows\SysWOW64\Jbkjjblm.exe

Filesize
55KB

MD5
3be5e2f2def9451a7fe74a7a5d9128cc

SHA1
cba8f3f25739120032d62bd05a6839dd8cdd6020

SHA256
f93580076f0d191c2b2bd6267dab1135b54e633629ed4fe7d6f7c82336817f4d

SHA512
07746117e165389e413ccd7b840e68d7187c09de06ecbc801acce879349e2b2b1d034d25b51b83380a46fd7309d13e7966405c7c847c23c9434ddb7f284749de

Download Submit
C:\Windows\SysWOW64\Jbocea32.exe

Filesize
55KB

MD5
a6b4fcced2edc3ba67f93d1e2e5360a4

SHA1
b54b90310b1d934493e8a337be73987e1374b096

SHA256
4c1cfbdc0df4eaf483596902d38e34d32a8eb6321b93f69ffd07c30279dc2ef8

SHA512
6a639d2ceb6658a04b49e8bf4c520bc408ec62de4c03a09a3f3ad972f5cd7a25dab681387c1e67096deb70804cf435120fad84ef5b1742f90393b90df4a2dc6b

Download Submit
C:\Windows\SysWOW64\Jdemhe32.exe

Filesize
55KB

MD5
7e3b57a4d2d65988407761c42730c3fa

SHA1
a6bfa0ead6d8b1ca4c3b1bae24d35816cec70fd9

SHA256
68599decfad84d45cd0937f2cd6e782a9a276258d59e8dddc9fd09a5ed8e83d0

SHA512
25d4fa204b8575766f0ac6ff20934c4e14159e3804a4e2bc39c8b5456e089a002fd37fe889c8b84fbdde540f8b61f778983da4795ffc61d6b36a5d9b8753b4bd

Download Submit
C:\Windows\SysWOW64\Jdjfcecp.exe

Filesize
55KB

MD5
6a624efd72be7bcb91c163430f355d93

SHA1
aa20dff8d24c2a23a87a9877b182ac8c847be5e3

SHA256
fc3d34dfc7e15ad9a74f55efdd831c950ffb06396228ab8875b6dcae8d6c934b

SHA512
6446f61b3860e5adeab9d1389b29eba066d8c47fc9e8c95291580ea13f2a1d3753289eb5844721a1ac0e266b655cc288b64cc1209ccb15eaedbfa3ba27e83e68

Download Submit
C:\Windows\SysWOW64\Jidbflcj.exe

Filesize
55KB

MD5
2e1bff46267f4889db60470056d10993

SHA1
0e6b5906828cc95926cb3463f5550ac17ca4ad6c

SHA256
749ff3d0546b90cdf1251d6880ad6853b6bbfba2748d650d8cec597f35e8ae56

SHA512
2f8512d2f7b9717bfa9fcfafe87edbd75cca51d759cc76dd32b49cc0b234f6a1a9b9c47d7524cc641afb063db40d64007ffa67d5caeb856fd0450c59092507dd

Download Submit
C:\Windows\SysWOW64\Jiphkm32.exe

Filesize
55KB

MD5
56f161c5543dde239dfa212c524ada5d

SHA1
d6a589ea93a3a327e8f312716089e0b7b603f083

SHA256
a7624a339a44d007aee743ca4a6ed05437b344a49435da00cebb75fb4660740d

SHA512
117d21e3e379734a0ff145692dcd3336343a362435807e70a59104f3eb5c8d5d5eddd3edc5ff47fcf6c60daa8c3eb916adc4c45419f45a8451e455da0e6719b5

Download Submit
C:\Windows\SysWOW64\Jjbako32.exe

Filesize
55KB

MD5
c83504660371d199c54c74a468a8bcfa

SHA1
18bced25f40595f12995fa6565854a7cf9904fe4

SHA256
e24abceee02a26fe438c162c878cd21f159f3957429cc9c67dba03ea97c555db

SHA512
6414d930806232aab99037b5f4285276edcd5f24dffaf24ee87aedfe4f6876237883d9212ad1f9ae5adc183c768734b0df4ad1a6530e6b102bfe8b7026cca225

Download Submit
C:\Windows\SysWOW64\Jjpeepnb.exe

Filesize
55KB

MD5
7a666894fb5b427bfe687fe215d48913

SHA1
67ad12b51663f785a65fc487d2751f00e74da3fd

SHA256
716c3d66cddd663a3b81202d01b4e25dcb900f2a50b62565a7d20d743e94c807

SHA512
1ab4aa22463f697fbc69484c49893f6353e7ccf91bf1df4a57c3c896cdef4b9c61493778d2a5324db5773fd28a74988ca9875fd3725d1de3bfea182f56f0d8f2

Download Submit
C:\Windows\SysWOW64\Jkdnpo32.exe

Filesize
55KB

MD5
9b7dcc9a340211a723a697f4aaa6a8f8

SHA1
6986feb5857545f683cabe3f18973e27d1d29a1d

SHA256
0b685f2b3b50182bcb82c57a44a84379b94fecbb4e48f5f5e843abc7cc4c4626

SHA512
2de26e96a5cf177b487be959ba87bc8a0cb5464e3ff68329f750f8c2eaa041f88cc0018ac5d03e22284caa65083167fc2f51e6a9d40d6727d474acd96116d0fe

Download Submit
C:\Windows\SysWOW64\Jkfkfohj.exe

Filesize
55KB

MD5
05b278642b2a2a2b8b4dd1e4a205ff20

SHA1
140b479fe01e7c449999399c0445676a7c400618

SHA256
28f56e0f5527da4c4f34ca64139eeb842ee19a21d0a66fe5ef5c5e7060e82ec0

SHA512
47da05840b92e3f95443eb0de170caa8fb8b13f9bb220e0fe45484ff5d1148e7693945e7e7623d709a3aa4bc7412ae97c93c785543fe85a3c9d7ace057f79947

Download Submit
C:\Windows\SysWOW64\Jmbklj32.exe

Filesize
55KB

MD5
b31236c29ba0da04a185f9a5f43cc321

SHA1
55e563f4e3154fafa6df9410554e65e8f459bc69

SHA256
ae945627bd3696ea459ce53dd6010b8488584f5f5c9cfea3981deb6c55e32ce1

SHA512
013599714b327341791836c546d56c9d70a21b88cdd4bf672ea54bde18b310d42c5b0ea34fc8c1b5977994758d8b48e4a6f3a3dbf8b377c6a41e2fa1dc7f6df0

Download Submit
C:\Windows\SysWOW64\Jpaghf32.exe

Filesize
55KB

MD5
adbedcdef822bfe3ed1922b08ea9c715

SHA1
c28b64e2306e9e4c494ead8c2ced23b33ebcfa09

SHA256
b41e1e2696de79b93eb8c2bea9767f6423c2996370322ff8e17476e8320656db

SHA512
5b500d18cea0bf5c14b3428e0deed044d5b4bfcc43175d4abc01334ae9be2d0fce03853c914f900e8b0ad6835ef41be22095f8ecde419219edecb41eae58c6d5

Download Submit
C:\Windows\SysWOW64\Kacphh32.exe

Filesize
55KB

MD5
7be16ad322e077c115f938dd45a5ae08

SHA1
043048a0eb5fed1d339558ac033002096c223baa

SHA256
73c936e4c824e491bdcd87dae79ad15df806312e393a1b8d12de27e22e459c57

SHA512
3a381ab89ca71a41b4676af7ad8c9ed03af7b1e99f393494f1846abd9af2f889b63cd2d49b1c85c7c90097e5622b61438798b395ffc34c48f42dced12bd1895d

Download Submit
C:\Windows\SysWOW64\Kaemnhla.exe

Filesize
55KB

MD5
70a7fa4bb97ac1a648bf41bfe50cff01

SHA1
35fc82c9d4f76475a09e29a0dc8971320f90cb25

SHA256
47a169542d4832e56fb36328b838c5a4f6f33f9255f93f15ae9c4c6208687179

SHA512
91d0084bc89a05d69d6f224b5ed8d21cc81d658879ba102b9ab00b0604b7177d6f3e691dcd85d0674f77af57ef9036a58497d48f72173b78ffd68effccbdd069

Download Submit
C:\Windows\SysWOW64\Kagichjo.exe

Filesize
55KB

MD5
d5d16c5f76f3b442d1a84d51f1004992

SHA1
45902669bedd0de1c3ca6d7229e8635bcb7f3221

SHA256
b5f377b0eeb5354d78ccc6a28dc8957df42215f0344b109fb65f843772f0def2

SHA512
288eb6d71725a19cfd8b4721383086eab612845c746a3e8bb5301655389e491f933566f4d5e4abecb9f62c0ec3d61597355c96687e9d293f32742fb3ed31d8a4

Download Submit
C:\Windows\SysWOW64\Kajfig32.exe

Filesize
55KB

MD5
d3f640b243fbd59b0cabdd1ba625bc0f

SHA1
b8e54454519bc3929a8218a4463f798885b41207

SHA256
463b9d7f0595a9f11bac87db4bc62362a95625e543410f8e414b7d2d6b924884

SHA512
9d5f8085317253777e5d0c38da43afa58772c4e99c856fdf7ecf56937cbaa0d2b3cd471d80bb2ce96a502c27620c4fdca575d99317adc2422a0af4babdbcc5d8

Download Submit
C:\Windows\SysWOW64\Kbapjafe.exe

Filesize
55KB

MD5
e893f63d92d28d93c58de17a16ef16c1

SHA1
511063a76de66a631287ac18856a316b81154095

SHA256
37c98d9b7549446d6d2daef990420aa5fffd5ba03470da92b9a61c1055c0a752

SHA512
a13f771220398fae6f0ccf9c80410ba5af7d5d9dd794aa984c2390f0116e3e28f1870adfd688265af80abe1447ec0f98517fa8416e7327bbc689004a5dbad661

Download Submit
C:\Windows\SysWOW64\Kbfiep32.exe

Filesize
55KB

MD5
50522fb2763b179a2d6feee521abc525

SHA1
b7a09ac8334973f9b80449e9ddd074f4ea02b7c7

SHA256
3790c5afe5b98d0b1a3a9be0fccf31c2da3a87844f318d3a01d83c6c4e82bb53

SHA512
7de6f07cf5881e605dc80ce7f05fee6e28ae01f6a8deccbd20acfdd72c4c76538cdff8f70aeb7154398b2722c2f5d2a362f705b3a87ef5943a32f42bb0a2fc68

Download Submit
C:\Windows\SysWOW64\Kcifkp32.exe

Filesize
55KB

MD5
3419e15720fa2172eb9d87ba610c4f7b

SHA1
f0db7496e1aec2fd4dc0237cf7bbbfed362f65af

SHA256
3a233b2d05e2dc791efb6e73eebc55740765a6b879b52a672cca819f1291850b

SHA512
039a5e48eb4d5e8b7ee2c65ecf684627b12d2df2366494b5e3ba03fd28ca177eb0fb28f48416283305469f8254bd946ac65a22ec16e8f6be303dd82e993031d3

Download Submit
C:\Windows\SysWOW64\Kgphpo32.exe

Filesize
55KB

MD5
d33eeba12dd01303988b3e6b2147fbd7

SHA1
43dd13f874211c37d5f952c564ebc19373df5097

SHA256
410a2f41f37548554907c3edfc9bbd80a4f7a4b3d09e9eecc8c31dd2bb28b1b7

SHA512
e6231e2b3be373c799835ab544a129715ab0630052490171f43d4d0b80731a4d3d62df1869a3fb35aebca10d477fad79651e550ed9f4c75baa4b9b99f9d83c0a

Download Submit
C:\Windows\SysWOW64\Kilhgk32.exe

Filesize
55KB

MD5
9ed88b430f389af9df76e5374f02656f

SHA1
06433a4db7fba73bf74517f0e65af4adb721af8e

SHA256
d394e90442465a68b4738344981215187875aa259087f72e2eeb722d21e595eb

SHA512
c41aea42d4c792bbd6c4dad28e912c61365cd0ddbe79ea2e0d03aaaf46c0a2391514c9c98c0fe77fd240a212b36e7b5e1478863b5c65f8acc5ae281f274be80f

Download Submit
C:\Windows\SysWOW64\Kinemkko.exe

Filesize
55KB

MD5
a7fbcae5aa6818cc23b509b4d022b7d2

SHA1
e68afe8b6b50b69159f062c7d30a0f2937bced87

SHA256
192ac5453d999069dd7f667cc5af20194a4ab66ccb65d565cee9a13685522eb9

SHA512
829cfed812b7b351811f1b57cc31ac5e416b56dc69b471a3cb1ef816811005a2ee4590e1f08206a57e1b4e677a4be1bf2d2b2f5e7e39c39fd76052d1aedbb433

Download Submit
C:\Windows\SysWOW64\Kknafn32.exe

Filesize
55KB

MD5
92c5e80503c07af2ebcf7db3f6667ff0

SHA1
504a26da36c2a999ded7234d10190a0fe124a139

SHA256
02acabf20f09d379f2e4ae4e85f5b4479abb079511a5ee58f287c7ce2fb5890d

SHA512
bf0191d0df66345bdeeb5155fe4a237345fd4eb4997fc7cba168dedaa230a4636ee945194ba31df07a3a57c4ceee7aeb2c421d66cff6b0df7c8c3fbd9118b7ec

Download Submit
C:\Windows\SysWOW64\Kkpnlm32.exe

Filesize
55KB

MD5
64b553b098cfcf65fb7251387d209a39

SHA1
0461e71e7cc0ed7426ec62687256f877e0fc4b0d

SHA256
9d481094e937b594a339cdaca0fac70d260b41aeeacb3fb93ef247de5991be9d

SHA512
9a509ea122d9f5c86b1822ad32618e77c62311663a7ed9c5732079e93ee066d84406afbd51607a9abd5851918711a4e3d2d154b5c92b3280cea5196ff630d5aa

Download Submit
C:\Windows\SysWOW64\Kmegbjgn.exe

Filesize
55KB

MD5
5ee191b94e118844f72e394754ff67e2

SHA1
40732ba8f74e20dba07e9f666dd89198c3d0282f

SHA256
81e6f069da8843f92bf47325819f8303cab9a681b10043fcc896c33e79703a58

SHA512
f1604071102c874fd591c84011dc1e8878778c60a8086c1c24a5ecb34270918f92f20e6e6be73ca0ff53529f6c793880ad9540ab4950cc17bde354175a19852d

Download Submit
C:\Windows\SysWOW64\Kmlnbi32.exe

Filesize
55KB

MD5
21fa44d4527a0146aa601859add88fb0

SHA1
dff264eb50b73dfc61579a6f53cddeb91d9adf5c

SHA256
3fb785689036d6ac1e21739b8b5631a63b2d885f2b6a8f049323fc681142a898

SHA512
ebb83c98ffadc4c8eca52a012942204ac07094424bdd66b41acc6d001b03fef944fd546ea09408c0522cc1607fe3158ce4e6ed773f9455e4ccf9c8eef3a496e0

Download Submit
C:\Windows\SysWOW64\Kpccnefa.exe

Filesize
55KB

MD5
0d26899f9bd6da5d50189acfc6e781f1

SHA1
b0a526e7336eaa39363b9b9027ee450bd37fa30f

SHA256
3e1250003b5a09eb132572423cb495964ae39b3461058eb85135e29c41632b58

SHA512
d541f030a251de532ac482a3675c31e49e2e533f6032125727731434009a98c8bada221380f574cdfc0b0f9bbab62705e873f5f687e2b67cde3d1802a28be4ed

Download Submit
C:\Windows\SysWOW64\Mcklgm32.exe

Filesize
55KB

MD5
ba33c83a1560adab0121ac0d99a538b7

SHA1
f50242cd39cc3989f0e6948a8d22c777ec36dd8a

SHA256
3602018cc50a57479436979ebdcc1dcd070168ba0f747be931766cae460900af

SHA512
cad5593837af0f275967b68cf8550a9815ebecde910661acba37d704a97ad7d5aaa5e4c5a960c7a63cd7c1167f1febc753abf16dbd07360bafa4fc1c49997f9e

Download Submit
C:\Windows\SysWOW64\Mpdelajl.exe

Filesize
55KB

MD5
11a6451b8dd8c99dfbd93673789a6e1e

SHA1
421c96833386dba175baead2123d3f1f2c6e91e4

SHA256
bc0b7106eadd3f2996aa4a88e8e5169f9260c7e42734e47d54e77485eb0913a7

SHA512
b8f1f70d28f64449e766c5c39e46e08c2cf4ad4c2d6705416bbf2293682c4bf009751cdcb15ac1e7d425f1c1be19754684a2ac5e1860d50609f86c30278f81bb

Download Submit
C:\Windows\SysWOW64\Ndidbn32.exe

Filesize
55KB

MD5
2276861d4a420047072dc52cf857f328

SHA1
a7c3be228508a2df8b39de16b80a2761afa67c47

SHA256
bbaa5b6b678bca20f564566c0c152dff523ff6a0ebcd1b8a85e6155a140fbbd5

SHA512
27e65edc058762468d7b889522c980f837b7ced933ac881b9f47f2479fa046ef5f58cbd8394e89c87162cafc8a0cd893d8eaf6b25f8c0e514e3a9c1655fc1c2d

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
55KB

MD5
280bfc698d91d0e15eb067c0ea3e7270

SHA1
45fbc8d4f780e78c475fb633a6a990c5157d2183

SHA256
80645be9d002846add8dfc94e117430c7d325b8ccb6204f604f2488c33a0cc49

SHA512
96e3ffaf68bee040d82a6eebdb4fd57dd93a10f9146894278b01d77ee3206be75335283f3a9e354117f83064ae4f9426f6f2ad00a149c1834ffa07eb4fac397b

Download Submit
memory/224-241-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/316-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/336-262-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/384-452-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/776-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/820-565-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/840-585-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/880-351-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1048-599-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1148-592-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1160-689-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1160-266-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1164-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1212-169-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1268-558-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1360-141-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1372-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1408-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1444-538-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1536-133-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1660-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1692-527-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1700-399-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1772-37-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1808-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1864-441-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1888-185-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1900-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1912-405-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1968-411-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1992-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2008-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2016-521-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2116-303-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2164-229-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2328-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2328-591-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2372-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2400-145-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2556-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2620-664-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2620-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2652-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2652-577-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2668-333-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2808-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2868-286-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2896-346-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3048-489-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3052-549-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3188-540-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3208-193-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3216-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3248-501-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3340-477-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3372-339-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3484-519-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3520-69-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3520-598-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3556-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3588-13-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3784-117-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3860-201-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3864-465-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3900-429-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3924-375-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3964-581-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4064-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4152-552-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4168-387-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4176-571-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4276-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4336-221-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4364-564-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4364-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4424-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4452-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4468-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4512-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4528-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4528-533-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4528-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4560-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4572-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4592-153-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4664-471-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4688-435-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4732-233-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4740-422-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4740-650-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4752-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4752-584-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4844-21-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4880-209-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4992-177-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5012-495-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5016-297-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5064-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5092-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download