4493e4236784036c82f40e48381f40ac9e1776a6b20fce3287aa0a6c318ed60c

Analysis

max time kernel
138s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 21:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4493e4236784036c82f40e48381f40ac9e1776a6b20fce3287aa0a6c318ed60c.exe
Size

768KB
MD5

0c2e59d1c59a17186b256f5987815300
SHA1

f2b873c76d823496f028256bb701e7ea2bd716b1
SHA256

4493e4236784036c82f40e48381f40ac9e1776a6b20fce3287aa0a6c318ed60c
SHA512

8c22f25a0ada16826d9935ef7abf19c69625cdfd7d2393dd4a07c6e64521ddaa86d6c09ab9d9f358a3fb4255a743c4759bd41c262fd3193f7113c7ece8f59346
SSDEEP

12288:srq0HVRvL6IveDVqvQ6IvYvc6IveDVqvQ6IvBaSHaMaZRBEYyqmaf2qwiHPKgRCW:UDhq5h3q5htaSHFaZRBEYyqmaf2qwiHP

Score

10^/10

backdoor dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Kinemkko.exeLmccchkn.exeLkgdml32.exeJmbklj32.exeMncmjfmk.exeNklfoi32.exeLcpllo32.exeMdiklqhm.exeMkbchk32.exeNceonl32.exeJiphkm32.exeNbhkac32.exeLdkojb32.exeLkiqbl32.exeLdaeka32.exeMnapdf32.exeLaciofpa.exeMahbje32.exeMkpgck32.exeKgdbkohf.exeJpojcf32.exeKckbqpnj.exeLgikfn32.exeLcbiao32.exeNqfbaq32.exeNnjbke32.exeJidbflcj.exeKbdmpqcb.exeMciobn32.exeMgghhlhq.exeNnolfdcn.exe4493e4236784036c82f40e48381f40ac9e1776a6b20fce3287aa0a6c318ed60c.exeLaalifad.exeMjjmog32.exeKpccnefa.exeLcgblncm.exeNkjjij32.exeNnhfee32.exeNcldnkae.exeLalcng32.exeLiggbi32.exeLphfpbdi.exeMjqjih32.exeMpaifalo.exeKmgdgjek.exeLpcmec32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kinemkko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmbklj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kinemkko.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcpllo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nceonl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jiphkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldkojb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jiphkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpojcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kckbqpnj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbdmpqcb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mciobn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	4493e4236784036c82f40e48381f40ac9e1776a6b20fce3287aa0a6c318ed60c.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpccnefa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lalcng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liggbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpojcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmgdgjek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe

Malware Dropper & Backdoor - Berbew 32 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

Processes:

resource	yara_rule
C:\Windows\SysWOW64\Jiphkm32.exe	family_berbew
C:\Windows\SysWOW64\Jpjqhgol.exe	family_berbew
C:\Windows\SysWOW64\Jbhmdbnp.exe	family_berbew
C:\Windows\SysWOW64\Jidbflcj.exe	family_berbew
C:\Windows\SysWOW64\Jpojcf32.exe	family_berbew
C:\Windows\SysWOW64\Jmbklj32.exe	family_berbew
C:\Windows\SysWOW64\Kpccnefa.exe	family_berbew
C:\Windows\SysWOW64\Kmgdgjek.exe	family_berbew
C:\Windows\SysWOW64\Kbdmpqcb.exe	family_berbew
C:\Windows\SysWOW64\Kdcijcke.exe	family_berbew
C:\Windows\SysWOW64\Kinemkko.exe	family_berbew
C:\Windows\SysWOW64\Kipabjil.exe	family_berbew
C:\Windows\SysWOW64\Kdffocib.exe	family_berbew
C:\Windows\SysWOW64\Kmnjhioc.exe	family_berbew
C:\Windows\SysWOW64\Liggbi32.exe	family_berbew
C:\Windows\SysWOW64\Lmccchkn.exe	family_berbew
C:\Windows\SysWOW64\Lcpllo32.exe	family_berbew
C:\Windows\SysWOW64\Lijdhiaa.exe	family_berbew
C:\Windows\SysWOW64\Laciofpa.exe	family_berbew
C:\Windows\SysWOW64\Ldaeka32.exe	family_berbew
C:\Windows\SysWOW64\Lgpagm32.exe	family_berbew
C:\Windows\SysWOW64\Lkiqbl32.exe	family_berbew
C:\Windows\SysWOW64\Lcbiao32.exe	family_berbew
C:\Windows\SysWOW64\Lpcmec32.exe	family_berbew
C:\Windows\SysWOW64\Laalifad.exe	family_berbew
C:\Windows\SysWOW64\Lkgdml32.exe	family_berbew
C:\Windows\SysWOW64\Lpappc32.exe	family_berbew
C:\Windows\SysWOW64\Lgikfn32.exe	family_berbew
C:\Windows\SysWOW64\Ldkojb32.exe	family_berbew
C:\Windows\SysWOW64\Lalcng32.exe	family_berbew
C:\Windows\SysWOW64\Kckbqpnj.exe	family_berbew
C:\Windows\SysWOW64\Kgdbkohf.exe	family_berbew

Executes dropped EXE 64 IoCs

Processes:

Jiphkm32.exeJpjqhgol.exeJbhmdbnp.exeJidbflcj.exeJpojcf32.exeJmbklj32.exeKpccnefa.exeKmgdgjek.exeKbdmpqcb.exeKinemkko.exeKdcijcke.exeKipabjil.exeKdffocib.exeKgdbkohf.exeKmnjhioc.exeKckbqpnj.exeLalcng32.exeLdkojb32.exeLgikfn32.exeLiggbi32.exeLmccchkn.exeLpappc32.exeLcpllo32.exeLkgdml32.exeLijdhiaa.exeLaalifad.exeLpcmec32.exeLcbiao32.exeLkiqbl32.exeLaciofpa.exeLdaeka32.exeLgpagm32.exeLjnnch32.exeLphfpbdi.exeLcgblncm.exeMjqjih32.exeMahbje32.exeMpkbebbf.exeMciobn32.exeMkpgck32.exeMnocof32.exeMajopeii.exeMdiklqhm.exeMgghhlhq.exeMkbchk32.exeMnapdf32.exeMpolqa32.exeMcnhmm32.exeMkepnjng.exeMncmjfmk.exeMpaifalo.exeMglack32.exeMjjmog32.exeMaaepd32.exeMdpalp32.exeNkjjij32.exeNnhfee32.exeNqfbaq32.exeNceonl32.exeNklfoi32.exeNnjbke32.exeNddkgonp.exeNgcgcjnc.exeNjacpf32.exe

pid	process
3536	Jiphkm32.exe
3432	Jpjqhgol.exe
1696	Jbhmdbnp.exe
4584	Jidbflcj.exe
5108	Jpojcf32.exe
1508	Jmbklj32.exe
4372	Kpccnefa.exe
3340	Kmgdgjek.exe
1812	Kbdmpqcb.exe
1836	Kinemkko.exe
3836	Kdcijcke.exe
4776	Kipabjil.exe
2572	Kdffocib.exe
116	Kgdbkohf.exe
1312	Kmnjhioc.exe
2752	Kckbqpnj.exe
3456	Lalcng32.exe
1184	Ldkojb32.exe
2152	Lgikfn32.exe
1620	Liggbi32.exe
3996	Lmccchkn.exe
2304	Lpappc32.exe
1616	Lcpllo32.exe
464	Lkgdml32.exe
908	Lijdhiaa.exe
1232	Laalifad.exe
3776	Lpcmec32.exe
2772	Lcbiao32.exe
1104	Lkiqbl32.exe
876	Laciofpa.exe
4500	Ldaeka32.exe
4388	Lgpagm32.exe
4652	Ljnnch32.exe
4484	Lphfpbdi.exe
2936	Lcgblncm.exe
2732	Mjqjih32.exe
3316	Mahbje32.exe
4912	Mpkbebbf.exe
4800	Mciobn32.exe
516	Mkpgck32.exe
5080	Mnocof32.exe
4632	Majopeii.exe
3100	Mdiklqhm.exe
3108	Mgghhlhq.exe
8	Mkbchk32.exe
32	Mnapdf32.exe
940	Mpolqa32.exe
1540	Mcnhmm32.exe
2492	Mkepnjng.exe
2652	Mncmjfmk.exe
4676	Mpaifalo.exe
4424	Mglack32.exe
4796	Mjjmog32.exe
1632	Maaepd32.exe
1888	Mdpalp32.exe
1512	Nkjjij32.exe
3440	Nnhfee32.exe
4280	Nqfbaq32.exe
4392	Nceonl32.exe
3216	Nklfoi32.exe
1524	Nnjbke32.exe
1868	Nddkgonp.exe
3168	Ngcgcjnc.exe
3892	Njacpf32.exe

Drops file in System32 directory 64 IoCs

Processes:

Nnolfdcn.exeNqmhbpba.exeNcldnkae.exeLpcmec32.exeLaciofpa.exeMnapdf32.exeNgcgcjnc.exeLpappc32.exeMkbchk32.exeMcnhmm32.exeNnhfee32.exeKmgdgjek.exeLdaeka32.exeLgpagm32.exeMajopeii.exeMpolqa32.exeNqfbaq32.exeNnjbke32.exeLjnnch32.exeMaaepd32.exeLphfpbdi.exeMkpgck32.exeJpjqhgol.exeLmccchkn.exeLcbiao32.exeKbdmpqcb.exeJbhmdbnp.exeJpojcf32.exeKpccnefa.exeMahbje32.exeMciobn32.exeMjjmog32.exeNceonl32.exeJiphkm32.exeLaalifad.exeJidbflcj.exeLdkojb32.exeKgdbkohf.exeKmnjhioc.exeLijdhiaa.exeMncmjfmk.exeNjacpf32.exeKinemkko.exeKdffocib.exeLcpllo32.exeNbhkac32.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Nqmhbpba.exe	Nnolfdcn.exe
File opened for modification	C:\Windows\SysWOW64\Ncldnkae.exe	Nqmhbpba.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Lcbiao32.exe	Lpcmec32.exe
File opened for modification	C:\Windows\SysWOW64\Ldaeka32.exe	Laciofpa.exe
File opened for modification	C:\Windows\SysWOW64\Mpolqa32.exe	Mnapdf32.exe
File opened for modification	C:\Windows\SysWOW64\Njacpf32.exe	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Ncldnkae.exe	Nqmhbpba.exe
File opened for modification	C:\Windows\SysWOW64\Lcpllo32.exe	Lpappc32.exe
File created	C:\Windows\SysWOW64\Pdgdjjem.dll	Mkbchk32.exe
File opened for modification	C:\Windows\SysWOW64\Mkepnjng.exe	Mcnhmm32.exe
File opened for modification	C:\Windows\SysWOW64\Nqfbaq32.exe	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Kbdmpqcb.exe	Kmgdgjek.exe
File opened for modification	C:\Windows\SysWOW64\Lgpagm32.exe	Ldaeka32.exe
File opened for modification	C:\Windows\SysWOW64\Ljnnch32.exe	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Ockcknah.dll	Majopeii.exe
File created	C:\Windows\SysWOW64\Mcnhmm32.exe	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Fcdjjo32.dll	Nqfbaq32.exe
File opened for modification	C:\Windows\SysWOW64\Nddkgonp.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Lidmdfdo.dll	Lpcmec32.exe
File created	C:\Windows\SysWOW64\Lphfpbdi.exe	Ljnnch32.exe
File opened for modification	C:\Windows\SysWOW64\Mdpalp32.exe	Maaepd32.exe
File created	C:\Windows\SysWOW64\Plilol32.dll	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Mnocof32.exe	Mkpgck32.exe
File opened for modification	C:\Windows\SysWOW64\Jbhmdbnp.exe	Jpjqhgol.exe
File created	C:\Windows\SysWOW64\Lpappc32.exe	Lmccchkn.exe
File created	C:\Windows\SysWOW64\Ekiidlll.dll	Lcbiao32.exe
File created	C:\Windows\SysWOW64\Kinemkko.exe	Kbdmpqcb.exe
File created	C:\Windows\SysWOW64\Oedbld32.dll	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Bghhihab.dll	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Ckegia32.dll	Laciofpa.exe
File created	C:\Windows\SysWOW64\Mpolqa32.exe	Mnapdf32.exe
File opened for modification	C:\Windows\SysWOW64\Jidbflcj.exe	Jbhmdbnp.exe
File opened for modification	C:\Windows\SysWOW64\Jmbklj32.exe	Jpojcf32.exe
File created	C:\Windows\SysWOW64\Odegmceb.dll	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Kmgdgjek.exe	Kpccnefa.exe
File opened for modification	C:\Windows\SysWOW64\Mpkbebbf.exe	Mahbje32.exe
File opened for modification	C:\Windows\SysWOW64\Nceonl32.exe	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Jfbhfihj.dll	Mciobn32.exe
File created	C:\Windows\SysWOW64\Bebboiqi.dll	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Nklfoi32.exe	Nceonl32.exe
File created	C:\Windows\SysWOW64\Ndninjfg.dll	Jiphkm32.exe
File opened for modification	C:\Windows\SysWOW64\Mkpgck32.exe	Mciobn32.exe
File opened for modification	C:\Windows\SysWOW64\Lpcmec32.exe	Laalifad.exe
File created	C:\Windows\SysWOW64\Baefid32.dll	Laalifad.exe
File opened for modification	C:\Windows\SysWOW64\Jpjqhgol.exe	Jiphkm32.exe
File created	C:\Windows\SysWOW64\Fbkmec32.dll	Jidbflcj.exe
File opened for modification	C:\Windows\SysWOW64\Lgikfn32.exe	Ldkojb32.exe
File created	C:\Windows\SysWOW64\Jpojcf32.exe	Jidbflcj.exe
File created	C:\Windows\SysWOW64\Lgpagm32.exe	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Oimhnoch.dll	Kgdbkohf.exe
File created	C:\Windows\SysWOW64\Fhpdhp32.dll	Maaepd32.exe
File created	C:\Windows\SysWOW64\Dlddhggk.dll	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Jplifcqp.dll	Kmnjhioc.exe
File created	C:\Windows\SysWOW64\Laalifad.exe	Lijdhiaa.exe
File created	C:\Windows\SysWOW64\Fnelfilp.dll	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Gefncbmc.dll	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Nbhkac32.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Bgllgqcp.dll	Jpjqhgol.exe
File created	C:\Windows\SysWOW64\Kdcijcke.exe	Kinemkko.exe
File created	C:\Windows\SysWOW64\Fogjfmfe.dll	Kdffocib.exe
File opened for modification	C:\Windows\SysWOW64\Kgdbkohf.exe	Kdffocib.exe
File created	C:\Windows\SysWOW64\Lkgdml32.exe	Lcpllo32.exe
File opened for modification	C:\Windows\SysWOW64\Nnolfdcn.exe	Nbhkac32.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process

4284 2192 WerFault.exe

pid	pid_target	process
4284	2192	WerFault.exe

Modifies registry class 64 IoCs

Processes:

Kpccnefa.exeMjqjih32.exeNddkgonp.exeNgcgcjnc.exeKmnjhioc.exeLcbiao32.exeLgpagm32.exeMpolqa32.exeNklfoi32.exeKbdmpqcb.exeKgdbkohf.exeLpappc32.exeLcgblncm.exeLgikfn32.exeMgghhlhq.exeMdpalp32.exeMaaepd32.exe4493e4236784036c82f40e48381f40ac9e1776a6b20fce3287aa0a6c318ed60c.exeLmccchkn.exeLdaeka32.exeKipabjil.exeMcnhmm32.exeKdcijcke.exeLiggbi32.exeLijdhiaa.exeLaalifad.exeMpaifalo.exeNnjbke32.exeJidbflcj.exeMnapdf32.exeKmgdgjek.exeMajopeii.exeKckbqpnj.exeLkgdml32.exeMkbchk32.exeMciobn32.exeNqfbaq32.exeNbhkac32.exeNqmhbpba.exeLaciofpa.exeMncmjfmk.exeMahbje32.exeJmbklj32.exeLjnnch32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpccnefa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Majknlkd.dll"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmbnpm32.dll"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmnjhioc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgcifj32.dll"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbdmpqcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjoceo32.dll"	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lppbjjia.dll"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibhblqpo.dll"	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqffnmfa.dll"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egqcbapl.dll"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	4493e4236784036c82f40e48381f40ac9e1776a6b20fce3287aa0a6c318ed60c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kipabjil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbmfdgkm.dll"	Kdcijcke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgdbkohf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdemcacc.dll"	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laalifad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlnpomfk.dll"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odegmceb.dll"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmgdgjek.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdiihjon.dll"	Kbdmpqcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhpdhp32.dll"	Maaepd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kckbqpnj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmalco32.dll"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfbhfihj.dll"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckegia32.dll"	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnelfilp.dll"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mahbje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jmbklj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mglppmnd.dll"	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmgdgjek.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

4493e4236784036c82f40e48381f40ac9e1776a6b20fce3287aa0a6c318ed60c.exeJiphkm32.exeJpjqhgol.exeJbhmdbnp.exeJidbflcj.exeJpojcf32.exeJmbklj32.exeKpccnefa.exeKmgdgjek.exeKbdmpqcb.exeKinemkko.exeKdcijcke.exeKipabjil.exeKdffocib.exeKgdbkohf.exeKmnjhioc.exeKckbqpnj.exeLalcng32.exeLdkojb32.exeLgikfn32.exeLiggbi32.exeLmccchkn.exe

description	pid	process	target process
PID 4784 wrote to memory of 3536	4784	4493e4236784036c82f40e48381f40ac9e1776a6b20fce3287aa0a6c318ed60c.exe	Jiphkm32.exe
PID 4784 wrote to memory of 3536	4784	4493e4236784036c82f40e48381f40ac9e1776a6b20fce3287aa0a6c318ed60c.exe	Jiphkm32.exe
PID 4784 wrote to memory of 3536	4784	4493e4236784036c82f40e48381f40ac9e1776a6b20fce3287aa0a6c318ed60c.exe	Jiphkm32.exe
PID 3536 wrote to memory of 3432	3536	Jiphkm32.exe	Jpjqhgol.exe
PID 3536 wrote to memory of 3432	3536	Jiphkm32.exe	Jpjqhgol.exe
PID 3536 wrote to memory of 3432	3536	Jiphkm32.exe	Jpjqhgol.exe
PID 3432 wrote to memory of 1696	3432	Jpjqhgol.exe	Jbhmdbnp.exe
PID 3432 wrote to memory of 1696	3432	Jpjqhgol.exe	Jbhmdbnp.exe
PID 3432 wrote to memory of 1696	3432	Jpjqhgol.exe	Jbhmdbnp.exe
PID 1696 wrote to memory of 4584	1696	Jbhmdbnp.exe	Jidbflcj.exe
PID 1696 wrote to memory of 4584	1696	Jbhmdbnp.exe	Jidbflcj.exe
PID 1696 wrote to memory of 4584	1696	Jbhmdbnp.exe	Jidbflcj.exe
PID 4584 wrote to memory of 5108	4584	Jidbflcj.exe	Jpojcf32.exe
PID 4584 wrote to memory of 5108	4584	Jidbflcj.exe	Jpojcf32.exe
PID 4584 wrote to memory of 5108	4584	Jidbflcj.exe	Jpojcf32.exe
PID 5108 wrote to memory of 1508	5108	Jpojcf32.exe	Jmbklj32.exe
PID 5108 wrote to memory of 1508	5108	Jpojcf32.exe	Jmbklj32.exe
PID 5108 wrote to memory of 1508	5108	Jpojcf32.exe	Jmbklj32.exe
PID 1508 wrote to memory of 4372	1508	Jmbklj32.exe	Kpccnefa.exe
PID 1508 wrote to memory of 4372	1508	Jmbklj32.exe	Kpccnefa.exe
PID 1508 wrote to memory of 4372	1508	Jmbklj32.exe	Kpccnefa.exe
PID 4372 wrote to memory of 3340	4372	Kpccnefa.exe	Kmgdgjek.exe
PID 4372 wrote to memory of 3340	4372	Kpccnefa.exe	Kmgdgjek.exe
PID 4372 wrote to memory of 3340	4372	Kpccnefa.exe	Kmgdgjek.exe
PID 3340 wrote to memory of 1812	3340	Kmgdgjek.exe	Kbdmpqcb.exe
PID 3340 wrote to memory of 1812	3340	Kmgdgjek.exe	Kbdmpqcb.exe
PID 3340 wrote to memory of 1812	3340	Kmgdgjek.exe	Kbdmpqcb.exe
PID 1812 wrote to memory of 1836	1812	Kbdmpqcb.exe	Kinemkko.exe
PID 1812 wrote to memory of 1836	1812	Kbdmpqcb.exe	Kinemkko.exe
PID 1812 wrote to memory of 1836	1812	Kbdmpqcb.exe	Kinemkko.exe
PID 1836 wrote to memory of 3836	1836	Kinemkko.exe	Kdcijcke.exe
PID 1836 wrote to memory of 3836	1836	Kinemkko.exe	Kdcijcke.exe
PID 1836 wrote to memory of 3836	1836	Kinemkko.exe	Kdcijcke.exe
PID 3836 wrote to memory of 4776	3836	Kdcijcke.exe	Kipabjil.exe
PID 3836 wrote to memory of 4776	3836	Kdcijcke.exe	Kipabjil.exe
PID 3836 wrote to memory of 4776	3836	Kdcijcke.exe	Kipabjil.exe
PID 4776 wrote to memory of 2572	4776	Kipabjil.exe	Kdffocib.exe
PID 4776 wrote to memory of 2572	4776	Kipabjil.exe	Kdffocib.exe
PID 4776 wrote to memory of 2572	4776	Kipabjil.exe	Kdffocib.exe
PID 2572 wrote to memory of 116	2572	Kdffocib.exe	Kgdbkohf.exe
PID 2572 wrote to memory of 116	2572	Kdffocib.exe	Kgdbkohf.exe
PID 2572 wrote to memory of 116	2572	Kdffocib.exe	Kgdbkohf.exe
PID 116 wrote to memory of 1312	116	Kgdbkohf.exe	Kmnjhioc.exe
PID 116 wrote to memory of 1312	116	Kgdbkohf.exe	Kmnjhioc.exe
PID 116 wrote to memory of 1312	116	Kgdbkohf.exe	Kmnjhioc.exe
PID 1312 wrote to memory of 2752	1312	Kmnjhioc.exe	Kckbqpnj.exe
PID 1312 wrote to memory of 2752	1312	Kmnjhioc.exe	Kckbqpnj.exe
PID 1312 wrote to memory of 2752	1312	Kmnjhioc.exe	Kckbqpnj.exe
PID 2752 wrote to memory of 3456	2752	Kckbqpnj.exe	Lalcng32.exe
PID 2752 wrote to memory of 3456	2752	Kckbqpnj.exe	Lalcng32.exe
PID 2752 wrote to memory of 3456	2752	Kckbqpnj.exe	Lalcng32.exe
PID 3456 wrote to memory of 1184	3456	Lalcng32.exe	Ldkojb32.exe
PID 3456 wrote to memory of 1184	3456	Lalcng32.exe	Ldkojb32.exe
PID 3456 wrote to memory of 1184	3456	Lalcng32.exe	Ldkojb32.exe
PID 1184 wrote to memory of 2152	1184	Ldkojb32.exe	Lgikfn32.exe
PID 1184 wrote to memory of 2152	1184	Ldkojb32.exe	Lgikfn32.exe
PID 1184 wrote to memory of 2152	1184	Ldkojb32.exe	Lgikfn32.exe
PID 2152 wrote to memory of 1620	2152	Lgikfn32.exe	Liggbi32.exe
PID 2152 wrote to memory of 1620	2152	Lgikfn32.exe	Liggbi32.exe
PID 2152 wrote to memory of 1620	2152	Lgikfn32.exe	Liggbi32.exe
PID 1620 wrote to memory of 3996	1620	Liggbi32.exe	Lmccchkn.exe
PID 1620 wrote to memory of 3996	1620	Liggbi32.exe	Lmccchkn.exe
PID 1620 wrote to memory of 3996	1620	Liggbi32.exe	Lmccchkn.exe
PID 3996 wrote to memory of 2304	3996	Lmccchkn.exe	Lpappc32.exe

C:\Users\Admin\AppData\Local\Temp\4493e4236784036c82f40e48381f40ac9e1776a6b20fce3287aa0a6c318ed60c.exe
"C:\Users\Admin\AppData\Local\Temp\4493e4236784036c82f40e48381f40ac9e1776a6b20fce3287aa0a6c318ed60c.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4784
- C:\Windows\SysWOW64\Jiphkm32.exe
  C:\Windows\system32\Jiphkm32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3536
- - C:\Windows\SysWOW64\Jpjqhgol.exe
    C:\Windows\system32\Jpjqhgol.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:3432
  - - C:\Windows\SysWOW64\Jbhmdbnp.exe
      C:\Windows\system32\Jbhmdbnp.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:1696
    - - C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4584
      - C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5108
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1508
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4372
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3340
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1812
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1836
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3836
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4776
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2572
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:116
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1312
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2752
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3456
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1184
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2152
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1620
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3996
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2304
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1616
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:464
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:908
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1232
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3776
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2772
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1104
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:876
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4500
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4388
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4652
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4484
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2936
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2732
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3316
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        39⤵
        Executes dropped EXE
        
        PID:4912
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4800
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:516
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        42⤵
        Executes dropped EXE
        
        PID:5080
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4632
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3100
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3108
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:8
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:32
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:940
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1540
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        50⤵
        Executes dropped EXE
        
        PID:2492
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2652
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4676
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        53⤵
        Executes dropped EXE
        
        PID:4424
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4796
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1632
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1888
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1512
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3440
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4280
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4392
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3216
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1524
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        63⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1868
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3168
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3892
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2212
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2788
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        68⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3632
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3816
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        70⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2192 -s 400
        71⤵
        Program crash
        
        PID:4284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2192 -ip 2192
1⤵
PID:1596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Jbhmdbnp.exe

Filesize
768KB

MD5
1747b27e3f4ada8678ec85a7300cae52

SHA1
c104b200d2f9cbc69a0f060af73cec9ee0c6c3c8

SHA256
32e868c82daaceb5b23996beac75d13ad97883801d23e1ff6ab4cfe3e2b7a118

SHA512
616ca228429a8823be607b145accf4944eb97e0da895d91a77541fba7613760379b696acbeef612bcfd4e65b438ca6d162b38776f880bb624fec515e6db548d0

Download Submit
C:\Windows\SysWOW64\Jidbflcj.exe

Filesize
768KB

MD5
1f76f83044cb787a539c52c248b4c000

SHA1
be8aa165d401e34cf67993f9f7c8dfc35ac91bd4

SHA256
adfecc27aa96435b2085b5977609bee6b613d534073385029f4b4efe1876f75b

SHA512
398c30210b4b74b098c09f35c76191f216e4620e8e018b3fba885383c43a0b23f35e8077478518a331288c91d7da4dadc446c1cc98859670f5977bb72889a4c6

Download Submit
C:\Windows\SysWOW64\Jiphkm32.exe

Filesize
768KB

MD5
f3dbdecc867c5672d844846df7f782ec

SHA1
09dee4b3da7ae79576a538bb26d40307e3160aff

SHA256
b9d250148aec3603267f50097cb8eb24365ce14b618a99126774e9e5a5555223

SHA512
60a76ec4bbc1f9ab6dd9890b1f38a6404a3615275bf13f65d3eb4ef4f3fa3302249f0fe11921343c5a956fbf0fde5d499ce6364b6a45eedc78b0dc15488ddf3e

Download Submit
C:\Windows\SysWOW64\Jmbklj32.exe

Filesize
768KB

MD5
100af2fcfdf401c79cf0390b7001a215

SHA1
67413e27203e1ef2fba525b2d8e7ba25abfde975

SHA256
29aeac328675f5b2d727a0d6253883be94ba5713799505ba30b2496a0196616a

SHA512
cea74d03244911f5a96ba0869b928f8d2227bc891a216f70753f869d16dd8653acb41e0579effe95c3bf290e110aaa101e792ef96248266a22a5f3f077469f4c

Download Submit
C:\Windows\SysWOW64\Jpjqhgol.exe

Filesize
768KB

MD5
8ba6b4b21c3cbe2036e165edf422821e

SHA1
a444524cbc737fbe9a8478355ff0e74dd983534a

SHA256
e5776677b13c640e2a1d0497ec036c3383d87be05cc07d5989d8ce0841b6e2fb

SHA512
dbf766de100dd2ad403de6d37452f141d5501a74959b6a5570d2d8a6c7991cf597f0666ca1d97a6187de7dd3cb193f6cf6c035ed00c0f5a72d284610425bc071

Download Submit
C:\Windows\SysWOW64\Jpojcf32.exe

Filesize
768KB

MD5
3ab741f830f123e57959e3aeda16e40b

SHA1
747517ab6dd7a41e1475fdce5279ea075a440d79

SHA256
4fac5f434cae25773171020200f5a93834c8e0b1e37b0c75283c1ceb05c9d87e

SHA512
209dd3675b4a4dd07217c5567dd8aa7480ddcaaca6137e0d8e1b27debc20d476fd7b4ead4a5ad22e13fbc351609a4da0604bf7b8a5905bb8c6f362e67081aa6f

Download Submit
C:\Windows\SysWOW64\Kbdmpqcb.exe

Filesize
768KB

MD5
e0b5a414096688986fddbb0ae976f9ea

SHA1
847e308602666ae383cc247ea36ac8edbf755734

SHA256
a348a70c019e69a0d0bc0f84eaa9a31562e60cd3bedaa12392e7441c516f8428

SHA512
04c1922972729587f01275b8568aacb44543fcaef1a605d0c37d5126d06e860ae28010446765326a02da001264dd629fe14a73295e8a829cfc75d402e55fb1a6

Download Submit
C:\Windows\SysWOW64\Kckbqpnj.exe

Filesize
768KB

MD5
8130a551004d5451741f280493fe1ca9

SHA1
f8a940ee29daa7f6bc4a6aab4063e4c95b171c79

SHA256
ab84c1296ac6f820cc25172f0f8159965dbf2774d6660236b09db6ec3b05e2af

SHA512
9e1177d75fb3b918d5481cdb6eaf66fc163b662f01f63fe93d4b2b239cf192ffd711146b36928def7d7c31a4001cfb1733403f47e3eb176233db3f1ae88fe72d

Download Submit
C:\Windows\SysWOW64\Kdcijcke.exe

Filesize
768KB

MD5
3ea24280768e6c090fa6477aa76f9750

SHA1
94bdf38ada6a6e2dca29d33904552467bdaa62b2

SHA256
7afec4d859a2d9f6eb957fd7fdafcd970f318246b263ca8e6e79d39d2104fcb0

SHA512
0cab102392bdeb2f368e2044b97a969ca0ee862cc96ac873b044de66145dbde2e739d65bbd0e7e0e519e8e1bee2743eed34c2d57a65d29e6fd85670beb70e2e6

Download Submit
C:\Windows\SysWOW64\Kdffocib.exe

Filesize
768KB

MD5
ae48d372517c40678b871519ec27e711

SHA1
2aa74f93dbf4856e373273024117bc377c24795c

SHA256
b8bf1f84f2af4347efbbba9002de7b697587ed967f973414bd6644b06ae60ec6

SHA512
109aa76b6ff6e468dc2c72f29826cca4d3d6128fe91d1e9f76b382a4dcc2a120447d3ff5564e25c1f6e847b3498ca821189c6b109233d6dbe582dd2a51978f38

Download Submit
C:\Windows\SysWOW64\Kgdbkohf.exe

Filesize
768KB

MD5
70182ad3606acdb8c79daa226c92e811

SHA1
f74fd0b6d4b742c7aacdbe9dee82929cb6e0f7bd

SHA256
4b7eec044d7ee763ce192ce8cead2ebdb34e546e507b5cf9b5bd867e85c326f4

SHA512
395330b6a0ba51f769f7efeff4b3217cf3c717dc937d01303b7bd4071120361d79bccfd03c69c721e46b294aadda44e04a9c10cdeae996aceaf2c1c1b0144c66

Download Submit
C:\Windows\SysWOW64\Kinemkko.exe

Filesize
768KB

MD5
f448c5a2735bd785a0c8bdd3bad1abb4

SHA1
8c7816690f781f95d1ce3062c5e77734184c637e

SHA256
ba531b333aa581deea4ea759a873a22830e93365c42ac808c595d690ff3b4440

SHA512
f2e205c138d4b03908b25529304ddc9e587a68610c5d18b0ed298285a39b3d5ab7b113e29c27367a94207b7a3761bc33e3cb215a9b4e32e9a5d66d07db2363a6

Download Submit
C:\Windows\SysWOW64\Kipabjil.exe

Filesize
768KB

MD5
62838cab4746c1719f2fda13757cbf7e

SHA1
809aed9f79e5c63719ade3e0f546c7cbb0e78a7d

SHA256
2b18e7bf917a589d6bb6e90b49f6c8f01b557505a7e8c828d737c95cd0170af6

SHA512
c77b96b520a06a610c93e158206775b721450ac29cdc8f0fa277c10b3f43bd0229c040aa8a12631e66d6dda9c99671d81f67071c77a113b679b4346d444127d2

Download Submit
C:\Windows\SysWOW64\Kmgdgjek.exe

Filesize
768KB

MD5
956b29e5b8f6286feec9fd6d7f605376

SHA1
63b949cc6068dfadc730efbdcd050a4fa3dc1a94

SHA256
afbc452bb132cf20a9265c9a52b5ceec2309a71ad56dc164b18e5c8fd2ef4b54

SHA512
1f3246e5714eb25563923f8e86256ffbbe299e508a4f763ed632092aa9da5628bcca629c092ef9f60bbdaf197ba24799f510a176a0b8c55b08098a2f2f513e38

Download Submit
C:\Windows\SysWOW64\Kmnjhioc.exe

Filesize
768KB

MD5
eb3e2910d616f7fd14fc2ad7353782b5

SHA1
668d508a8ca7d809e3c297d4601658e574c7ec7d

SHA256
827145a3209470c14424a0da0db57a2e0f483da0b8a68a9e6e750d95e9071e00

SHA512
701c2616ad84447e0d22a5e74d0d65af562d412a919348377fca74e859bcefa3f0ab11ecaa24a5b71dbd8b7d647bc160b336da6822033799697151bb1079c9ae

Download Submit
C:\Windows\SysWOW64\Kpccnefa.exe

Filesize
768KB

MD5
901a16bf9e6d05ee506b34a232497d8d

SHA1
e01fdde52309d0a188f2d84d620ba89db121d503

SHA256
ee29036cccee390e19ad261e4a9e5afc1923f1b8e3a1b8a869dacb8582d47d07

SHA512
8fe6e0255a9f7935e27f5620d7cfa9587109686d88e32785f2d7498f004d31a0c59ac24bdb7a0027028c90409dbd6565b9cf0741de133f8e8c3843ebbb253469

Download Submit
C:\Windows\SysWOW64\Laalifad.exe

Filesize
768KB

MD5
2fb7dfabaf6920e5443d0f8f031a41ad

SHA1
8f6b56f25a4b750385b4b1743c05040f72b6b76d

SHA256
47dfa607bcf8280ae903404c7a6516e20d50b888e1c9a7c27bc010e609548b54

SHA512
c601fa02f6e4a51984f617ca7a51c9815347ecb9f86c2c92388c83314b10fabbf59b618b70a17cbf83b2f3b6273aa33ff8ef908671d0e2f41292e45c6a86d178

Download Submit
C:\Windows\SysWOW64\Laciofpa.exe

Filesize
768KB

MD5
1a6bef6b604f0e952607abe4598009bd

SHA1
59fdeb6ac71df24c1fd29111593a20403fa2342f

SHA256
b467211ad3d1103576b7f0e5a180d806dab61197907440cf790e1bd7a870ebc2

SHA512
668e1514c7f17e38699a598a247b0b7b15b9a4d34fae0f9f259993bea2f0dcc73fb8e9aaeb7ad0c9b6284fbd0e4de4b0db831e0a0ab8eafee06ca84ef17a9a26

Download Submit
C:\Windows\SysWOW64\Lalcng32.exe

Filesize
768KB

MD5
35f6c459b3563c2931537602ba272aa3

SHA1
e0935902e7801901bf2c8413128e60e81877ad4f

SHA256
88e4f927de2490855fa0410c29d90abc325618d558bc5ccba08cc536c9de1b7c

SHA512
590e698ab4638fdf1f27700c2534954360b9424440757e69c29c234e842585317de0f33f64d02f0ff5e5a253526816226dfc81407b66a199b84bd1127b667149

Download Submit
C:\Windows\SysWOW64\Lcbiao32.exe

Filesize
768KB

MD5
d0daf1f95ebfb91252af8d01714b432c

SHA1
e626e3e966b41175a3241dac3e16f8ef8d2b4357

SHA256
c823f915995a256e47e3df1847eef3d528416a142ff18f4813a315cd0189ffec

SHA512
5ca03efb3ba35e4c11bd8da5e3810ed24aa87397df2e85d2ad450d02ab6a9dcc185f50dbffb5326566a28e02ed447febf3e037de6cfef62d0a5f21843f3753aa

Download Submit
C:\Windows\SysWOW64\Lcpllo32.exe

Filesize
768KB

MD5
b62b9f983ca042e3a6669192918f5865

SHA1
6ed6565cdf6836ae2168c94df3b1c186875623e9

SHA256
592692cf47cf0120810fe6086d802bce842f442b4ffd60ea635401ca5c0a2309

SHA512
ac4b69d62b6037fc811233b9b6039ce1603f9ac0b2c7c6245f886af716e40ab90a80d9ee1ff8a97caab0a520478808b78613f468e1abfb2db90d3bbff99fe738

Download Submit
C:\Windows\SysWOW64\Ldaeka32.exe

Filesize
768KB

MD5
1f2866feae1ccb3dffe3bbba5d76eb66

SHA1
174aaf7045908443cf8284551f28d81f78f5e782

SHA256
553ad4777cda6d8e5ce0b46c14244c23c1aa111406ac0ef331110897239a792e

SHA512
fd84fabd6ba3164cc03f0c23fb6526b0605342ed91a82e28ef3fdfa29a3d9b3002a40ff6240030e61cb7ca0d619eb2148c63e7306f9f81f722b2b43749b3a6f8

Download Submit
C:\Windows\SysWOW64\Ldkojb32.exe

Filesize
768KB

MD5
1a847866ad2968f4a72881df12508ce9

SHA1
b2c8ef0c2a31d0da3a17a1c73d6fe85605922e08

SHA256
d60a2626a7d1251bb2d4f96a066a25420294f047bcbbe439ae1ad50559213676

SHA512
f5fce067758ebf3b55dab49b88a9a1f49398554af4b7e46ae6561082b673034b5e12942485b51852da2745ceb7febe3683d361ad1587d6f278dcb952edba06d0

Download Submit
C:\Windows\SysWOW64\Lgikfn32.exe

Filesize
768KB

MD5
3a05c3facf1a5bc201aa62929dc0e575

SHA1
580e1fbafa73ff8a143a4d189a6cc0253d564925

SHA256
d236f93e7af49777ef898fb47aea6e05fb47d4c3d123e5288402b79241c204e7

SHA512
672f9f69302ac9884fc343b846d84d98577756f160c7a86e3f333df80e1ceaac09f502ec371d0cdef968cfe0fb2f0749b6fca71cb42d2f40548b0ffef94675b5

Download Submit
C:\Windows\SysWOW64\Lgpagm32.exe

Filesize
768KB

MD5
d0cf7d8f35abc1cdf9d82ea3a684487d

SHA1
7288bf9ab8761f23bd4e52a7ece3d5f4927e4abb

SHA256
9752902efee41dcfce47858c43078e703387a28d1951fe2386d135475a3dd69e

SHA512
76cdfc542d9f9f8fefd453f5434010290f5d4b7e3392d1421820e575b391d748c2f5c82f76bebc8b3cb43e4194521489e2d56ff6b644a4e41399af5ffbd933bc

Download Submit
C:\Windows\SysWOW64\Liggbi32.exe

Filesize
768KB

MD5
ef68787efef8e407e8df1c155ee9a007

SHA1
8773122247774564644d99dbae0d436e894d1dbc

SHA256
58c06fdd10083be6ddf89bd18f270f1afff83b447e10918f2473676ee903b8f3

SHA512
09f11491b521056696717bfeb639b8960be1c1d6a9582b65c631ac3dbcf3a544778367817f4389f28f3c23e59250f1ea67fb1035d8251173c85f5f70e1ab8d66

Download Submit
C:\Windows\SysWOW64\Lijdhiaa.exe

Filesize
768KB

MD5
70f146a68214d3e1c527ef9ce44a72ca

SHA1
1315bf5dedbb72353800aafdee8466ebfc758eed

SHA256
c5c405c428342de8d93799c8431c3f31ec71e7e6119d0c15d42454f371e055c4

SHA512
98fe1754bfede8a7196f9d9e73eb467564054c983486d865dfe13c015807342ab0b71addba101027ff961096cac57571f15f9b11bf0275d2ec25cc7c57d19da1

Download Submit
C:\Windows\SysWOW64\Lkgdml32.exe

Filesize
768KB

MD5
5fd00b88d974eb1a6debb743f78f4aef

SHA1
504f99d2c7786a938b8ebfd5e269c9915bcbb1ec

SHA256
c9fa06e465ba2a0d86e0c58cd30191064eaeabcc9a0c0c4f133b519c8e20322b

SHA512
b8032902a8d8ed8df38e311d50c96b5075aae1651d8205a07cc34833455c67a32b9f27283f0847b223b224e018bbf049a847523587b59e6d7a9a917956c4e663

Download Submit
C:\Windows\SysWOW64\Lkiqbl32.exe

Filesize
768KB

MD5
ee0ea5da9427e98aad0bd03e8ac64d6e

SHA1
663ba8d2130ab089914c97b2b49cd6c999c7c6f7

SHA256
f6b4da6b79853dae4c952bfa9b6e3ef9a7894335b45936a9d5829b1e9500f6d8

SHA512
cce0b5aabb4caee57bb68e039cf75047e23e1a54dd32bea139ae64a971f98a37df3c010e49cb0580afbd30d4dcbd9c0dfeb7d83e5791a00af83f0a47a2625b89

Download Submit
C:\Windows\SysWOW64\Lmccchkn.exe

Filesize
768KB

MD5
334bb90a4da31e2e9a4f6b0965ced84b

SHA1
9b35ecb3fd13a40133b0dd60a681b2bfc54b889b

SHA256
1b57c44fb361c0916f4bb81aab0111928f877b41f646bbcd83b3d44375ae40e9

SHA512
5aac46d6f83dc037c5b9954f58e0331366d07e96ab2695994c65131045626e2c6f7106adcb2fa8fb32a7e34b09cce7785f5809973eaeaee91372f7cbd79a0537

Download Submit
C:\Windows\SysWOW64\Lpappc32.exe

Filesize
768KB

MD5
edd724c2b251b2778f2cc0aa9242db55

SHA1
3850649d1a69e4dffebb438bde657acb901be48e

SHA256
84036496f57c54817ef104da3582613631531e3c7877f18ebacd623bbee1ec32

SHA512
7a0250bbf2b4d0a68d29765ab00fb797c80c4dea1681311bfc23579890ad8b66a0a3fe37177276988c9509e0bc81b9260f5774a269288b8244b3f06bb3804beb

Download Submit
C:\Windows\SysWOW64\Lpcmec32.exe

Filesize
768KB

MD5
36a67050f09f3247041b230d04d5efd7

SHA1
4d648e844169ca6d30dd96ec97e0b5e441dcf8da

SHA256
4d1c8f5e24f37151b343f44ecfae53131d09a269846087f339c321af6e3b52a3

SHA512
4ef9a89f073a090adea09a1db6c5caef301606524c68473dd9bf6832d7a321d6bd83050b1d8c0734dd82217f6cea9c493e2cb25cca0f205e8c02d49b3e7f26ea

Download Submit
memory/8-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/32-456-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/116-117-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/464-434-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/516-450-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/876-440-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/908-435-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/940-457-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1104-439-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1184-428-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1232-436-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1312-121-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1312-536-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1508-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1508-551-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1512-466-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1524-471-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1540-458-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1616-433-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1620-430-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1632-464-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1696-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1696-557-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1812-545-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1812-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1836-544-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1836-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1868-472-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1888-465-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2152-429-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2192-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2212-475-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2304-432-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2492-459-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2572-116-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2652-460-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2732-446-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2752-426-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2772-438-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2788-476-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2936-445-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3100-453-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3108-454-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3168-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3216-470-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3316-447-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3340-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3340-548-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3432-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3432-559-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3440-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3456-427-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3536-561-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3536-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3632-477-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3776-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3816-478-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3836-541-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3836-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3892-474-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3996-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4280-468-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4372-549-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4372-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4388-442-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4392-469-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4424-462-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4484-444-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4500-441-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4584-555-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4584-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4632-452-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4652-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4676-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4776-540-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4776-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4784-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4784-563-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4784-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4796-463-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4800-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4912-448-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5080-451-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5108-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5108-553-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download