6f84d290001657ad700248e8603852acb7ae0ec6e7404e2a4e1638c4a2862867

Analysis

max time kernel
138s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 22:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6f84d290001657ad700248e8603852acb7ae0ec6e7404e2a4e1638c4a2862867.exe
Size

64KB
MD5

028c4e93ad7041287963b076d09e7e38
SHA1

a39f170686a13db9ad8dc365973de59a9cf8f01d
SHA256

6f84d290001657ad700248e8603852acb7ae0ec6e7404e2a4e1638c4a2862867
SHA512

cb9f2d390599d0dcbb133e5c0fafc52fdd364eeca06891bae590c418e54b39fb8eaa433492578e8ce1df30efb64d0fc20bb645cf683c21e201aad9e1fcc89143
SSDEEP

1536:eU+QKG+r97LdwHLLc3Lr4FUXruCHcpzt/Idn:GQKzmHc7r6pFwn

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Lkgdml32.exeMpmokb32.exeNnhfee32.exeJbhmdbnp.exeLklnhlfb.exeMcklgm32.exeMdkhapfj.exeNjcpee32.exeLnjjdgee.exeJfffjqdf.exeJmpngk32.exeLcgblncm.exeMpdelajl.exeLpocjdld.exeNgedij32.exeLaciofpa.exeMkbchk32.exeNdbnboqb.exeNafokcol.exeKkpnlm32.exeLgkhlnbn.exeMnlfigcc.exeKdaldd32.exeNqmhbpba.exeMkepnjng.exeJigollag.exeMciobn32.exeMgidml32.exeJjmhppqd.exeKbapjafe.exeKgphpo32.exeJfhbppbc.exeJiikak32.exeMnocof32.exeNkncdifl.exeIinlemia.exeKkihknfg.exeKmjqmi32.exeLaopdgcg.exeJidbflcj.exeMajopeii.exeLmqgnhmp.exeKagichjo.exeMglack32.exeNbkhfc32.exeKgbefoji.exeMncmjfmk.exeKpmfddnf.exeJpojcf32.exeJbocea32.exeMpkbebbf.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbhmdbnp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfffjqdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmpngk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laciofpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkpnlm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdaldd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdaldd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jigollag.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mciobn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgidml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjmhppqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbapjafe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgphpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfhbppbc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jiikak32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iinlemia.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmjqmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jidbflcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmjqmi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kagichjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mglack32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgbefoji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpmfddnf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpojcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jigollag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbocea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbhmdbnp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfhbppbc.exe

Executes dropped EXE 64 IoCs

Processes:

Idacmfkj.exeIjkljp32.exeIinlemia.exeJpgdbg32.exeJfaloa32.exeJjmhppqd.exeJmkdlkph.exeJdemhe32.exeJbhmdbnp.exeJibeql32.exeJplmmfmi.exeJfffjqdf.exeJidbflcj.exeJmpngk32.exeJpojcf32.exeJfhbppbc.exeJigollag.exeJangmibi.exeJbocea32.exeJiikak32.exeKaqcbi32.exeKbapjafe.exeKkihknfg.exeKacphh32.exeKdaldd32.exeKgphpo32.exeKmjqmi32.exeKphmie32.exeKgbefoji.exeKipabjil.exeKagichjo.exeKdffocib.exeKkpnlm32.exeKmnjhioc.exeKpmfddnf.exeKckbqpnj.exeKkbkamnl.exeLmqgnhmp.exeLpocjdld.exeLiggbi32.exeLaopdgcg.exeLdmlpbbj.exeLgkhlnbn.exeLkgdml32.exeLaalifad.exeLdohebqh.exeLgneampk.exeLkiqbl32.exeLnhmng32.exeLaciofpa.exeLdaeka32.exeLgpagm32.exeLklnhlfb.exeLnjjdgee.exeLphfpbdi.exeLcgblncm.exeMjqjih32.exeMnlfigcc.exeMpkbebbf.exeMciobn32.exeMkpgck32.exeMnocof32.exeMajopeii.exeMpmokb32.exe

pid	process
3536	Idacmfkj.exe
1900	Ijkljp32.exe
1968	Iinlemia.exe
4236	Jpgdbg32.exe
976	Jfaloa32.exe
2108	Jjmhppqd.exe
3600	Jmkdlkph.exe
2996	Jdemhe32.exe
4372	Jbhmdbnp.exe
4212	Jibeql32.exe
3340	Jplmmfmi.exe
1956	Jfffjqdf.exe
1564	Jidbflcj.exe
3100	Jmpngk32.exe
3836	Jpojcf32.exe
2040	Jfhbppbc.exe
2544	Jigollag.exe
4364	Jangmibi.exe
2924	Jbocea32.exe
1656	Jiikak32.exe
2900	Kaqcbi32.exe
2016	Kbapjafe.exe
2504	Kkihknfg.exe
4796	Kacphh32.exe
2792	Kdaldd32.exe
1496	Kgphpo32.exe
1568	Kmjqmi32.exe
4744	Kphmie32.exe
1436	Kgbefoji.exe
3804	Kipabjil.exe
2536	Kagichjo.exe
4164	Kdffocib.exe
3904	Kkpnlm32.exe
1160	Kmnjhioc.exe
1768	Kpmfddnf.exe
4872	Kckbqpnj.exe
3928	Kkbkamnl.exe
2816	Lmqgnhmp.exe
4064	Lpocjdld.exe
2992	Liggbi32.exe
4472	Laopdgcg.exe
2640	Ldmlpbbj.exe
4116	Lgkhlnbn.exe
2708	Lkgdml32.exe
3920	Laalifad.exe
2448	Ldohebqh.exe
2228	Lgneampk.exe
464	Lkiqbl32.exe
4144	Lnhmng32.exe
5016	Laciofpa.exe
3564	Ldaeka32.exe
1104	Lgpagm32.exe
4636	Lklnhlfb.exe
3832	Lnjjdgee.exe
3320	Lphfpbdi.exe
3316	Lcgblncm.exe
5072	Mjqjih32.exe
4632	Mnlfigcc.exe
5056	Mpkbebbf.exe
208	Mciobn32.exe
3812	Mkpgck32.exe
2788	Mnocof32.exe
4424	Majopeii.exe
4696	Mpmokb32.exe

Drops file in System32 directory 64 IoCs

Processes:

Lgkhlnbn.exeMkbchk32.exeNdbnboqb.exeKmjqmi32.exeKmnjhioc.exeLdaeka32.exeMkpgck32.exeJidbflcj.exeJangmibi.exeKdffocib.exeLaopdgcg.exeNgedij32.exeKckbqpnj.exeLiggbi32.exeLaciofpa.exeNafokcol.exeNqklmpdd.exeLmqgnhmp.exeLdmlpbbj.exeLkiqbl32.exeMamleegg.exeJpojcf32.exeKgbefoji.exeMjqjih32.exeMajopeii.exeJbocea32.exeLklnhlfb.exeLphfpbdi.exeKacphh32.exeKkbkamnl.exeLdohebqh.exeNjacpf32.exeNdidbn32.exeJplmmfmi.exeKgphpo32.exeMnapdf32.exeMkepnjng.exeNacbfdao.exeNqiogp32.exeJfaloa32.exeMciobn32.exeNqmhbpba.exe6f84d290001657ad700248e8603852acb7ae0ec6e7404e2a4e1638c4a2862867.exeJjmhppqd.exeMcklgm32.exeJigollag.exeMcpebmkb.exeJbhmdbnp.exeMcbahlip.exeNgcgcjnc.exeKphmie32.exeLgpagm32.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Dngdgf32.dll	Lgkhlnbn.exe
File opened for modification	C:\Windows\SysWOW64\Mnapdf32.exe	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Nnjbke32.exe	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Kphmie32.exe	Kmjqmi32.exe
File opened for modification	C:\Windows\SysWOW64\Kpmfddnf.exe	Kmnjhioc.exe
File opened for modification	C:\Windows\SysWOW64\Lkgdml32.exe	Lgkhlnbn.exe
File created	C:\Windows\SysWOW64\Bbgkjl32.dll	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Oedbld32.dll	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Jmpngk32.exe	Jidbflcj.exe
File created	C:\Windows\SysWOW64\Gmlgol32.dll	Jangmibi.exe
File opened for modification	C:\Windows\SysWOW64\Kkpnlm32.exe	Kdffocib.exe
File created	C:\Windows\SysWOW64\Ldmlpbbj.exe	Laopdgcg.exe
File created	C:\Windows\SysWOW64\Njcpee32.exe	Ngedij32.exe
File created	C:\Windows\SysWOW64\Kkbkamnl.exe	Kckbqpnj.exe
File opened for modification	C:\Windows\SysWOW64\Laopdgcg.exe	Liggbi32.exe
File opened for modification	C:\Windows\SysWOW64\Ldaeka32.exe	Laciofpa.exe
File opened for modification	C:\Windows\SysWOW64\Nqiogp32.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Nqiogp32.exe	Nafokcol.exe
File opened for modification	C:\Windows\SysWOW64\Ndghmo32.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Lpocjdld.exe	Lmqgnhmp.exe
File created	C:\Windows\SysWOW64\Eqbmje32.dll	Laopdgcg.exe
File created	C:\Windows\SysWOW64\Ndclfb32.dll	Ldmlpbbj.exe
File opened for modification	C:\Windows\SysWOW64\Lnhmng32.exe	Lkiqbl32.exe
File created	C:\Windows\SysWOW64\Njcqqgjb.dll	Mamleegg.exe
File opened for modification	C:\Windows\SysWOW64\Nnjbke32.exe	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Dbcjkf32.dll	Jpojcf32.exe
File opened for modification	C:\Windows\SysWOW64\Kipabjil.exe	Kgbefoji.exe
File created	C:\Windows\SysWOW64\Bidjkmlh.dll	Mjqjih32.exe
File opened for modification	C:\Windows\SysWOW64\Mpmokb32.exe	Majopeii.exe
File created	C:\Windows\SysWOW64\Jflepa32.dll	Jbocea32.exe
File created	C:\Windows\SysWOW64\Fldggfbc.dll	Lklnhlfb.exe
File created	C:\Windows\SysWOW64\Lcgblncm.exe	Lphfpbdi.exe
File opened for modification	C:\Windows\SysWOW64\Njcpee32.exe	Ngedij32.exe
File opened for modification	C:\Windows\SysWOW64\Jfhbppbc.exe	Jpojcf32.exe
File created	C:\Windows\SysWOW64\Kdaldd32.exe	Kacphh32.exe
File opened for modification	C:\Windows\SysWOW64\Lmqgnhmp.exe	Kkbkamnl.exe
File created	C:\Windows\SysWOW64\Hbocda32.dll	Ldohebqh.exe
File created	C:\Windows\SysWOW64\Nbhkac32.exe	Njacpf32.exe
File opened for modification	C:\Windows\SysWOW64\Nggqoj32.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Jfffjqdf.exe	Jplmmfmi.exe
File opened for modification	C:\Windows\SysWOW64\Kmjqmi32.exe	Kgphpo32.exe
File created	C:\Windows\SysWOW64\Jgengpmj.dll	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Mncmjfmk.exe	Mkepnjng.exe
File opened for modification	C:\Windows\SysWOW64\Ndbnboqb.exe	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Majknlkd.dll	Nqiogp32.exe
File opened for modification	C:\Windows\SysWOW64\Jjmhppqd.exe	Jfaloa32.exe
File created	C:\Windows\SysWOW64\Laopdgcg.exe	Liggbi32.exe
File created	C:\Windows\SysWOW64\Plilol32.dll	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Jfbhfihj.dll	Mciobn32.exe
File created	C:\Windows\SysWOW64\Mdkhapfj.exe	Mamleegg.exe
File opened for modification	C:\Windows\SysWOW64\Ndidbn32.exe	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Bpqnnk32.dll	6f84d290001657ad700248e8603852acb7ae0ec6e7404e2a4e1638c4a2862867.exe
File opened for modification	C:\Windows\SysWOW64\Jmkdlkph.exe	Jjmhppqd.exe
File created	C:\Windows\SysWOW64\Ckegia32.dll	Laciofpa.exe
File opened for modification	C:\Windows\SysWOW64\Mgghhlhq.exe	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Jangmibi.exe	Jigollag.exe
File created	C:\Windows\SysWOW64\Oaehlf32.dll	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Bclhoo32.dll	Jbhmdbnp.exe
File created	C:\Windows\SysWOW64\Ajgblndm.dll	Kgphpo32.exe
File created	C:\Windows\SysWOW64\Egqcbapl.dll	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Jkeang32.dll	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Olmeac32.dll	Jplmmfmi.exe
File created	C:\Windows\SysWOW64\Milgab32.dll	Kphmie32.exe
File created	C:\Windows\SysWOW64\Lklnhlfb.exe	Lgpagm32.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

5524 5436 WerFault.exe Nkcmohbg.exe

pid	pid_target	process	target process
5524	5436	WerFault.exe	Nkcmohbg.exe

Modifies registry class 64 IoCs

Processes:

Jmkdlkph.exeLdmlpbbj.exeLcgblncm.exeMajopeii.exeNgcgcjnc.exeNdidbn32.exeIjkljp32.exeNacbfdao.exeNbhkac32.exeKkbkamnl.exeMjqjih32.exeNgedij32.exeNjcpee32.exeJjmhppqd.exeLpocjdld.exeLgkhlnbn.exeMcklgm32.exeNqiogp32.exeKckbqpnj.exeJfaloa32.exeLkgdml32.exeLiggbi32.exeKkpnlm32.exeLaalifad.exeNjacpf32.exeJidbflcj.exeMgidml32.exeJplmmfmi.exeKgphpo32.exeMkbchk32.exeMkepnjng.exeNggqoj32.exeJpgdbg32.exeKphmie32.exeNafokcol.exeJdemhe32.exeKkihknfg.exeKacphh32.exeKagichjo.exeJibeql32.exeMnlfigcc.exeJangmibi.exeLnjjdgee.exeJigollag.exeLkiqbl32.exeIinlemia.exeKbapjafe.exeNnhfee32.exeNqklmpdd.exeLphfpbdi.exeMcbahlip.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjlcankg.dll"	Jmkdlkph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ijkljp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lppbjjia.dll"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bidjkmlh.dll"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jjmhppqd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dngdgf32.dll"	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Majknlkd.dll"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kckbqpnj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfaloa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pellipfm.dll"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oimhnoch.dll"	Kkpnlm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laalifad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jidbflcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgidml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jmkdlkph.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jplmmfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anmklllo.dll"	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgphpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciiqgjgg.dll"	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nggqoj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jpgdbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Milgab32.dll"	Kphmie32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nafokcol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njcpee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jdemhe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnckcnhb.dll"	Kacphh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kagichjo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcldhk32.dll"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljfemn32.dll"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbbjnidp.dll"	Jibeql32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgphpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdigkkd.dll"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jangmibi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcgqhjop.dll"	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jigollag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iinlemia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbapjafe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iinlemia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egqcbapl.dll"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipkobd32.dll"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qnoaog32.dll"	Jjmhppqd.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

6f84d290001657ad700248e8603852acb7ae0ec6e7404e2a4e1638c4a2862867.exeIdacmfkj.exeIjkljp32.exeIinlemia.exeJpgdbg32.exeJfaloa32.exeJjmhppqd.exeJmkdlkph.exeJdemhe32.exeJbhmdbnp.exeJibeql32.exeJplmmfmi.exeJfffjqdf.exeJidbflcj.exeJmpngk32.exeJpojcf32.exeJfhbppbc.exeJigollag.exeJangmibi.exeJbocea32.exeJiikak32.exeKaqcbi32.exe

description	pid	process	target process
PID 3496 wrote to memory of 3536	3496	6f84d290001657ad700248e8603852acb7ae0ec6e7404e2a4e1638c4a2862867.exe	Idacmfkj.exe
PID 3496 wrote to memory of 3536	3496	6f84d290001657ad700248e8603852acb7ae0ec6e7404e2a4e1638c4a2862867.exe	Idacmfkj.exe
PID 3496 wrote to memory of 3536	3496	6f84d290001657ad700248e8603852acb7ae0ec6e7404e2a4e1638c4a2862867.exe	Idacmfkj.exe
PID 3536 wrote to memory of 1900	3536	Idacmfkj.exe	Ijkljp32.exe
PID 3536 wrote to memory of 1900	3536	Idacmfkj.exe	Ijkljp32.exe
PID 3536 wrote to memory of 1900	3536	Idacmfkj.exe	Ijkljp32.exe
PID 1900 wrote to memory of 1968	1900	Ijkljp32.exe	Iinlemia.exe
PID 1900 wrote to memory of 1968	1900	Ijkljp32.exe	Iinlemia.exe
PID 1900 wrote to memory of 1968	1900	Ijkljp32.exe	Iinlemia.exe
PID 1968 wrote to memory of 4236	1968	Iinlemia.exe	Jpgdbg32.exe
PID 1968 wrote to memory of 4236	1968	Iinlemia.exe	Jpgdbg32.exe
PID 1968 wrote to memory of 4236	1968	Iinlemia.exe	Jpgdbg32.exe
PID 4236 wrote to memory of 976	4236	Jpgdbg32.exe	Jfaloa32.exe
PID 4236 wrote to memory of 976	4236	Jpgdbg32.exe	Jfaloa32.exe
PID 4236 wrote to memory of 976	4236	Jpgdbg32.exe	Jfaloa32.exe
PID 976 wrote to memory of 2108	976	Jfaloa32.exe	Jjmhppqd.exe
PID 976 wrote to memory of 2108	976	Jfaloa32.exe	Jjmhppqd.exe
PID 976 wrote to memory of 2108	976	Jfaloa32.exe	Jjmhppqd.exe
PID 2108 wrote to memory of 3600	2108	Jjmhppqd.exe	Jmkdlkph.exe
PID 2108 wrote to memory of 3600	2108	Jjmhppqd.exe	Jmkdlkph.exe
PID 2108 wrote to memory of 3600	2108	Jjmhppqd.exe	Jmkdlkph.exe
PID 3600 wrote to memory of 2996	3600	Jmkdlkph.exe	Jdemhe32.exe
PID 3600 wrote to memory of 2996	3600	Jmkdlkph.exe	Jdemhe32.exe
PID 3600 wrote to memory of 2996	3600	Jmkdlkph.exe	Jdemhe32.exe
PID 2996 wrote to memory of 4372	2996	Jdemhe32.exe	Jbhmdbnp.exe
PID 2996 wrote to memory of 4372	2996	Jdemhe32.exe	Jbhmdbnp.exe
PID 2996 wrote to memory of 4372	2996	Jdemhe32.exe	Jbhmdbnp.exe
PID 4372 wrote to memory of 4212	4372	Jbhmdbnp.exe	Jibeql32.exe
PID 4372 wrote to memory of 4212	4372	Jbhmdbnp.exe	Jibeql32.exe
PID 4372 wrote to memory of 4212	4372	Jbhmdbnp.exe	Jibeql32.exe
PID 4212 wrote to memory of 3340	4212	Jibeql32.exe	Jplmmfmi.exe
PID 4212 wrote to memory of 3340	4212	Jibeql32.exe	Jplmmfmi.exe
PID 4212 wrote to memory of 3340	4212	Jibeql32.exe	Jplmmfmi.exe
PID 3340 wrote to memory of 1956	3340	Jplmmfmi.exe	Jfffjqdf.exe
PID 3340 wrote to memory of 1956	3340	Jplmmfmi.exe	Jfffjqdf.exe
PID 3340 wrote to memory of 1956	3340	Jplmmfmi.exe	Jfffjqdf.exe
PID 1956 wrote to memory of 1564	1956	Jfffjqdf.exe	Jidbflcj.exe
PID 1956 wrote to memory of 1564	1956	Jfffjqdf.exe	Jidbflcj.exe
PID 1956 wrote to memory of 1564	1956	Jfffjqdf.exe	Jidbflcj.exe
PID 1564 wrote to memory of 3100	1564	Jidbflcj.exe	Jmpngk32.exe
PID 1564 wrote to memory of 3100	1564	Jidbflcj.exe	Jmpngk32.exe
PID 1564 wrote to memory of 3100	1564	Jidbflcj.exe	Jmpngk32.exe
PID 3100 wrote to memory of 3836	3100	Jmpngk32.exe	Jpojcf32.exe
PID 3100 wrote to memory of 3836	3100	Jmpngk32.exe	Jpojcf32.exe
PID 3100 wrote to memory of 3836	3100	Jmpngk32.exe	Jpojcf32.exe
PID 3836 wrote to memory of 2040	3836	Jpojcf32.exe	Jfhbppbc.exe
PID 3836 wrote to memory of 2040	3836	Jpojcf32.exe	Jfhbppbc.exe
PID 3836 wrote to memory of 2040	3836	Jpojcf32.exe	Jfhbppbc.exe
PID 2040 wrote to memory of 2544	2040	Jfhbppbc.exe	Jigollag.exe
PID 2040 wrote to memory of 2544	2040	Jfhbppbc.exe	Jigollag.exe
PID 2040 wrote to memory of 2544	2040	Jfhbppbc.exe	Jigollag.exe
PID 2544 wrote to memory of 4364	2544	Jigollag.exe	Jangmibi.exe
PID 2544 wrote to memory of 4364	2544	Jigollag.exe	Jangmibi.exe
PID 2544 wrote to memory of 4364	2544	Jigollag.exe	Jangmibi.exe
PID 4364 wrote to memory of 2924	4364	Jangmibi.exe	Jbocea32.exe
PID 4364 wrote to memory of 2924	4364	Jangmibi.exe	Jbocea32.exe
PID 4364 wrote to memory of 2924	4364	Jangmibi.exe	Jbocea32.exe
PID 2924 wrote to memory of 1656	2924	Jbocea32.exe	Jiikak32.exe
PID 2924 wrote to memory of 1656	2924	Jbocea32.exe	Jiikak32.exe
PID 2924 wrote to memory of 1656	2924	Jbocea32.exe	Jiikak32.exe
PID 1656 wrote to memory of 2900	1656	Jiikak32.exe	Kaqcbi32.exe
PID 1656 wrote to memory of 2900	1656	Jiikak32.exe	Kaqcbi32.exe
PID 1656 wrote to memory of 2900	1656	Jiikak32.exe	Kaqcbi32.exe
PID 2900 wrote to memory of 2016	2900	Kaqcbi32.exe	Kbapjafe.exe

C:\Users\Admin\AppData\Local\Temp\6f84d290001657ad700248e8603852acb7ae0ec6e7404e2a4e1638c4a2862867.exe
"C:\Users\Admin\AppData\Local\Temp\6f84d290001657ad700248e8603852acb7ae0ec6e7404e2a4e1638c4a2862867.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3496

C:\Windows\SysWOW64\Idacmfkj.exe
C:\Windows\system32\Idacmfkj.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3536

C:\Windows\SysWOW64\Ijkljp32.exe
C:\Windows\system32\Ijkljp32.exe
3⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1900

C:\Windows\SysWOW64\Iinlemia.exe
C:\Windows\system32\Iinlemia.exe
4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1968

C:\Windows\SysWOW64\Jpgdbg32.exe
C:\Windows\system32\Jpgdbg32.exe
5⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4236

C:\Windows\SysWOW64\Jfaloa32.exe
C:\Windows\system32\Jfaloa32.exe
6⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:976

C:\Windows\SysWOW64\Jjmhppqd.exe
C:\Windows\system32\Jjmhppqd.exe
7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2108

C:\Windows\SysWOW64\Jmkdlkph.exe
C:\Windows\system32\Jmkdlkph.exe
8⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3600

C:\Windows\SysWOW64\Jdemhe32.exe
C:\Windows\system32\Jdemhe32.exe
9⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2996

C:\Windows\SysWOW64\Jbhmdbnp.exe
C:\Windows\system32\Jbhmdbnp.exe
10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4372

C:\Windows\SysWOW64\Jibeql32.exe
C:\Windows\system32\Jibeql32.exe
11⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4212

C:\Windows\SysWOW64\Jplmmfmi.exe
C:\Windows\system32\Jplmmfmi.exe
12⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3340

C:\Windows\SysWOW64\Jfffjqdf.exe
C:\Windows\system32\Jfffjqdf.exe
13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1956

C:\Windows\SysWOW64\Jidbflcj.exe
C:\Windows\system32\Jidbflcj.exe
14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1564

C:\Windows\SysWOW64\Jmpngk32.exe
C:\Windows\system32\Jmpngk32.exe
15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3100

C:\Windows\SysWOW64\Jpojcf32.exe
C:\Windows\system32\Jpojcf32.exe
16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3836

C:\Windows\SysWOW64\Jfhbppbc.exe
C:\Windows\system32\Jfhbppbc.exe
17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2040

C:\Windows\SysWOW64\Jigollag.exe
C:\Windows\system32\Jigollag.exe
18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2544

C:\Windows\SysWOW64\Jangmibi.exe
C:\Windows\system32\Jangmibi.exe
19⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4364

C:\Windows\SysWOW64\Jbocea32.exe
C:\Windows\system32\Jbocea32.exe
20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2924

C:\Windows\SysWOW64\Jiikak32.exe
C:\Windows\system32\Jiikak32.exe
21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1656

C:\Windows\SysWOW64\Kaqcbi32.exe
C:\Windows\system32\Kaqcbi32.exe
22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2900

C:\Windows\SysWOW64\Kbapjafe.exe
C:\Windows\system32\Kbapjafe.exe
23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2016

C:\Windows\SysWOW64\Kkihknfg.exe
C:\Windows\system32\Kkihknfg.exe
24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2504

C:\Windows\SysWOW64\Kacphh32.exe
C:\Windows\system32\Kacphh32.exe
25⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4796

C:\Windows\SysWOW64\Kdaldd32.exe
C:\Windows\system32\Kdaldd32.exe
26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2792

C:\Windows\SysWOW64\Kgphpo32.exe
C:\Windows\system32\Kgphpo32.exe
27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1496

C:\Windows\SysWOW64\Kmjqmi32.exe
C:\Windows\system32\Kmjqmi32.exe
28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1568

C:\Windows\SysWOW64\Kphmie32.exe
C:\Windows\system32\Kphmie32.exe
29⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4744

C:\Windows\SysWOW64\Kgbefoji.exe
C:\Windows\system32\Kgbefoji.exe
30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1436

C:\Windows\SysWOW64\Kipabjil.exe
C:\Windows\system32\Kipabjil.exe
31⤵
- Executes dropped EXE
PID:3804

C:\Windows\SysWOW64\Kagichjo.exe
C:\Windows\system32\Kagichjo.exe
32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2536

C:\Windows\SysWOW64\Kdffocib.exe
C:\Windows\system32\Kdffocib.exe
33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4164

C:\Windows\SysWOW64\Kkpnlm32.exe
C:\Windows\system32\Kkpnlm32.exe
34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3904

C:\Windows\SysWOW64\Kmnjhioc.exe
C:\Windows\system32\Kmnjhioc.exe
35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1160

C:\Windows\SysWOW64\Kpmfddnf.exe
C:\Windows\system32\Kpmfddnf.exe
36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1768

C:\Windows\SysWOW64\Kckbqpnj.exe
C:\Windows\system32\Kckbqpnj.exe
37⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4872

C:\Windows\SysWOW64\Kkbkamnl.exe
C:\Windows\system32\Kkbkamnl.exe
38⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3928

C:\Windows\SysWOW64\Lmqgnhmp.exe
C:\Windows\system32\Lmqgnhmp.exe
39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2816

C:\Windows\SysWOW64\Lpocjdld.exe
C:\Windows\system32\Lpocjdld.exe
40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4064

C:\Windows\SysWOW64\Liggbi32.exe
C:\Windows\system32\Liggbi32.exe
41⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2992

C:\Windows\SysWOW64\Laopdgcg.exe
C:\Windows\system32\Laopdgcg.exe
42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4472

C:\Windows\SysWOW64\Ldmlpbbj.exe
C:\Windows\system32\Ldmlpbbj.exe
43⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2640

C:\Windows\SysWOW64\Lgkhlnbn.exe
C:\Windows\system32\Lgkhlnbn.exe
44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4116

C:\Windows\SysWOW64\Lkgdml32.exe
C:\Windows\system32\Lkgdml32.exe
45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2708

C:\Windows\SysWOW64\Laalifad.exe
C:\Windows\system32\Laalifad.exe
46⤵
- Executes dropped EXE
- Modifies registry class
PID:3920

C:\Windows\SysWOW64\Ldohebqh.exe
C:\Windows\system32\Ldohebqh.exe
47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2448

C:\Windows\SysWOW64\Lgneampk.exe
C:\Windows\system32\Lgneampk.exe
48⤵
- Executes dropped EXE
PID:2228

C:\Windows\SysWOW64\Lkiqbl32.exe
C:\Windows\system32\Lkiqbl32.exe
49⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:464

C:\Windows\SysWOW64\Lnhmng32.exe
C:\Windows\system32\Lnhmng32.exe
50⤵
- Executes dropped EXE
PID:4144

C:\Windows\SysWOW64\Laciofpa.exe
C:\Windows\system32\Laciofpa.exe
51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:5016

C:\Windows\SysWOW64\Ldaeka32.exe
C:\Windows\system32\Ldaeka32.exe
52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3564

C:\Windows\SysWOW64\Lgpagm32.exe
C:\Windows\system32\Lgpagm32.exe
53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1104

C:\Windows\SysWOW64\Lklnhlfb.exe
C:\Windows\system32\Lklnhlfb.exe
54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4636

C:\Windows\SysWOW64\Lnjjdgee.exe
C:\Windows\system32\Lnjjdgee.exe
55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3832

C:\Windows\SysWOW64\Lphfpbdi.exe
C:\Windows\system32\Lphfpbdi.exe
56⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3320

C:\Windows\SysWOW64\Lcgblncm.exe
C:\Windows\system32\Lcgblncm.exe
57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3316

C:\Windows\SysWOW64\Mjqjih32.exe
C:\Windows\system32\Mjqjih32.exe
58⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:5072

C:\Windows\SysWOW64\Mnlfigcc.exe
C:\Windows\system32\Mnlfigcc.exe
59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4632

C:\Windows\SysWOW64\Mpkbebbf.exe
C:\Windows\system32\Mpkbebbf.exe
60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5056

C:\Windows\SysWOW64\Mciobn32.exe
C:\Windows\system32\Mciobn32.exe
61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:208

C:\Windows\SysWOW64\Mkpgck32.exe
C:\Windows\system32\Mkpgck32.exe
62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3812

C:\Windows\SysWOW64\Mnocof32.exe
C:\Windows\system32\Mnocof32.exe
63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2788

C:\Windows\SysWOW64\Majopeii.exe
C:\Windows\system32\Majopeii.exe
64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4424

C:\Windows\SysWOW64\Mpmokb32.exe
C:\Windows\system32\Mpmokb32.exe
65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4696

C:\Windows\SysWOW64\Mcklgm32.exe
C:\Windows\system32\Mcklgm32.exe
66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:1056

C:\Windows\SysWOW64\Mgghhlhq.exe
C:\Windows\system32\Mgghhlhq.exe
67⤵
PID:4856

C:\Windows\SysWOW64\Mkbchk32.exe
C:\Windows\system32\Mkbchk32.exe
68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:3692

C:\Windows\SysWOW64\Mnapdf32.exe
C:\Windows\system32\Mnapdf32.exe
69⤵
- Drops file in System32 directory
PID:2912

C:\Windows\SysWOW64\Mamleegg.exe
C:\Windows\system32\Mamleegg.exe
70⤵
- Drops file in System32 directory
PID:3292

C:\Windows\SysWOW64\Mdkhapfj.exe
C:\Windows\system32\Mdkhapfj.exe
71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4852

C:\Windows\SysWOW64\Mgidml32.exe
C:\Windows\system32\Mgidml32.exe
72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:468

C:\Windows\SysWOW64\Mkepnjng.exe
C:\Windows\system32\Mkepnjng.exe
73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2140

C:\Windows\SysWOW64\Mncmjfmk.exe
C:\Windows\system32\Mncmjfmk.exe
74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2564

C:\Windows\SysWOW64\Mpaifalo.exe
C:\Windows\system32\Mpaifalo.exe
75⤵
PID:4776

C:\Windows\SysWOW64\Mcpebmkb.exe
C:\Windows\system32\Mcpebmkb.exe
76⤵
- Drops file in System32 directory
PID:2652

C:\Windows\SysWOW64\Mglack32.exe
C:\Windows\system32\Mglack32.exe
77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3720

C:\Windows\SysWOW64\Mpdelajl.exe
C:\Windows\system32\Mpdelajl.exe
78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5064

C:\Windows\SysWOW64\Mcbahlip.exe
C:\Windows\system32\Mcbahlip.exe
79⤵
- Drops file in System32 directory
- Modifies registry class
PID:1360

C:\Windows\SysWOW64\Nkjjij32.exe
C:\Windows\system32\Nkjjij32.exe
80⤵
PID:2172

C:\Windows\SysWOW64\Nnhfee32.exe
C:\Windows\system32\Nnhfee32.exe
81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1796

C:\Windows\SysWOW64\Nacbfdao.exe
C:\Windows\system32\Nacbfdao.exe
82⤵
- Drops file in System32 directory
- Modifies registry class
PID:3456

C:\Windows\SysWOW64\Ndbnboqb.exe
C:\Windows\system32\Ndbnboqb.exe
83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:624

C:\Windows\SysWOW64\Nnjbke32.exe
C:\Windows\system32\Nnjbke32.exe
84⤵
PID:4204

C:\Windows\SysWOW64\Nafokcol.exe
C:\Windows\system32\Nafokcol.exe
85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:4536

C:\Windows\SysWOW64\Nqiogp32.exe
C:\Windows\system32\Nqiogp32.exe
86⤵
- Drops file in System32 directory
- Modifies registry class
PID:3400

C:\Windows\SysWOW64\Ngcgcjnc.exe
C:\Windows\system32\Ngcgcjnc.exe
87⤵
- Drops file in System32 directory
- Modifies registry class
PID:3408

C:\Windows\SysWOW64\Nkncdifl.exe
C:\Windows\system32\Nkncdifl.exe
88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5076

C:\Windows\SysWOW64\Njacpf32.exe
C:\Windows\system32\Njacpf32.exe
89⤵
- Drops file in System32 directory
- Modifies registry class
PID:2064

C:\Windows\SysWOW64\Nbhkac32.exe
C:\Windows\system32\Nbhkac32.exe
90⤵
- Modifies registry class
PID:5004

C:\Windows\SysWOW64\Nqklmpdd.exe
C:\Windows\system32\Nqklmpdd.exe
91⤵
- Drops file in System32 directory
- Modifies registry class
PID:1688

C:\Windows\SysWOW64\Ndghmo32.exe
C:\Windows\system32\Ndghmo32.exe
92⤵
PID:5140

C:\Windows\SysWOW64\Ngedij32.exe
C:\Windows\system32\Ngedij32.exe
93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:5184

C:\Windows\SysWOW64\Njcpee32.exe
C:\Windows\system32\Njcpee32.exe
94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5224

C:\Windows\SysWOW64\Nbkhfc32.exe
C:\Windows\system32\Nbkhfc32.exe
95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5268

C:\Windows\SysWOW64\Nqmhbpba.exe
C:\Windows\system32\Nqmhbpba.exe
96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5300

C:\Windows\SysWOW64\Ndidbn32.exe
C:\Windows\system32\Ndidbn32.exe
97⤵
- Drops file in System32 directory
- Modifies registry class
PID:5352

C:\Windows\SysWOW64\Nggqoj32.exe
C:\Windows\system32\Nggqoj32.exe
98⤵
- Modifies registry class
PID:5396

C:\Windows\SysWOW64\Nkcmohbg.exe
C:\Windows\system32\Nkcmohbg.exe
99⤵
PID:5436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5436 -s 404
100⤵
- Program crash
PID:5524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5436 -ip 5436
1⤵
PID:5500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Idacmfkj.exe

Filesize
64KB

MD5
bcc1a08eab35972a2b17bf9438bce102

SHA1
e4e23618bf8c89bdc1c98c99983002ce8358df76

SHA256
3ea0637aab29099d98340b21147142f1d064da3cf241052c7f98ca9419871ec3

SHA512
185b608fda2b4af84b627035522f98f98620826530c6da16f4402878bb7e553a6e43506571d44d5c7ab533d84ee26e9a7627fb687e2f5747ca0c32ba200366f0

Download Submit
C:\Windows\SysWOW64\Iinlemia.exe

Filesize
64KB

MD5
600ed6caa0e5d149c6dfe46a3a0fa68c

SHA1
bfc48a1c7075f66c67a0d0981cac3ae65c01d61a

SHA256
3e257d9686c5482b92d14d6decb7ecbe891c26b8a9ce2232afb9b2eb93819f89

SHA512
b21b9ca9777a50d4a0d9d18e925d7a5c9a28e795d2688b294d082b7b4f3d5435f2b64bc663d58a4d3d950e93fddc10cf686c78e7bae16a2e249d94846962bcd3

Download Submit
C:\Windows\SysWOW64\Ijkljp32.exe

Filesize
64KB

MD5
e52ffb5b394ae0d149e9cbbfc8f249f4

SHA1
d89fdbdfc5807e2a10f218fabca10d7d0146da90

SHA256
fa426277b8c08aaf5c521936234348c4fdd3de0810861307d0bb3aab07913aae

SHA512
37648fad241dbdd9f35cd6baa06bceb1967146b05f7cc6e5696d782b239bb1cc89c4021e9c0f08e3b16105e0391df25796c54c64d71013c5e75943682862078e

Download Submit
C:\Windows\SysWOW64\Jangmibi.exe

Filesize
64KB

MD5
422622169e0593e7a19b8ea04a4d09e7

SHA1
7ca89a487925f9105f24ec53fceb2718d334ce88

SHA256
58616ffd84361d2f64fc0ad16ec740ddc3cac0f95baf893255a9fb5063e9b34e

SHA512
eb3ce6ad9b1d7b7b8254f1a09bb662d5ad2314559fc00b6446204122437e39108fd53de552b1168bae807051d11cc530203b62c3b41e70274c42f57f85ba5049

Download Submit
C:\Windows\SysWOW64\Jbhmdbnp.exe

Filesize
64KB

MD5
fcb08ac98e0d30d9ad66c2a98f19ec4a

SHA1
b0c4d620d789723de38dfa95ffebbaee47659c65

SHA256
5989881fdcdbbf8ce63e00c82d9778f952f6752986783855ef6206ac13dc4b1c

SHA512
7e8e7a0a89974cdaefeb2c1b3e2d66452dc6d7bbffb72ab747c8af2562f9aa905aaaa3ed3f00c5943cf1402799577eb3e2dc3b0f5e57b5ccfc7c2f3ff37c9336

Download Submit
C:\Windows\SysWOW64\Jbocea32.exe

Filesize
64KB

MD5
2532ac65464fb88f3f73252e11fc556c

SHA1
1cda242d5290008307e952c6c2245976e028cc14

SHA256
db4e62b17c23cf1e51605353b63bb624e49f3650a9f819712a83ac7f36ca2d6c

SHA512
7abcffd5d23327ac2dda3e56fc56f5902e97558f4a1075fc658796c50babd729c81b389746d65e8b19a9e569e349d41b22f6f5f192859b875d98a59808297193

Download Submit
C:\Windows\SysWOW64\Jdemhe32.exe

Filesize
64KB

MD5
df1556343ec0451988448c6e97a57847

SHA1
2231ff5bd48b84f316e96666b5906d5dc4f6a980

SHA256
db09ef04c61d2cd980e4f425f5302b9a52806a827c7baa8c25d53c48e8549233

SHA512
f631aa862ff6021509bc01aea553aba384c274ae141451230e61b6422fc07532626aa2b6761c737d59b31847c619d96302cee5a6140336946802848781d51434

Download Submit
C:\Windows\SysWOW64\Jfaloa32.exe

Filesize
64KB

MD5
fd1e6c46d89e488dd6ef7fd4b8f647a0

SHA1
4f879cd41d90d874bb8d89af7e0531b7a2ea6448

SHA256
a43715e4bc58cbed8c55dc021477c2422a5cd56534dd0c21ed8c78561e8cf405

SHA512
dc18ed99f15e8c5ccd2be1f768fc90b98e400006dbc9d0f4fbc5b4a05b03f7c625c104dfb58d85212a9c2da738d0a1c46247eecce89bc15c68c8ee08422c3b7c

Download Submit
C:\Windows\SysWOW64\Jfffjqdf.exe

Filesize
64KB

MD5
4db18ad29d191b0aeb71752c5472bd76

SHA1
4c02ead06a089ed7f68745bf3c0dc9931e87a9b0

SHA256
e395e708bb6873e4c0f181e350ebddb2dfdf6f0e95299d9c9bd367e27f744507

SHA512
d59217ef4e8dfa4e033d6331097173ed5dbc8a7c6e225f8172f0c2cdb0ccd1cfb544181302fbe31e222b0b065937007fca5f98ebf0835552282b19c76dc84d25

Download Submit
C:\Windows\SysWOW64\Jfhbppbc.exe

Filesize
64KB

MD5
87a017c04f3d1d21fd61683bf95ad1ae

SHA1
176a9fc7b945961effd0578c33cb3221d0d5b63b

SHA256
9974d7446eb598aa1871a2a6d719195df7c09fc6ab6d10e29d774fcff42d2897

SHA512
5ba483a4a830ea9bb709db955ddcf28ca41640c67cb31c911ac5b25200cddc7ca440d163f98de2eb32ac845b231b692ef489de46e3fe34dd3113a0fe8d4714b5

Download Submit
C:\Windows\SysWOW64\Jibeql32.exe

Filesize
64KB

MD5
30f32c6e91cd4536dafd0effb896d5d9

SHA1
d877dd9530917c086b81b1347df77957578c6ccc

SHA256
ba43ad68d4909a4e5b0aabd718bf154bb9d2e0aef8c5f65aca64ddea6982de33

SHA512
97d5aaee11a28bd773d0f3c71374c0d35bc6796df1d14c93386420a748c5555c91abd7a91d17523ea5a0d0e7fe1b736cd562d75aecc836deeccffb15887d781a

Download Submit
C:\Windows\SysWOW64\Jidbflcj.exe

Filesize
64KB

MD5
3a5693bec98dad9d5f612537215048ae

SHA1
1371836432c9d0810c8abdedd04b4774ac9a55e4

SHA256
42d3ebab4553d2e9384836ac274525e7bf9c942507da60d519e5dc396f99eaf5

SHA512
0f1ca1cbce895b0763561cf9e97219c2351941eed48a2ac96bb40485542e877154a61d0926dade8adb2c65c41712ca658c0c9d0c8dffb24b93114696b4e15d5d

Download Submit
C:\Windows\SysWOW64\Jigollag.exe

Filesize
64KB

MD5
c3743e4771bf02b770b0a7672eb42a28

SHA1
28cb35c353fa74a46edaf665282ab3f80eac06e1

SHA256
e994ded6a8c1602548b6098e04f580655cc21d975454606081c2226c8697e7d0

SHA512
fa0d0ffddbdc3cc357c0b3bfd1521621cbfa47a4d7f1780a3c04efed4d4ad1fe7419010398b044ae6b0638a73770688be3e3cdb8de965267d8d43175607eb81c

Download Submit
C:\Windows\SysWOW64\Jiikak32.exe

Filesize
64KB

MD5
2f7ea9b7a1012921d163c64ddee7c5b5

SHA1
b7d4dcba410dfce2b42275bc17e0e35c02309769

SHA256
dbac1a3a877a3f78a785c17dd701e9d505a82a6baea45699673d105dbdd60c96

SHA512
1d4abfa9e109d47653bb33b149724d9e9883e6dfca7a1d082d09e3935b71550cd9979d66eaf8959057cd6f069d00961c9a1036b48908e4caf324b20307726bb7

Download Submit
C:\Windows\SysWOW64\Jjmhppqd.exe

Filesize
64KB

MD5
6723e0a472b069cf4283cad1e4aa6f04

SHA1
5fad7e3089be08231f9c5671b378fc3a0ca9e5e0

SHA256
54704c82a232efdf4d1deb1109ab7bde19dd5fa8ca021efe991bdf4d22e3501d

SHA512
17edf1d0fb2af41df1f555a96188945be1d61fc64a37de00360f4e6d5e13dac730f8a76a81f5151a9d672771af6279772b0fbb182dd56cdbed5e592c96e24b6c

Download Submit
C:\Windows\SysWOW64\Jmkdlkph.exe

Filesize
64KB

MD5
ffab306fce1affa2dc9f6c3edd9f30b5

SHA1
5706b9423d0ecc9d7db66a0208fa5de1e79924af

SHA256
870750fbf680d77e92453f96713a15ce2dab3b54163d1fbfd21a764bfeaad925

SHA512
88b2ff6f75957675229f735cdc4a204aac7b1426daeaa660981426e7d3bf652ad492bb4c03081e190bac8455b1f55be714117333669750d3ea2ad38b049f4e5f

Download Submit
C:\Windows\SysWOW64\Jmpngk32.exe

Filesize
64KB

MD5
e0ceda5b5c0d520af81961102a964ffe

SHA1
218f19b1f7f6c2dc0b4c6fb308638069ae4bba82

SHA256
1b56efc9571a8cf20cf5fd5f0591995db12268a6ebdb7b6834324e581784c7e5

SHA512
048fdfc25844da657b7fdb76e3196281dfc4e79dfb31f2fa058fb08ee97617912f964a04288b5c484b00e48d9ac04669878cc0cc20e64b018bc1d7b4f09d9b58

Download Submit
C:\Windows\SysWOW64\Jpgdbg32.exe

Filesize
64KB

MD5
1a5eb215535bf61dd9e4ef69a2a8a1e4

SHA1
60d92da6360fe08a5f02aee97b3c7c2d4fddc87c

SHA256
353bbba50408094faa1cc908570ee20d997ca0dda4f5b51533f7242ce0433362

SHA512
e3af39a766d673e40bb9a089cfd25705712b97870116ebc8e06b82b11006e04888b89993735e73d06c3b9159dbe5661a5343e2d7b44d3d5871d641b815c4cc6a

Download Submit
C:\Windows\SysWOW64\Jplmmfmi.exe

Filesize
64KB

MD5
ae3969e3827cec8aeb7af5f00df0f279

SHA1
bc39b3cad0e9c126e73de1fc8a8cad4ec7762de7

SHA256
a76dd3bef223b9874c77982481ac233da0260e206da5cdd098ac0fb403fdc480

SHA512
50b67de14b0cd052eb78c85cee9f73422b889b0b958f356eaf473da047c904e7d95e63a788568b8db04fb4b429da9404b34608dcfd38b86ece784d58f65bdd67

Download Submit
C:\Windows\SysWOW64\Jpojcf32.exe

Filesize
64KB

MD5
ca6efce79a67b0fff5d373c1e41356f5

SHA1
a529a652fe33454426ae1329080d80dc95031edf

SHA256
ae76b6fd798ef9902659997c0265ab40e34e1e35cdfb45f77a815c98e11b9b2f

SHA512
b0287db1a88817b2e162a41fe47c409593f09ec3d3d20ec0a9d1cc628481bae385ae0facf6ca6f35aa05c6bfc65a9e5b2561fe9b053cde0974c1a09fe7b69beb

Download Submit
C:\Windows\SysWOW64\Kacphh32.exe

Filesize
64KB

MD5
518a187a1b40362d05485fcde928164a

SHA1
5dd0e8c377fccbd6b0f2194ca7c20b3d2998ada8

SHA256
ff6246e6e7b26631794b4502e4998504d81f4af6a7cefd88d51aba2bc560a944

SHA512
c4be0b0a0fb5c5ecf9221550c74065372deab633debf66822dd14d8d8c97cf66aae001cecf393a9928c8f00904f103b138cb44650cb93c4aa154a2583c6c58c2

Download Submit
C:\Windows\SysWOW64\Kagichjo.exe

Filesize
64KB

MD5
7700204c50da1b249087d00b3151436b

SHA1
7ef595849ef8868e2f7c562330985ed968f2e945

SHA256
06c8f0bb8b0fd0595cb40e303066f0230ce6255cc1ef70d7684f177dca0a5ac9

SHA512
fed1ac767e88c347ce68ab3c775214b8509b227dc70d0ee649c17ff4babbd8245c1ab0d410166c0659557c477939147a97679061c99643aac608bc0edf55d4fa

Download Submit
C:\Windows\SysWOW64\Kaqcbi32.exe

Filesize
64KB

MD5
07bcb991077080093270abec7366dfa5

SHA1
8e4a9903379c4a59edefd7514adb6841b9dd92f7

SHA256
1eb56dcc737e79bb4f5f167a278097fdf675faee1684fd4f9996d71629472543

SHA512
008342c59212d7d16bbae75a96da9d331815de73f08c774084e5fff9eff2265da4478d3633b1b370cdcd008cee9c3c3ea1e6437feda5db8d052f67f1997ebaae

Download Submit
C:\Windows\SysWOW64\Kbapjafe.exe

Filesize
64KB

MD5
7fa073c7ce03e821c2e88cf261e55da6

SHA1
ec640cc97eb01455c4ae64413a5c01aaa8b5d63f

SHA256
f6e41b68d703efa20d65ea04694583ea53549c0c84af657962f855ec1e6a6824

SHA512
cc9a4ec363ce4fb35107724a4fa7cbfea8090931330028a292000f5b3757d0b723f091f203f4cab41a60dad7eaaec5fca618ba96851776fd246460f12101d21b

Download Submit
C:\Windows\SysWOW64\Kdaldd32.exe

Filesize
64KB

MD5
7ebd5fc1cddaf11cb6792b379d8ba340

SHA1
a5d9fc6c48f4b68b96d2c8bbfe16c59eb3f76989

SHA256
4672f8b40c2f41da60383b45d43b72dd698e3f07dc73791a8845e9780ab64154

SHA512
d17e28b7bd01a1cebbe9c58f57d8e8d4d6d8902acf0cc95e7725e028f4483bb704f3f2b271615b60bc04db87a224aa33c18befed9da1641968ea990c818b60c8

Download Submit
C:\Windows\SysWOW64\Kdffocib.exe

Filesize
64KB

MD5
148c43dfe972c2bfa254b1458e1fdf23

SHA1
5adf989e1f31b79a5ef5d58d3fadb0f200579dd5

SHA256
7b3afbb03c284d8a72cfe9165388748f189fac98249e09398d88b126fab5c1e9

SHA512
a3c2fb1da252b5e8dca96ea93de470d8610d57177999ecdb7024aa475f1791187de63182e048fbd4daf0032be01b9f8be8a83de3cc9398de43e8a22b5e6fb3dc

Download Submit
C:\Windows\SysWOW64\Kgbefoji.exe

Filesize
64KB

MD5
748b9e6546fa5f2238bf5a6dd93cf0f0

SHA1
61c71eb407ece86dbf10e7dc633101b2603766b3

SHA256
844f24f0e2c555b86b09c08d7e26fd7c257aa2d09b4e3b2dc554d27b986f9508

SHA512
ec8ee27f7a23c8bc453b831497dd5287aff4b0fed60fef733137b656968c45e97e9729423a9a4c2a894ffa4ebe67f75ee66365c8fd8fc73539b732a07e7e9f84

Download Submit
C:\Windows\SysWOW64\Kgphpo32.exe

Filesize
64KB

MD5
b7851201693fe9c11601770ea6320596

SHA1
440fd1000b4688a2211dc96fc8157818a4d89377

SHA256
bd71ff54b32b11b2d0df75b6ba97dbdb2a8fec9683aabfc057d06f84348b5f21

SHA512
7eb3f6df6c63ac13176c938ae34888a351480384c1e933c3d1cc4efbcd70719cb7c95fab431506f97249e0b7e98c53e1ea8152a0e63ae4733b0a25a71d8b7808

Download Submit
C:\Windows\SysWOW64\Kipabjil.exe

Filesize
64KB

MD5
115dc4ea8cd3ce5116efc82fb0b7b00b

SHA1
92823b8382d35537aa7b6de38b29416209e8b041

SHA256
bc85897cdde792e26e43d69cb236d75f50211914a74307236b64f73e4d1a3128

SHA512
ee0e72299aa902b5acf6d20a6f3e0fe34a34eafc808561dd001b3195bc41387b01b363f0f74ea7807310290fdde4bc4d1c15ba983724953a0ab9c29d6e9b1a7d

Download Submit
C:\Windows\SysWOW64\Kkihknfg.exe

Filesize
64KB

MD5
2fe2105ac9e961e29c7947511c33a258

SHA1
349a6e6efdaa376110b8486fb73db3d40c406c99

SHA256
2bad72deedb2cf2cce17cac06116fa00923b9b171bb188274aad7728b73d96e8

SHA512
27d5a272042860e2d873013f8fc696ca849f35590454f469e5b77c90629e0a56d1e015f6dc207a5812541e63f7122258d364c0078773394074cfa6298feef2e9

Download Submit
C:\Windows\SysWOW64\Kmjqmi32.exe

Filesize
64KB

MD5
9921303a88a971d1078ef657192f8145

SHA1
0814fa07ae6dc4e8af81638d70d9d7cd63fe922e

SHA256
89e0d2f6e2b74f7cddd532e5ca9e59458f4235439b0a0d40e66c9a38a7a6e2fd

SHA512
12d9fb9e94be6906f6fd013198f4e0dd4af5905a56a82362cef007c018da2fa20c5f763248be43eb187f3ebbec48377f3e66c2ec0cee2689d9ea1b663c8dcf64

Download Submit
C:\Windows\SysWOW64\Kphmie32.exe

Filesize
64KB

MD5
29f42cab15f2bcd75aac6525bb1ed9ec

SHA1
0a8428d7da2d259017cc87bef3f9339bc2dee2f5

SHA256
8cd1c531680e414c2f48bb7067ff608bdff41fc0a928945907c6909859d0a8fc

SHA512
5bce758bc272f1042ece15444b9e6629b6214dff9c1b6d4a34f621ec20cc62c1851f3c55e697aa32e94ac5211d1b1493c370c4833d5afb28e55a77de058f8c3a

Download Submit
C:\Windows\SysWOW64\Mciobn32.exe

Filesize
64KB

MD5
31ddc6a9201d4d9cac9c0f13505f0559

SHA1
dc4bb33a9e794caedd27b5731fe4541246537a29

SHA256
0fc06c1d3397307efdcfbfe25ad22a96e97530ec6d4fd073f8d780970582ec35

SHA512
49aa23a7393ef9c15cdb08e37a85d856e7ec70b9405778eb6111f152b81698783bedc1b903969a01fc8ebdb763cdc7fd8f457ec378cc3d3998f845aa6c821473

Download Submit
C:\Windows\SysWOW64\Mjqjih32.exe

Filesize
64KB

MD5
85841066df7601308ef420e711996589

SHA1
e1d7c5b655e175843f87f9c51cae1c8806ffac59

SHA256
97cbb21660e2aa9c79cb54c0f20ee3f0a46835c73ec038e2f87d43a8baca0306

SHA512
2cb3b080070c88afb5ef0bea3577eae82ff59e0bb3d70b6dfa0592b94457ee912dd4f92975af7433d025b4a1236f8c3dcd48ac81fa3dc276dce169f21777ee72

Download Submit
memory/464-451-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/464-381-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/976-44-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1104-406-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1160-354-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1160-288-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1436-247-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1436-325-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1496-221-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1496-305-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1564-194-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1564-107-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1568-229-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1568-307-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1656-259-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1656-168-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1768-298-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1768-361-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1900-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1900-96-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1956-98-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1956-184-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1968-106-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1968-23-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2016-186-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2016-273-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2040-219-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2040-133-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2108-47-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2108-132-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2228-375-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2228-444-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2448-433-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2448-368-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2504-280-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2504-195-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2536-269-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2544-146-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2640-345-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2708-419-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2708-355-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2792-216-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2816-319-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2900-177-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2900-268-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2924-245-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2924-159-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2992-328-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2992-393-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2996-68-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3100-120-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3316-434-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3320-431-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3340-88-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3340-176-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3496-80-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3496-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3536-12-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3564-400-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3600-145-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3600-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3804-260-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3832-420-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3836-214-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3836-123-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3904-281-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3904-347-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3920-430-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3920-362-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3928-308-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3928-374-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4064-326-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4116-416-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4116-348-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4144-454-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4144-387-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4164-274-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4164-344-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4212-81-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4212-167-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4236-118-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4236-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4364-149-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4364-237-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4372-157-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4372-71-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4472-338-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4632-452-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4636-417-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4744-318-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4744-238-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4796-203-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4796-287-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4872-306-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5016-398-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5072-446-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download