69572f0bd7e14451ab45d987f0d08aa04343404757ee33dfda5e4874d9e00f50

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 01:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

69572f0bd7e14451ab45d987f0d08aa04343404757ee33dfda5e4874d9e00f50.exe
Size

89KB
MD5

0609b434e5e0c7a173a5a9c193858a60
SHA1

07f862a0cdd755a5f27a987566da173c6d66c9e8
SHA256

69572f0bd7e14451ab45d987f0d08aa04343404757ee33dfda5e4874d9e00f50
SHA512

2aa0656b35eb22038b65ee5c493262001f5cb2906d5ebecf86111b42a5aff4a03e473f5f76d40ae76cd22c8e61676c268bd07bbe6b874d0ebe305fcedaaee34e
SSDEEP

1536:kHx+IwtwKvMXJAMAHKQ3Qo1yeeJwDObmsCIK282c8CPGCECa9bC7e3iaqWpOBMD:EUlwK07gKKZDObmhD28Qxnd9GMHqW/

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Jfkoeppq.exeKaqcbi32.exeNdghmo32.exeJibeql32.exeKajfig32.exeLilanioo.exeLijdhiaa.exeLaalifad.exeMpmokb32.exeLphfpbdi.exeMajopeii.exeJfhbppbc.exeKagichjo.exeMahbje32.exeLiekmj32.exeJaimbj32.exeKknafn32.exeMdfofakp.exeNdidbn32.exeJiphkm32.exeJigollag.exeLpappc32.exeLgneampk.exeMdiklqhm.exeNjacpf32.exeJjbako32.exeLnjjdgee.exeKdaldd32.exeJfdida32.exeKacphh32.exeKgmlkp32.exeMjjmog32.exeNqiogp32.exeKdffocib.exeLkiqbl32.exeNklfoi32.exeKdopod32.exeKdcijcke.exeNqklmpdd.exeJangmibi.exeNkqpjidj.exeIinlemia.exeMaaepd32.exeNkjjij32.exeNcldnkae.exeKgdbkohf.exeLgbnmm32.exeMncmjfmk.exeJdmcidam.exeKibnhjgj.exeKdhbec32.exeLdkojb32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfkoeppq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaqcbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jibeql32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kajfig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lilanioo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfhbppbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mahbje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfhbppbc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaimbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kknafn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jiphkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jibeql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jigollag.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpappc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgneampk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjbako32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdaldd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfdida32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kacphh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgmlkp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdopod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdcijcke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jangmibi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iinlemia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jaimbj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kknafn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaepd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjbako32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdcijcke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdmcidam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kibnhjgj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldkojb32.exe

Executes dropped EXE 64 IoCs

Processes:

Iinlemia.exeJdcpcf32.exeJfaloa32.exeJiphkm32.exeJpjqhgol.exeJfdida32.exeJibeql32.exeJaimbj32.exeJdhine32.exeJjbako32.exeJmpngk32.exeJpojcf32.exeJfhbppbc.exeJigollag.exeJangmibi.exeJdmcidam.exeJfkoeppq.exeJiikak32.exeKaqcbi32.exeKdopod32.exeKgmlkp32.exeKacphh32.exeKdaldd32.exeKkkdan32.exeKmjqmi32.exeKphmie32.exeKdcijcke.exeKgbefoji.exeKknafn32.exeKipabjil.exeKagichjo.exeKdffocib.exeKgdbkohf.exeKkpnlm32.exeKibnhjgj.exeKajfig32.exeKdhbec32.exeKkbkamnl.exeLiekmj32.exeLalcng32.exeLdkojb32.exeLgikfn32.exeLmccchkn.exeLpappc32.exeLcpllo32.exeLijdhiaa.exeLaalifad.exeLpcmec32.exeLdohebqh.exeLgneampk.exeLkiqbl32.exeLilanioo.exeLaciofpa.exeLpfijcfl.exeLcdegnep.exeLklnhlfb.exeLnjjdgee.exeLphfpbdi.exeLcgblncm.exeLgbnmm32.exeMjqjih32.exeMahbje32.exeMdfofakp.exeMgekbljc.exe

pid	process
1820	Iinlemia.exe
4740	Jdcpcf32.exe
1852	Jfaloa32.exe
2860	Jiphkm32.exe
5116	Jpjqhgol.exe
3528	Jfdida32.exe
4876	Jibeql32.exe
2412	Jaimbj32.exe
2784	Jdhine32.exe
1436	Jjbako32.exe
3640	Jmpngk32.exe
1064	Jpojcf32.exe
4476	Jfhbppbc.exe
3360	Jigollag.exe
4892	Jangmibi.exe
4372	Jdmcidam.exe
540	Jfkoeppq.exe
2688	Jiikak32.exe
4856	Kaqcbi32.exe
1568	Kdopod32.exe
2184	Kgmlkp32.exe
3600	Kacphh32.exe
4640	Kdaldd32.exe
1084	Kkkdan32.exe
1280	Kmjqmi32.exe
368	Kphmie32.exe
4920	Kdcijcke.exe
4612	Kgbefoji.exe
4140	Kknafn32.exe
1476	Kipabjil.exe
2636	Kagichjo.exe
1912	Kdffocib.exe
3084	Kgdbkohf.exe
4816	Kkpnlm32.exe
2396	Kibnhjgj.exe
944	Kajfig32.exe
2044	Kdhbec32.exe
1780	Kkbkamnl.exe
1080	Liekmj32.exe
2016	Lalcng32.exe
4776	Ldkojb32.exe
3996	Lgikfn32.exe
1620	Lmccchkn.exe
3708	Lpappc32.exe
3424	Lcpllo32.exe
2168	Lijdhiaa.exe
2460	Laalifad.exe
1488	Lpcmec32.exe
3312	Ldohebqh.exe
3788	Lgneampk.exe
4556	Lkiqbl32.exe
4844	Lilanioo.exe
1788	Laciofpa.exe
3508	Lpfijcfl.exe
2008	Lcdegnep.exe
1572	Lklnhlfb.exe
3408	Lnjjdgee.exe
3140	Lphfpbdi.exe
1236	Lcgblncm.exe
1056	Lgbnmm32.exe
1380	Mjqjih32.exe
1768	Mahbje32.exe
4496	Mdfofakp.exe
4916	Mgekbljc.exe

Drops file in System32 directory 64 IoCs

Processes:

Kdopod32.exeKagichjo.exeMgekbljc.exeNkqpjidj.exeNdidbn32.exeJfaloa32.exeJigollag.exeKacphh32.exeMdiklqhm.exeLcgblncm.exeNgedij32.exeJfhbppbc.exeKphmie32.exeLdkojb32.exeLaalifad.exeLklnhlfb.exeLphfpbdi.exeNceonl32.exeJmpngk32.exeLnjjdgee.exeMpmokb32.exeMkgmcjld.exeLilanioo.exeJdhine32.exeJangmibi.exeKdcijcke.exeLpcmec32.exeNcgkcl32.exeNjacpf32.exeMcnhmm32.exeMgidml32.exeMpaifalo.exeNklfoi32.exeMjeddggd.exeJpojcf32.exeMjqjih32.exeJfkoeppq.exeLpappc32.exeLgneampk.exeMajopeii.exeMaaepd32.exeKaqcbi32.exeKdhbec32.exeKkpnlm32.exeLpfijcfl.exeNqfbaq32.exeKgmlkp32.exeLalcng32.exeLmccchkn.exeNqiogp32.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Kgmlkp32.exe	Kdopod32.exe
File created	C:\Windows\SysWOW64\Akihmf32.dll	Kagichjo.exe
File created	C:\Windows\SysWOW64\Ocbakl32.dll	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Cknpkhch.dll	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Dlddhggk.dll	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Jiphkm32.exe	Jfaloa32.exe
File created	C:\Windows\SysWOW64\Lppaheqp.dll	Jigollag.exe
File created	C:\Windows\SysWOW64\Kdaldd32.exe	Kacphh32.exe
File created	C:\Windows\SysWOW64\Mgghhlhq.exe	Mdiklqhm.exe
File opened for modification	C:\Windows\SysWOW64\Lgbnmm32.exe	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Ogpnaafp.dll	Ngedij32.exe
File opened for modification	C:\Windows\SysWOW64\Jigollag.exe	Jfhbppbc.exe
File opened for modification	C:\Windows\SysWOW64\Kdcijcke.exe	Kphmie32.exe
File created	C:\Windows\SysWOW64\Dnkdikig.dll	Ldkojb32.exe
File created	C:\Windows\SysWOW64\Baefid32.dll	Laalifad.exe
File created	C:\Windows\SysWOW64\Fldggfbc.dll	Lklnhlfb.exe
File created	C:\Windows\SysWOW64\Lcgblncm.exe	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Fibjjh32.dll	Nceonl32.exe
File created	C:\Windows\SysWOW64\Jpojcf32.exe	Jmpngk32.exe
File opened for modification	C:\Windows\SysWOW64\Lphfpbdi.exe	Lnjjdgee.exe
File created	C:\Windows\SysWOW64\Ockcknah.dll	Mpmokb32.exe
File opened for modification	C:\Windows\SysWOW64\Mjjmog32.exe	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Laciofpa.exe	Lilanioo.exe
File created	C:\Windows\SysWOW64\Mglppmnd.dll	Lnjjdgee.exe
File opened for modification	C:\Windows\SysWOW64\Mjcgohig.exe	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Mdiklqhm.exe	Mpmokb32.exe
File opened for modification	C:\Windows\SysWOW64\Jjbako32.exe	Jdhine32.exe
File opened for modification	C:\Windows\SysWOW64\Jdmcidam.exe	Jangmibi.exe
File opened for modification	C:\Windows\SysWOW64\Kgbefoji.exe	Kdcijcke.exe
File created	C:\Windows\SysWOW64\Bgcomh32.dll	Lpcmec32.exe
File created	C:\Windows\SysWOW64\Lmbnpm32.dll	Ncgkcl32.exe
File opened for modification	C:\Windows\SysWOW64\Nnmopdep.exe	Njacpf32.exe
File opened for modification	C:\Windows\SysWOW64\Mgidml32.exe	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Mncmjfmk.exe	Mgidml32.exe
File created	C:\Windows\SysWOW64\Mcpebmkb.exe	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Pponmema.dll	Nklfoi32.exe
File opened for modification	C:\Windows\SysWOW64\Mamleegg.exe	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Feambf32.dll	Jdhine32.exe
File created	C:\Windows\SysWOW64\Dbcjkf32.dll	Jpojcf32.exe
File created	C:\Windows\SysWOW64\Mahbje32.exe	Mjqjih32.exe
File opened for modification	C:\Windows\SysWOW64\Mgghhlhq.exe	Mdiklqhm.exe
File opened for modification	C:\Windows\SysWOW64\Mdiklqhm.exe	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Cnacjn32.dll	Mcnhmm32.exe
File opened for modification	C:\Windows\SysWOW64\Jiphkm32.exe	Jfaloa32.exe
File created	C:\Windows\SysWOW64\Jiikak32.exe	Jfkoeppq.exe
File created	C:\Windows\SysWOW64\Jcpkbc32.dll	Kphmie32.exe
File opened for modification	C:\Windows\SysWOW64\Lcpllo32.exe	Lpappc32.exe
File created	C:\Windows\SysWOW64\Ekiidlll.dll	Lgneampk.exe
File created	C:\Windows\SysWOW64\Mpmokb32.exe	Majopeii.exe
File created	C:\Windows\SysWOW64\Mdpalp32.exe	Maaepd32.exe
File opened for modification	C:\Windows\SysWOW64\Kdopod32.exe	Kaqcbi32.exe
File created	C:\Windows\SysWOW64\Kdffocib.exe	Kagichjo.exe
File created	C:\Windows\SysWOW64\Kkbkamnl.exe	Kdhbec32.exe
File opened for modification	C:\Windows\SysWOW64\Ldohebqh.exe	Lpcmec32.exe
File created	C:\Windows\SysWOW64\Kibnhjgj.exe	Kkpnlm32.exe
File created	C:\Windows\SysWOW64\Eeandl32.dll	Lpfijcfl.exe
File created	C:\Windows\SysWOW64\Plilol32.dll	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Ciiqgjgg.dll	Mgidml32.exe
File created	C:\Windows\SysWOW64\Nceonl32.exe	Nqfbaq32.exe
File opened for modification	C:\Windows\SysWOW64\Kacphh32.exe	Kgmlkp32.exe
File created	C:\Windows\SysWOW64\Bpcbnd32.dll	Kkpnlm32.exe
File opened for modification	C:\Windows\SysWOW64\Ldkojb32.exe	Lalcng32.exe
File created	C:\Windows\SysWOW64\Ogndib32.dll	Lmccchkn.exe
File opened for modification	C:\Windows\SysWOW64\Ncgkcl32.exe	Nqiogp32.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

5272 5188 WerFault.exe Nkcmohbg.exe

pid	pid_target	process	target process
5272	5188	WerFault.exe	Nkcmohbg.exe

Modifies registry class 64 IoCs

Processes:

Kgmlkp32.exeKdffocib.exeNqfbaq32.exeJdcpcf32.exeKdopod32.exeKmjqmi32.exeNkqpjidj.exeKkpnlm32.exeKajfig32.exeLmccchkn.exeLcdegnep.exeNceonl32.exeNqiogp32.exeNnmopdep.exeNnolfdcn.exeJiikak32.exeLcpllo32.exeLaalifad.exeNcgkcl32.exeNjacpf32.exeKaqcbi32.exeKacphh32.exeLgneampk.exeMdiklqhm.exeJaimbj32.exeKipabjil.exeKibnhjgj.exeLilanioo.exeMdfofakp.exeKknafn32.exeLnjjdgee.exeMahbje32.exeNjljefql.exeNgedij32.exeNqmhbpba.exeJibeql32.exeKgbefoji.exeKdhbec32.exeLalcng32.exeJmpngk32.exeLgikfn32.exeMdpalp32.exeLiekmj32.exeLgbnmm32.exeMgidml32.exeJfdida32.exeJangmibi.exeNdghmo32.exeNdidbn32.exeJiphkm32.exeKdaldd32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgmlkp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aajjaf32.dll"	Jdcpcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkeebhjc.dll"	Kmjqmi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpcbnd32.dll"	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogdimilg.dll"	Kajfig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bheenp32.dll"	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghhihab.dll"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ichhhi32.dll"	Jiikak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jiikak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eplmgmol.dll"	Kaqcbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgneampk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agbnmibj.dll"	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jaimbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kipabjil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khehmdgi.dll"	Lilanioo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hehifldd.dll"	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npckna32.dll"	Njljefql.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leqcod32.dll"	Jibeql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgbefoji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jifkeoll.dll"	Lalcng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbkmec32.dll"	Jmpngk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kibnhjgj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egqcbapl.dll"	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jdcpcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lppbjjia.dll"	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipfna32.dll"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bclhoo32.dll"	Jfdida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fogjfmfe.dll"	Kdffocib.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecppdbpl.dll"	Jangmibi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efhikhod.dll"	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paadnmaq.dll"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jiphkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mghpbg32.dll"	Kdaldd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

69572f0bd7e14451ab45d987f0d08aa04343404757ee33dfda5e4874d9e00f50.exeIinlemia.exeJdcpcf32.exeJfaloa32.exeJiphkm32.exeJpjqhgol.exeJfdida32.exeJibeql32.exeJaimbj32.exeJdhine32.exeJjbako32.exeJmpngk32.exeJpojcf32.exeJfhbppbc.exeJigollag.exeJangmibi.exeJdmcidam.exeJfkoeppq.exeJiikak32.exeKaqcbi32.exeKdopod32.exeKgmlkp32.exe

description	pid	process	target process
PID 4204 wrote to memory of 1820	4204	69572f0bd7e14451ab45d987f0d08aa04343404757ee33dfda5e4874d9e00f50.exe	Iinlemia.exe
PID 4204 wrote to memory of 1820	4204	69572f0bd7e14451ab45d987f0d08aa04343404757ee33dfda5e4874d9e00f50.exe	Iinlemia.exe
PID 4204 wrote to memory of 1820	4204	69572f0bd7e14451ab45d987f0d08aa04343404757ee33dfda5e4874d9e00f50.exe	Iinlemia.exe
PID 1820 wrote to memory of 4740	1820	Iinlemia.exe	Jdcpcf32.exe
PID 1820 wrote to memory of 4740	1820	Iinlemia.exe	Jdcpcf32.exe
PID 1820 wrote to memory of 4740	1820	Iinlemia.exe	Jdcpcf32.exe
PID 4740 wrote to memory of 1852	4740	Jdcpcf32.exe	Jfaloa32.exe
PID 4740 wrote to memory of 1852	4740	Jdcpcf32.exe	Jfaloa32.exe
PID 4740 wrote to memory of 1852	4740	Jdcpcf32.exe	Jfaloa32.exe
PID 1852 wrote to memory of 2860	1852	Jfaloa32.exe	Jiphkm32.exe
PID 1852 wrote to memory of 2860	1852	Jfaloa32.exe	Jiphkm32.exe
PID 1852 wrote to memory of 2860	1852	Jfaloa32.exe	Jiphkm32.exe
PID 2860 wrote to memory of 5116	2860	Jiphkm32.exe	Jpjqhgol.exe
PID 2860 wrote to memory of 5116	2860	Jiphkm32.exe	Jpjqhgol.exe
PID 2860 wrote to memory of 5116	2860	Jiphkm32.exe	Jpjqhgol.exe
PID 5116 wrote to memory of 3528	5116	Jpjqhgol.exe	Jfdida32.exe
PID 5116 wrote to memory of 3528	5116	Jpjqhgol.exe	Jfdida32.exe
PID 5116 wrote to memory of 3528	5116	Jpjqhgol.exe	Jfdida32.exe
PID 3528 wrote to memory of 4876	3528	Jfdida32.exe	Jibeql32.exe
PID 3528 wrote to memory of 4876	3528	Jfdida32.exe	Jibeql32.exe
PID 3528 wrote to memory of 4876	3528	Jfdida32.exe	Jibeql32.exe
PID 4876 wrote to memory of 2412	4876	Jibeql32.exe	Jaimbj32.exe
PID 4876 wrote to memory of 2412	4876	Jibeql32.exe	Jaimbj32.exe
PID 4876 wrote to memory of 2412	4876	Jibeql32.exe	Jaimbj32.exe
PID 2412 wrote to memory of 2784	2412	Jaimbj32.exe	Jdhine32.exe
PID 2412 wrote to memory of 2784	2412	Jaimbj32.exe	Jdhine32.exe
PID 2412 wrote to memory of 2784	2412	Jaimbj32.exe	Jdhine32.exe
PID 2784 wrote to memory of 1436	2784	Jdhine32.exe	Jjbako32.exe
PID 2784 wrote to memory of 1436	2784	Jdhine32.exe	Jjbako32.exe
PID 2784 wrote to memory of 1436	2784	Jdhine32.exe	Jjbako32.exe
PID 1436 wrote to memory of 3640	1436	Jjbako32.exe	Jmpngk32.exe
PID 1436 wrote to memory of 3640	1436	Jjbako32.exe	Jmpngk32.exe
PID 1436 wrote to memory of 3640	1436	Jjbako32.exe	Jmpngk32.exe
PID 3640 wrote to memory of 1064	3640	Jmpngk32.exe	Jpojcf32.exe
PID 3640 wrote to memory of 1064	3640	Jmpngk32.exe	Jpojcf32.exe
PID 3640 wrote to memory of 1064	3640	Jmpngk32.exe	Jpojcf32.exe
PID 1064 wrote to memory of 4476	1064	Jpojcf32.exe	Jfhbppbc.exe
PID 1064 wrote to memory of 4476	1064	Jpojcf32.exe	Jfhbppbc.exe
PID 1064 wrote to memory of 4476	1064	Jpojcf32.exe	Jfhbppbc.exe
PID 4476 wrote to memory of 3360	4476	Jfhbppbc.exe	Jigollag.exe
PID 4476 wrote to memory of 3360	4476	Jfhbppbc.exe	Jigollag.exe
PID 4476 wrote to memory of 3360	4476	Jfhbppbc.exe	Jigollag.exe
PID 3360 wrote to memory of 4892	3360	Jigollag.exe	Jangmibi.exe
PID 3360 wrote to memory of 4892	3360	Jigollag.exe	Jangmibi.exe
PID 3360 wrote to memory of 4892	3360	Jigollag.exe	Jangmibi.exe
PID 4892 wrote to memory of 4372	4892	Jangmibi.exe	Jdmcidam.exe
PID 4892 wrote to memory of 4372	4892	Jangmibi.exe	Jdmcidam.exe
PID 4892 wrote to memory of 4372	4892	Jangmibi.exe	Jdmcidam.exe
PID 4372 wrote to memory of 540	4372	Jdmcidam.exe	Jfkoeppq.exe
PID 4372 wrote to memory of 540	4372	Jdmcidam.exe	Jfkoeppq.exe
PID 4372 wrote to memory of 540	4372	Jdmcidam.exe	Jfkoeppq.exe
PID 540 wrote to memory of 2688	540	Jfkoeppq.exe	Jiikak32.exe
PID 540 wrote to memory of 2688	540	Jfkoeppq.exe	Jiikak32.exe
PID 540 wrote to memory of 2688	540	Jfkoeppq.exe	Jiikak32.exe
PID 2688 wrote to memory of 4856	2688	Jiikak32.exe	Kaqcbi32.exe
PID 2688 wrote to memory of 4856	2688	Jiikak32.exe	Kaqcbi32.exe
PID 2688 wrote to memory of 4856	2688	Jiikak32.exe	Kaqcbi32.exe
PID 4856 wrote to memory of 1568	4856	Kaqcbi32.exe	Kdopod32.exe
PID 4856 wrote to memory of 1568	4856	Kaqcbi32.exe	Kdopod32.exe
PID 4856 wrote to memory of 1568	4856	Kaqcbi32.exe	Kdopod32.exe
PID 1568 wrote to memory of 2184	1568	Kdopod32.exe	Kgmlkp32.exe
PID 1568 wrote to memory of 2184	1568	Kdopod32.exe	Kgmlkp32.exe
PID 1568 wrote to memory of 2184	1568	Kdopod32.exe	Kgmlkp32.exe
PID 2184 wrote to memory of 3600	2184	Kgmlkp32.exe	Kacphh32.exe

C:\Users\Admin\AppData\Local\Temp\69572f0bd7e14451ab45d987f0d08aa04343404757ee33dfda5e4874d9e00f50.exe
"C:\Users\Admin\AppData\Local\Temp\69572f0bd7e14451ab45d987f0d08aa04343404757ee33dfda5e4874d9e00f50.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4204

C:\Windows\SysWOW64\Iinlemia.exe
C:\Windows\system32\Iinlemia.exe
2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1820

C:\Windows\SysWOW64\Jdcpcf32.exe
C:\Windows\system32\Jdcpcf32.exe
3⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4740

C:\Windows\SysWOW64\Jfaloa32.exe
C:\Windows\system32\Jfaloa32.exe
4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1852

C:\Windows\SysWOW64\Jiphkm32.exe
C:\Windows\system32\Jiphkm32.exe
5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2860

C:\Windows\SysWOW64\Jpjqhgol.exe
C:\Windows\system32\Jpjqhgol.exe
6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5116

C:\Windows\SysWOW64\Jfdida32.exe
C:\Windows\system32\Jfdida32.exe
7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3528

C:\Windows\SysWOW64\Jibeql32.exe
C:\Windows\system32\Jibeql32.exe
8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4876

C:\Windows\SysWOW64\Jaimbj32.exe
C:\Windows\system32\Jaimbj32.exe
9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2412

C:\Windows\SysWOW64\Jdhine32.exe
C:\Windows\system32\Jdhine32.exe
10⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2784

C:\Windows\SysWOW64\Jjbako32.exe
C:\Windows\system32\Jjbako32.exe
11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1436

C:\Windows\SysWOW64\Jmpngk32.exe
C:\Windows\system32\Jmpngk32.exe
12⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3640

C:\Windows\SysWOW64\Jpojcf32.exe
C:\Windows\system32\Jpojcf32.exe
13⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1064

C:\Windows\SysWOW64\Jfhbppbc.exe
C:\Windows\system32\Jfhbppbc.exe
14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4476

C:\Windows\SysWOW64\Jigollag.exe
C:\Windows\system32\Jigollag.exe
15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3360

C:\Windows\SysWOW64\Jangmibi.exe
C:\Windows\system32\Jangmibi.exe
16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4892

C:\Windows\SysWOW64\Jdmcidam.exe
C:\Windows\system32\Jdmcidam.exe
17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4372

C:\Windows\SysWOW64\Jfkoeppq.exe
C:\Windows\system32\Jfkoeppq.exe
18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:540

C:\Windows\SysWOW64\Jiikak32.exe
C:\Windows\system32\Jiikak32.exe
19⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2688

C:\Windows\SysWOW64\Kaqcbi32.exe
C:\Windows\system32\Kaqcbi32.exe
20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4856

C:\Windows\SysWOW64\Kdopod32.exe
C:\Windows\system32\Kdopod32.exe
21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1568

C:\Windows\SysWOW64\Kgmlkp32.exe
C:\Windows\system32\Kgmlkp32.exe
22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2184

C:\Windows\SysWOW64\Kacphh32.exe
C:\Windows\system32\Kacphh32.exe
23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3600

C:\Windows\SysWOW64\Kdaldd32.exe
C:\Windows\system32\Kdaldd32.exe
24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4640

C:\Windows\SysWOW64\Kkkdan32.exe
C:\Windows\system32\Kkkdan32.exe
25⤵
- Executes dropped EXE
PID:1084

C:\Windows\SysWOW64\Kmjqmi32.exe
C:\Windows\system32\Kmjqmi32.exe
26⤵
- Executes dropped EXE
- Modifies registry class
PID:1280

C:\Windows\SysWOW64\Kphmie32.exe
C:\Windows\system32\Kphmie32.exe
27⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:368

C:\Windows\SysWOW64\Kdcijcke.exe
C:\Windows\system32\Kdcijcke.exe
28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4920

C:\Windows\SysWOW64\Kgbefoji.exe
C:\Windows\system32\Kgbefoji.exe
29⤵
- Executes dropped EXE
- Modifies registry class
PID:4612

C:\Windows\SysWOW64\Kknafn32.exe
C:\Windows\system32\Kknafn32.exe
30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4140

C:\Windows\SysWOW64\Kipabjil.exe
C:\Windows\system32\Kipabjil.exe
31⤵
- Executes dropped EXE
- Modifies registry class
PID:1476

C:\Windows\SysWOW64\Kagichjo.exe
C:\Windows\system32\Kagichjo.exe
32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2636

C:\Windows\SysWOW64\Kdffocib.exe
C:\Windows\system32\Kdffocib.exe
33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1912

C:\Windows\SysWOW64\Kgdbkohf.exe
C:\Windows\system32\Kgdbkohf.exe
34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3084

C:\Windows\SysWOW64\Kkpnlm32.exe
C:\Windows\system32\Kkpnlm32.exe
35⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4816

C:\Windows\SysWOW64\Kibnhjgj.exe
C:\Windows\system32\Kibnhjgj.exe
36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2396

C:\Windows\SysWOW64\Kajfig32.exe
C:\Windows\system32\Kajfig32.exe
37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:944

C:\Windows\SysWOW64\Kdhbec32.exe
C:\Windows\system32\Kdhbec32.exe
38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2044

C:\Windows\SysWOW64\Kkbkamnl.exe
C:\Windows\system32\Kkbkamnl.exe
39⤵
- Executes dropped EXE
PID:1780

C:\Windows\SysWOW64\Liekmj32.exe
C:\Windows\system32\Liekmj32.exe
40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1080

C:\Windows\SysWOW64\Lalcng32.exe
C:\Windows\system32\Lalcng32.exe
41⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2016

C:\Windows\SysWOW64\Ldkojb32.exe
C:\Windows\system32\Ldkojb32.exe
42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4776

C:\Windows\SysWOW64\Lgikfn32.exe
C:\Windows\system32\Lgikfn32.exe
43⤵
- Executes dropped EXE
- Modifies registry class
PID:3996

C:\Windows\SysWOW64\Lmccchkn.exe
C:\Windows\system32\Lmccchkn.exe
44⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1620

C:\Windows\SysWOW64\Lpappc32.exe
C:\Windows\system32\Lpappc32.exe
45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3708

C:\Windows\SysWOW64\Lcpllo32.exe
C:\Windows\system32\Lcpllo32.exe
46⤵
- Executes dropped EXE
- Modifies registry class
PID:3424

C:\Windows\SysWOW64\Lijdhiaa.exe
C:\Windows\system32\Lijdhiaa.exe
47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2168

C:\Windows\SysWOW64\Laalifad.exe
C:\Windows\system32\Laalifad.exe
48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2460

C:\Windows\SysWOW64\Lpcmec32.exe
C:\Windows\system32\Lpcmec32.exe
49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1488

C:\Windows\SysWOW64\Ldohebqh.exe
C:\Windows\system32\Ldohebqh.exe
50⤵
- Executes dropped EXE
PID:3312

C:\Windows\SysWOW64\Lgneampk.exe
C:\Windows\system32\Lgneampk.exe
51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3788

C:\Windows\SysWOW64\Lkiqbl32.exe
C:\Windows\system32\Lkiqbl32.exe
52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4556

C:\Windows\SysWOW64\Lilanioo.exe
C:\Windows\system32\Lilanioo.exe
53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4844

C:\Windows\SysWOW64\Laciofpa.exe
C:\Windows\system32\Laciofpa.exe
54⤵
- Executes dropped EXE
PID:1788

C:\Windows\SysWOW64\Lpfijcfl.exe
C:\Windows\system32\Lpfijcfl.exe
55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3508

C:\Windows\SysWOW64\Lcdegnep.exe
C:\Windows\system32\Lcdegnep.exe
56⤵
- Executes dropped EXE
- Modifies registry class
PID:2008

C:\Windows\SysWOW64\Lklnhlfb.exe
C:\Windows\system32\Lklnhlfb.exe
57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1572

C:\Windows\SysWOW64\Lnjjdgee.exe
C:\Windows\system32\Lnjjdgee.exe
58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3408

C:\Windows\SysWOW64\Lphfpbdi.exe
C:\Windows\system32\Lphfpbdi.exe
59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3140

C:\Windows\SysWOW64\Lcgblncm.exe
C:\Windows\system32\Lcgblncm.exe
60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1236

C:\Windows\SysWOW64\Lgbnmm32.exe
C:\Windows\system32\Lgbnmm32.exe
61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1056

C:\Windows\SysWOW64\Mjqjih32.exe
C:\Windows\system32\Mjqjih32.exe
62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1380

C:\Windows\SysWOW64\Mahbje32.exe
C:\Windows\system32\Mahbje32.exe
63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1768

C:\Windows\SysWOW64\Mdfofakp.exe
C:\Windows\system32\Mdfofakp.exe
64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4496

C:\Windows\SysWOW64\Mgekbljc.exe
C:\Windows\system32\Mgekbljc.exe
65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4916

C:\Windows\SysWOW64\Mjcgohig.exe
C:\Windows\system32\Mjcgohig.exe
66⤵
PID:3588

C:\Windows\SysWOW64\Majopeii.exe
C:\Windows\system32\Majopeii.exe
67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3316

C:\Windows\SysWOW64\Mpmokb32.exe
C:\Windows\system32\Mpmokb32.exe
68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1844

C:\Windows\SysWOW64\Mdiklqhm.exe
C:\Windows\system32\Mdiklqhm.exe
69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2548

C:\Windows\SysWOW64\Mgghhlhq.exe
C:\Windows\system32\Mgghhlhq.exe
70⤵
PID:2764

C:\Windows\SysWOW64\Mjeddggd.exe
C:\Windows\system32\Mjeddggd.exe
71⤵
- Drops file in System32 directory
PID:64

C:\Windows\SysWOW64\Mamleegg.exe
C:\Windows\system32\Mamleegg.exe
72⤵
PID:692

C:\Windows\SysWOW64\Mcnhmm32.exe
C:\Windows\system32\Mcnhmm32.exe
73⤵
- Drops file in System32 directory
PID:2000

C:\Windows\SysWOW64\Mgidml32.exe
C:\Windows\system32\Mgidml32.exe
74⤵
- Drops file in System32 directory
- Modifies registry class
PID:4484

C:\Windows\SysWOW64\Mncmjfmk.exe
C:\Windows\system32\Mncmjfmk.exe
75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4296

C:\Windows\SysWOW64\Mpaifalo.exe
C:\Windows\system32\Mpaifalo.exe
76⤵
- Drops file in System32 directory
PID:2900

C:\Windows\SysWOW64\Mcpebmkb.exe
C:\Windows\system32\Mcpebmkb.exe
77⤵
PID:60

C:\Windows\SysWOW64\Mkgmcjld.exe
C:\Windows\system32\Mkgmcjld.exe
78⤵
- Drops file in System32 directory
PID:3236

C:\Windows\SysWOW64\Mjjmog32.exe
C:\Windows\system32\Mjjmog32.exe
79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4148

C:\Windows\SysWOW64\Maaepd32.exe
C:\Windows\system32\Maaepd32.exe
80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1308

C:\Windows\SysWOW64\Mdpalp32.exe
C:\Windows\system32\Mdpalp32.exe
81⤵
- Modifies registry class
PID:3212

C:\Windows\SysWOW64\Nkjjij32.exe
C:\Windows\system32\Nkjjij32.exe
82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4400

C:\Windows\SysWOW64\Njljefql.exe
C:\Windows\system32\Njljefql.exe
83⤵
- Modifies registry class
PID:3680

C:\Windows\SysWOW64\Nqfbaq32.exe
C:\Windows\system32\Nqfbaq32.exe
84⤵
- Drops file in System32 directory
- Modifies registry class
PID:640

C:\Windows\SysWOW64\Nceonl32.exe
C:\Windows\system32\Nceonl32.exe
85⤵
- Drops file in System32 directory
- Modifies registry class
PID:3428

C:\Windows\SysWOW64\Nklfoi32.exe
C:\Windows\system32\Nklfoi32.exe
86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1884

C:\Windows\SysWOW64\Nqiogp32.exe
C:\Windows\system32\Nqiogp32.exe
87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:5000

C:\Windows\SysWOW64\Ncgkcl32.exe
C:\Windows\system32\Ncgkcl32.exe
88⤵
- Drops file in System32 directory
- Modifies registry class
PID:376

C:\Windows\SysWOW64\Njacpf32.exe
C:\Windows\system32\Njacpf32.exe
89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:3732

C:\Windows\SysWOW64\Nnmopdep.exe
C:\Windows\system32\Nnmopdep.exe
90⤵
- Modifies registry class
PID:3060

C:\Windows\SysWOW64\Nqklmpdd.exe
C:\Windows\system32\Nqklmpdd.exe
91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1772

C:\Windows\SysWOW64\Ndghmo32.exe
C:\Windows\system32\Ndghmo32.exe
92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:4480

C:\Windows\SysWOW64\Ngedij32.exe
C:\Windows\system32\Ngedij32.exe
93⤵
- Drops file in System32 directory
- Modifies registry class
PID:3032

C:\Windows\SysWOW64\Nkqpjidj.exe
C:\Windows\system32\Nkqpjidj.exe
94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:1320

C:\Windows\SysWOW64\Nnolfdcn.exe
C:\Windows\system32\Nnolfdcn.exe
95⤵
- Modifies registry class
PID:3504

C:\Windows\SysWOW64\Nqmhbpba.exe
C:\Windows\system32\Nqmhbpba.exe
96⤵
- Modifies registry class
PID:2092

C:\Windows\SysWOW64\Ndidbn32.exe
C:\Windows\system32\Ndidbn32.exe
97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:5064

C:\Windows\SysWOW64\Ncldnkae.exe
C:\Windows\system32\Ncldnkae.exe
98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5140

C:\Windows\SysWOW64\Nkcmohbg.exe
C:\Windows\system32\Nkcmohbg.exe
99⤵
PID:5188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5188 -s 408
100⤵
- Program crash
PID:5272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5188 -ip 5188
1⤵
PID:5248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Iinlemia.exe

Filesize
89KB

MD5
1e839952062f7cdd928b81c6d9f153dd

SHA1
8f2e7761f51de075ad1c98f0e896430351ac2e4c

SHA256
937b3fcc02253b7c1b050a730c333a70973943dd3f58dadb0b4c8829d6a4206c

SHA512
ac164d04263fac2ece651658b8409d1a3f838438958e74db248001a1da9a844af6f76ff7ff4943235ad74ff05253a29773607c05cf6897488f3359fcd68efdc4

Download Submit
C:\Windows\SysWOW64\Jaimbj32.exe

Filesize
89KB

MD5
90ca51d72fa929573ba73525c657aec5

SHA1
b034eaa3c621cfeef60ccf8d3e709ca2d0e9d862

SHA256
fd05e473eb3b8eb17678d835d9f0bc7eda1548533fe867866ff0d3dc3e6f508a

SHA512
d6de312f42b4f133d5b853a9a21479f4810e021d35f113428e920ea22caad63f8549b5f9f2aae9c5ecfc39ff47dd9eb99dfce92da06b9bd12a6fd239e3b472d7

Download Submit
C:\Windows\SysWOW64\Jangmibi.exe

Filesize
89KB

MD5
dd8b668157162fb3628e93b86ec9b468

SHA1
91b2efce79b16a697916d3723b93d3d1100f8317

SHA256
6050c05b550e5ca507e1a5b8125824a8fc62aae4064b43182e1bd48a0bb53cbc

SHA512
f9433f880b005de7eb758f1ad9c9a9ce0a929e72439c69a42dce47586b1c30906ee5abb62b776f5424fd5489002794115e3f259acd6900371879cbd08d656784

Download Submit
C:\Windows\SysWOW64\Jdcpcf32.exe

Filesize
89KB

MD5
88dad3dd246eb9540f28bbe82e8dcd5e

SHA1
5f0961679a10b0bc0e3dc65cf85d57ca0c90f04f

SHA256
9924398a0aedaaaeb0edf011f2fac8d37884eb2b9ad287bb206b6bcac231d280

SHA512
cd43366d98a7e47d78d6d1face07b09dd825c09db7b1a9ed5f20e8ca194a9562ad5debd27cdf302a81ab1ca376ede5aed5ff4b7ce4b0f8e2d3067110c3a43455

Download Submit
C:\Windows\SysWOW64\Jdhine32.exe

Filesize
89KB

MD5
7b3d500c23a51196355d4446f85a863f

SHA1
5d8965ebd235776ba5eb65cc227b95d6e56ae542

SHA256
0ffd0f7c85778f6e0c296027177aeac259c3b22970bb713e54fab2918a48f6ee

SHA512
a9065c713666d12cda443baeec2c49c7cf7ff0732dd64257b782e5f1c78cd02da1c9b9bf42de27557ece246bbf4ff17350ee796ee9b69821ce8346d972a0b15f

Download Submit
C:\Windows\SysWOW64\Jdmcidam.exe

Filesize
89KB

MD5
54c98dc9ea5bd8d59dc378b402237b1e

SHA1
4d8b38cdfa3e9b7094fb8350b859d77086d11ca0

SHA256
1cca3a3001953876d46b192445f9eb6f48d8a97ad33bb6de626f1b049b04e0c0

SHA512
3cf8aa0a5e41d0d3a5530a52f4db0a4690ec24cba3d00bc3235163ff95986368837bd5636ab9f521c792b3f336b74a468620eb1be0c42e96316090a55a25ec74

Download Submit
C:\Windows\SysWOW64\Jfaloa32.exe

Filesize
89KB

MD5
d98a97979f93aed0f0be88fc4a6e7e9f

SHA1
d300ea7a4efa0ec221a4a90140369711372785b9

SHA256
1ca49c0b93423f0d040e7c1cc1bcb58155704c98c715e487ce3c2cd72c19e8d7

SHA512
68a698c5d0e1b8d6557da41f5b00b87308d266db7ecfe3dc733aa9d3d531ede3872fff33625ed79a2cd1da26a5e516a654d10008f1e9ad4bfa925498431e1345

Download Submit
C:\Windows\SysWOW64\Jfdida32.exe

Filesize
89KB

MD5
a8e2518d748d570dc4bb49ff3a85cd9c

SHA1
0c96042205078de9553323453035a490a10436af

SHA256
e528ed9c0616c2f21dc085ca8f2cc2dbef4a3294deba533ae89ea8cbc78e2607

SHA512
6876955e4127a654c911266972423afb9130163626394e38275548e681985bd69d28a680047131c028e745dcdd834e59dd773af6937e53cff618865619be12a7

Download Submit
C:\Windows\SysWOW64\Jfhbppbc.exe

Filesize
89KB

MD5
37b584b3d3bcff44370a749948d46e01

SHA1
58e28e66ac6f4edafa45a12d800dc6973a36a9ef

SHA256
7dffdf8372d53f752abea0b8fdef66bae88a0501aad6c45705155b55c3cfabd6

SHA512
9401710259f7a65ce6bc17eef620c83ed8223a639b4b470148f6deb319f39a64b6735199a7dafdb3840c56028ac96d74e2c3a90cf44c2dc6308a65f738904507

Download Submit
C:\Windows\SysWOW64\Jfkoeppq.exe

Filesize
89KB

MD5
ffc5ee84fc0006c425796ff676bb8eed

SHA1
7e2c02e870d923601d15fbaf909f08ed02dfe3c3

SHA256
aef07f0bec5ce6daa9ac36b1a303b100164afb1b2de97417aa84e99ff2f04ff8

SHA512
28639ca07a2e82dcd78313523a8c356ed9ebe69ed32c368fab2ac739489973dd71115da34e5645455fe7bbdf31578fcd13c5de752a7a3243555c88a0ab9a8196

Download Submit
C:\Windows\SysWOW64\Jibeql32.exe

Filesize
89KB

MD5
984eed494b4efcfa2957a54b77cca8ce

SHA1
c2c765f378407e7a50cd625cb5ad18fed965551d

SHA256
a82f05a39242c9e9924b5c0a0150abb2aaf5e590a62672594cf7ed59fd22e112

SHA512
15e8805fad819bf748f3f26bf4779d7420dd3d4dc328211bbf86826064ef663190f3c6722ff0cd86480705a1487609a4ce769c2c2d96241362c6468d715fc612

Download Submit
C:\Windows\SysWOW64\Jigollag.exe

Filesize
89KB

MD5
b313de01a089b14a524bf9b18271cdfd

SHA1
187158b696ec95bc1cb4b3d10a9b5f5074e3cdba

SHA256
7956da89be6d811c5504b2ac9f2095fe38235adba158a95911b4f92da66c0749

SHA512
1fa1aa90c5640f9d490ba4d0c4125e006caf2bc56cb20f8ff3507d8c91ae020f7105ef2d652dc6d432f5279517ed56adce4bff0bb5d3e7914d89302d1afde6b2

Download Submit
C:\Windows\SysWOW64\Jiikak32.exe

Filesize
89KB

MD5
747c46fa70c8f27bfe03f24dcfafb53e

SHA1
a25f3f6e6e11359a9e671cc23f2228f9631b48f4

SHA256
9bf5af74edeb72e4c8e6f9394dcd3bcaebf965b4246f12c6d852ce9d8aab6d33

SHA512
ad67c178d7db5f66d5228ca2787c1a900ef23619e1f937c8fd6fb4ca70113c76d81199516cd9fd7725d5ebb4ff4d6012c0d5b4dda35eb3f2fe909566732b9c15

Download Submit
C:\Windows\SysWOW64\Jiphkm32.exe

Filesize
89KB

MD5
cd79447e15e414160a80e42c3da44469

SHA1
26ee41aea7c918ca96cae6795a89917b0531c9c4

SHA256
f23c7d3cff4c0d675628cca2d61761d182267f720e29f6b4ceb6e5fbc5892879

SHA512
2cf38de37cc4cc5d5f34cfafc27040bbe536b0b4a23302666f288acae171d2f62d0454512af59661b045e17ad0dd76cd77c6acac4b6208bfbe1ae0bb607dd28a

Download Submit
C:\Windows\SysWOW64\Jjbako32.exe

Filesize
89KB

MD5
fed4d82688f9f1d928e950f35d5f2e07

SHA1
ff790edc41365a38c1ae21b8af2cf12c5bf1d356

SHA256
c151908fbf403264314ebc6d43893930b5fbf8790d9fcc7ee6ff1ad6cd498903

SHA512
1864011a219ad355edf587320eae59817b77dbc8c7bd4df1636d1ca0c97d85a763aff6d76e2c2a88148d883a8a84f7c7ff7af20bdc9483d542240fd62eef37f4

Download Submit
C:\Windows\SysWOW64\Jmpngk32.exe

Filesize
89KB

MD5
23421c3a13210d83a60d7d4a5c4d9414

SHA1
240578f5d872b75c49d70c1a3745d27f83a64735

SHA256
7bf8d6b0b68bde1908788e020119f734efda8d4412f9d7ba7b2b3734860323fd

SHA512
b5a5db97e376653ae5331a89ab9acb3cdf3e4a8ac9c3f9fef2cb8217e4606dd702552c6489d3044278642fe30a829db85d42c7064e1a3ca2c11854e802ba22fd

Download Submit
C:\Windows\SysWOW64\Jpjqhgol.exe

Filesize
89KB

MD5
e82927c8d0853e9eac54368de9055a3b

SHA1
55b35f5fc60fd577497b2eb07bb37a32ee019bff

SHA256
11213986dee179e6165369f3b9bc51173691e17a8f1ca00fcf2b1f937d76f7f7

SHA512
914dc0dbc9fed0f0ca3d6ec592f46373dd5ebc69e4f5284a18817bdb1703bc01664562cc95a9361a56e60dd71bc00c155f69b34670c6823241264c7f152b51c8

Download Submit
C:\Windows\SysWOW64\Jpojcf32.exe

Filesize
89KB

MD5
283ea70b49ed3e888c5b93744170f3db

SHA1
0a00fff82b6ba3fc5299e620b80d53c55c4b6e8d

SHA256
38f2172fff665febca2b44c3ecd98c05214a447deb51805727aafdcdf89b3643

SHA512
4dcc97b9b412efc141ffa6d7575048e84f59b28aef89d1913ef11856fce14d891442866f3f9ecb98b47219b03439e091a22536ef49d5b572286f0a83853cceb7

Download Submit
C:\Windows\SysWOW64\Kacphh32.exe

Filesize
89KB

MD5
efd29c489fbc690bcab11f0756520d3d

SHA1
ea8683b3480fdb2f41c482613c95bf93506a87d0

SHA256
4238c165eb6923f5d508d6c3f2bfc3234b35de1b07216851b571b75f9f1d5476

SHA512
d519f344cd3306fc45fd644921a756f352ad4d58a8d87f25af61e4de0cd85fd1ad471c418c56702f3cf3998ddb9e55116c7523e915118474541f4afcb746f0c5

Download Submit
C:\Windows\SysWOW64\Kagichjo.exe

Filesize
89KB

MD5
56d3eb2b2de4193b3f8f54da56c3d229

SHA1
9ae00ee3f2f0c93b993855269e41237e9e76dc1b

SHA256
477249232a32ba6f51ff65fbde22406f263936e0ebb7deb7298351df330e0138

SHA512
62ee1f67a7b7707aa7e1bb638f8dd6ced423fe4d7feba518665170eaf928d0efc22e066cf2142e72bcb5baa1be1bfce09f8dfc26e1499e37041171be7a3ba18b

Download Submit
C:\Windows\SysWOW64\Kaqcbi32.exe

Filesize
89KB

MD5
739e88a33997c1f6e3633a1e5aa01766

SHA1
e4c2b6d5ad1d73b2fc4b552a387dadb12a75f08b

SHA256
47a8b09be179f3b662ea69e9ccba9ac3c56e0be26384f84c42cfd3e7ef7b5498

SHA512
3ea579827b5faf1062a34d8d735be9b8f7928bb71ea3569357253735991b95209b28ab6abc14445720eb43126de247ab52a6c1a236ecb4b5d23ad24fca521e09

Download Submit
C:\Windows\SysWOW64\Kdaldd32.exe

Filesize
89KB

MD5
cdbc0943400de0a44e0775020868e334

SHA1
73139e5b822bb6b3b4501d7e2d88b143cca44ba0

SHA256
456808d62394f534e6acae1dab998298e8a5b919e2c8b9f33c822058e3f75fd3

SHA512
a5909768593ef456e04f5a7a86b69ffd01943e493bba443450aab78906c8159344bc0ad7e3e1f59bf1931f61f219623457218ade73e611eb6eceba893580c3b6

Download Submit
C:\Windows\SysWOW64\Kdcijcke.exe

Filesize
89KB

MD5
e2b1c434baf57059eb88eddacd033c53

SHA1
052e3be808ed3816debc00968a0e31c362e03671

SHA256
2d1e840579771ef2a477a1cf12b488602f15b448d0387233ffe9ab6a159f8c93

SHA512
df67cdabca8261234fb68a47ba92092fd110401c26bb1a0a126268a04d1a3d51ea9f0bc1c47296b542add8d19f7657a96569ed0762136fff293a2e058671aea9

Download Submit
C:\Windows\SysWOW64\Kdffocib.exe

Filesize
89KB

MD5
23845c9073bfafb8dfb94c7895a05895

SHA1
25b7c0055e51746e79e67d1e7f91152fd393b305

SHA256
9be57fdd19433c4f2f6952ec7b431416e0300fb55ba1e3b461f8b7a652fb1952

SHA512
f6cceb991e985b4a83b86a5288a922094a0a62e9e00f3612dcc54b04d1d541ad7b78d2183090e6adcecfe45747041c7a9e67a8d2a91b4cdd6395adae5389a447

Download Submit
C:\Windows\SysWOW64\Kdhbec32.exe

Filesize
89KB

MD5
4f041a5fff08ead4b5f19c7c3dd5846e

SHA1
3d4432619b96c86427374d88020573368f48f0ef

SHA256
8b727a316b51ba599933966d015b6a1101430bedf4069145625956c07b8e9eca

SHA512
42955acd33a25f4c9ea6e68e8e2e42826f83786f79eb9a3d619381d9a5d2770e99821134a49760a4f53552d5b0bf3e9b1d004d43f3c0113d8d141aef6168c688

Download Submit
C:\Windows\SysWOW64\Kdopod32.exe

Filesize
89KB

MD5
85180f0a07303d57d880e40123de92da

SHA1
830b8d27539cc741150767c385a3af072fa80d58

SHA256
c8460e2ecda04a197558d843cce7388a0c3ef7276c0f674a755610bf374cc542

SHA512
e6c4d90ef17ab4c374d197059aa499308d15f157fe10b76d2aca7be2afaf19ef2eac9faf226d3bd3d52760459a7b7795aaba8bb2baec7e5740e4f871bfab23d5

Download Submit
C:\Windows\SysWOW64\Kgbefoji.exe

Filesize
89KB

MD5
0361db51813dfec3d2e921089c910c6d

SHA1
432afae8ac80d2691ab04fdb6f8156b764f71447

SHA256
5e3ab6f2536d28b325f37f2ee09d0f67a5f7ce4351ae549d6b420c163e1454d6

SHA512
5462686803097e03623db2b08151e4d611676b5a88294ac6d5a9fe56f4959c40a5275ea142770e96d4a8f56508740c96aae786d8456151c110c035add2021327

Download Submit
C:\Windows\SysWOW64\Kgmlkp32.exe

Filesize
89KB

MD5
56d80577d467ae3082774efbc44ad06c

SHA1
d6745b61adbc1b63abccf871e431541d59bf54ba

SHA256
248234823df17d62833a102aeb3faf8d510f8c931738d898e78f52435ee4c14a

SHA512
44381f941c4818df8bf61336d578164d083dfbc9b81f3f425b5b665625d5150e3eed41aab7433acd30c135fe6462f43b0d3d20617644865da22221189865efd7

Download Submit
C:\Windows\SysWOW64\Kipabjil.exe

Filesize
89KB

MD5
5b7153d0414714de4c425cd209def47c

SHA1
252c413c287acadc8810c07d6829aef9ae7090d0

SHA256
65bbf8369eec75e8dc88878dc490b2b90f43f4de683309dd326dfd0a71df5e87

SHA512
7e448c6d9e445a59a216a7afd49e5604e376d74aa1b1ee5fd5fb2f5c44990f769de8d2358b96a33a219e6a640288153dfc27b86f9f13680ee8a1938660306503

Download Submit
C:\Windows\SysWOW64\Kkkdan32.exe

Filesize
89KB

MD5
90f9689eb9a1b56391d4484b75a77081

SHA1
e67f73138790c965428746802fed984c4198b481

SHA256
d8c829651d6e93ab1658ba12a933c8940fd2156156c242bab8a3e4aa21b30f26

SHA512
23450295e7c9ecb1035a879d0d05051b011c0251ac6b933c7f479ece21dd723d79fc886e59052cbd109f7676fd00ca97eb861127643f08135249c343465b6d00

Download Submit
C:\Windows\SysWOW64\Kknafn32.exe

Filesize
89KB

MD5
5044fa8d25bccfda74572d6313f53689

SHA1
da3a8b33e22d95555de17ededbc22b7f6419ab24

SHA256
60cf44fd8da353953932cde5bcaa6a9fb573534a1d5541eb8bb75b41382d27d6

SHA512
1e825191a5d7dd11febfe779846e7daa281c863e07e1ed532ba4aa679e05daa6edc9859b6551eed2d4b0ef785b3dfaf3753e932deac42f6b870a227968f75122

Download Submit
C:\Windows\SysWOW64\Kmjqmi32.exe

Filesize
89KB

MD5
fbf299b954194500b9e5b7e2eef79484

SHA1
ed5a9d022e04cd5131f33d5b621a6550fe824568

SHA256
be2e00838e7b16a1bcf3a4dba919986bb774d937b57d48b8784552df5b316b4e

SHA512
25acfdc958c46a88bb95f37d377a9691d7422f4b4e61cc2b390da51ebe01c125c55a9c5726c33759644f3371daba24be3743c104bde5c226268f2259b561387a

Download Submit
C:\Windows\SysWOW64\Kphmie32.exe

Filesize
89KB

MD5
bdddbee5d8e563e9955fc14683a1f772

SHA1
715f85775ea7ac7c6317c444e6519b49b94d9e79

SHA256
d812875e1fabb592b994ac052b9a9dafd7f7ef85511dd020731d7739d9d60f5d

SHA512
4409c93a0121e1da2a6fcf00b0b227f6ab7c162e28f1a4e337f4ba9e0d09aae0f044936eddbbcda33b2be2f57ed585e077d02473e215eb547bbc6f37b85bcbf5

Download Submit
C:\Windows\SysWOW64\Nklfoi32.exe

Filesize
89KB

MD5
c33209c8c083e14d1b844c1ca974d3aa

SHA1
eb69854ff91aeac5b42ab55bce91b9c1f78ee3eb

SHA256
6c77bb25d8d715c13f9ba17fcc128254b1a967d989d0c1f1f2223b41c43d257e

SHA512
2a6e717c673b5576053a5f227ac583b05e02be8c70c3ce82d1633b861b50cc045d7811b1d81cc331abca98194d215fd018e59ff7ee869248bc3ee85882a3c73a

Download Submit
memory/60-525-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/64-489-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/368-209-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/540-137-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/640-571-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/692-491-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/944-281-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1056-429-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1064-97-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1080-304-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1084-197-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1236-423-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1280-201-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1308-539-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1380-435-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1436-81-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1476-245-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1488-357-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1568-161-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1572-401-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1620-323-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1768-441-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1780-297-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1788-387-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1820-552-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1820-9-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1844-472-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1852-566-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1852-25-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1884-586-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1912-256-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2000-501-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2008-399-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2016-305-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2044-287-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2168-341-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2184-169-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2396-279-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2412-65-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2460-351-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2548-477-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2636-249-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2688-145-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2764-479-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2784-73-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2860-573-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2860-33-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2900-519-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3084-267-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3140-417-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3212-546-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3236-527-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3312-359-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3316-465-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3360-113-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3408-412-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3424-340-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3428-575-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3508-391-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3528-49-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3528-587-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3588-455-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3600-177-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3640-89-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3680-565-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3708-329-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3788-369-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3996-322-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4140-237-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4148-537-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4204-545-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4204-5-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/4204-4-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4296-509-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4372-129-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4400-553-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4476-105-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4484-503-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4496-443-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4556-375-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4612-230-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4640-185-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4740-20-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4740-563-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4776-311-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4816-273-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4844-377-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4856-153-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4876-57-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4876-594-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4892-121-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4916-449-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4920-217-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5000-592-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5116-580-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5116-41-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download