6e110f7e74763992fd82aa37563926d5767b134bf02e300ca35a42ec4cafc20c

Analysis

max time kernel
134s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 01:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6e110f7e74763992fd82aa37563926d5767b134bf02e300ca35a42ec4cafc20c.exe
Size

96KB
MD5

14577b67f31809a0b72f49818496c0a0
SHA1

a2514f6fa8267e921ef08de4adcae1b74b4e98c0
SHA256

6e110f7e74763992fd82aa37563926d5767b134bf02e300ca35a42ec4cafc20c
SHA512

96571e376630a5245e01fbad18efa8e834c676eac69c90c7c1a689bf3c5706705aa204ca3cf7aca8f6e4f8b0ecc3f7c6dc8d8423d3bcc52023e6e68de530a6fb
SSDEEP

1536:QwnVyR9HiNjtWaJ/Xy6b0h1FCZWFnZwO9zMANL2LI7RZObZUUWaegPYA:9wQZ7Ry6b0fo9O2rIClUUWae

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 30 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Ngjdopkg.exeNoalpmli.exeNkagdoge.exeNqqlbe32.exeNnbpfj32.exeNghgipmj.exeNoopjmnl.exeObphlhkm.exeOendhdjq.exe6e110f7e74763992fd82aa37563926d5767b134bf02e300ca35a42ec4cafc20c.exeNbkoai32.exeNejkmdnf.exeNicjhchb.exeNqlbgfhp.exeNomcen32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngjdopkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Noalpmli.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkagdoge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqqlbe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkagdoge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnbpfj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nghgipmj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Noopjmnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Noopjmnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Obphlhkm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oendhdjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	6e110f7e74763992fd82aa37563926d5767b134bf02e300ca35a42ec4cafc20c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbkoai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nejkmdnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqqlbe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	6e110f7e74763992fd82aa37563926d5767b134bf02e300ca35a42ec4cafc20c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nicjhchb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkoai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nghgipmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnbpfj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Noalpmli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqlbgfhp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nomcen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nejkmdnf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqlbgfhp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nicjhchb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Obphlhkm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oendhdjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nomcen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngjdopkg.exe

Executes dropped EXE 15 IoCs

Processes:

Nqlbgfhp.exeNicjhchb.exeNkagdoge.exeNomcen32.exeNbkoai32.exeNejkmdnf.exeNghgipmj.exeNoopjmnl.exeNnbpfj32.exeNqqlbe32.exeNgjdopkg.exeNoalpmli.exeObphlhkm.exeOendhdjq.exeOgmado32.exe

pid	process
2708	Nqlbgfhp.exe
1932	Nicjhchb.exe
3504	Nkagdoge.exe
3016	Nomcen32.exe
3360	Nbkoai32.exe
1188	Nejkmdnf.exe
612	Nghgipmj.exe
4604	Noopjmnl.exe
4956	Nnbpfj32.exe
2604	Nqqlbe32.exe
3168	Ngjdopkg.exe
3180	Noalpmli.exe
3524	Obphlhkm.exe
4292	Oendhdjq.exe
2128	Ogmado32.exe

Drops file in System32 directory 45 IoCs

Processes:

Noalpmli.exeOendhdjq.exeNqlbgfhp.exeNoopjmnl.exeNnbpfj32.exeNgjdopkg.exeNqqlbe32.exe6e110f7e74763992fd82aa37563926d5767b134bf02e300ca35a42ec4cafc20c.exeNbkoai32.exeNghgipmj.exeNicjhchb.exeNejkmdnf.exeNomcen32.exeObphlhkm.exeNkagdoge.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Obphlhkm.exe	Noalpmli.exe
File created	C:\Windows\SysWOW64\Ogmado32.exe	Oendhdjq.exe
File created	C:\Windows\SysWOW64\Nicjhchb.exe	Nqlbgfhp.exe
File created	C:\Windows\SysWOW64\Cmhdhd32.dll	Nqlbgfhp.exe
File opened for modification	C:\Windows\SysWOW64\Nnbpfj32.exe	Noopjmnl.exe
File created	C:\Windows\SysWOW64\Noggbepn.dll	Nnbpfj32.exe
File created	C:\Windows\SysWOW64\Noalpmli.exe	Ngjdopkg.exe
File created	C:\Windows\SysWOW64\Pminhodj.dll	Noopjmnl.exe
File opened for modification	C:\Windows\SysWOW64\Nqqlbe32.exe	Nnbpfj32.exe
File created	C:\Windows\SysWOW64\Minigl32.dll	Nqqlbe32.exe
File created	C:\Windows\SysWOW64\Lbjljm32.dll	6e110f7e74763992fd82aa37563926d5767b134bf02e300ca35a42ec4cafc20c.exe
File opened for modification	C:\Windows\SysWOW64\Nejkmdnf.exe	Nbkoai32.exe
File created	C:\Windows\SysWOW64\Midmcack.dll	Nbkoai32.exe
File created	C:\Windows\SysWOW64\Noopjmnl.exe	Nghgipmj.exe
File opened for modification	C:\Windows\SysWOW64\Noopjmnl.exe	Nghgipmj.exe
File opened for modification	C:\Windows\SysWOW64\Obphlhkm.exe	Noalpmli.exe
File opened for modification	C:\Windows\SysWOW64\Ogmado32.exe	Oendhdjq.exe
File created	C:\Windows\SysWOW64\Fbepgcne.dll	Nicjhchb.exe
File created	C:\Windows\SysWOW64\Nghgipmj.exe	Nejkmdnf.exe
File opened for modification	C:\Windows\SysWOW64\Nghgipmj.exe	Nejkmdnf.exe
File created	C:\Windows\SysWOW64\Nnbpfj32.exe	Noopjmnl.exe
File created	C:\Windows\SysWOW64\Eecngcdn.dll	Nomcen32.exe
File opened for modification	C:\Windows\SysWOW64\Ngjdopkg.exe	Nqqlbe32.exe
File opened for modification	C:\Windows\SysWOW64\Noalpmli.exe	Ngjdopkg.exe
File opened for modification	C:\Windows\SysWOW64\Nicjhchb.exe	Nqlbgfhp.exe
File created	C:\Windows\SysWOW64\Nqqlbe32.exe	Nnbpfj32.exe
File created	C:\Windows\SysWOW64\Bpghfp32.dll	Noalpmli.exe
File created	C:\Windows\SysWOW64\Jmfijb32.dll	Ngjdopkg.exe
File created	C:\Windows\SysWOW64\Pmkcjf32.dll	Obphlhkm.exe
File opened for modification	C:\Windows\SysWOW64\Nkagdoge.exe	Nicjhchb.exe
File opened for modification	C:\Windows\SysWOW64\Nomcen32.exe	Nkagdoge.exe
File created	C:\Windows\SysWOW64\Nbkoai32.exe	Nomcen32.exe
File created	C:\Windows\SysWOW64\Nejkmdnf.exe	Nbkoai32.exe
File created	C:\Windows\SysWOW64\Kpiecl32.dll	Nghgipmj.exe
File created	C:\Windows\SysWOW64\Oendhdjq.exe	Obphlhkm.exe
File created	C:\Windows\SysWOW64\Daifcmfa.dll	Oendhdjq.exe
File created	C:\Windows\SysWOW64\Nqlbgfhp.exe	6e110f7e74763992fd82aa37563926d5767b134bf02e300ca35a42ec4cafc20c.exe
File opened for modification	C:\Windows\SysWOW64\Nqlbgfhp.exe	6e110f7e74763992fd82aa37563926d5767b134bf02e300ca35a42ec4cafc20c.exe
File created	C:\Windows\SysWOW64\Lbcojfeb.dll	Nkagdoge.exe
File opened for modification	C:\Windows\SysWOW64\Nbkoai32.exe	Nomcen32.exe
File created	C:\Windows\SysWOW64\Ngjdopkg.exe	Nqqlbe32.exe
File created	C:\Windows\SysWOW64\Nkagdoge.exe	Nicjhchb.exe
File created	C:\Windows\SysWOW64\Nomcen32.exe	Nkagdoge.exe
File created	C:\Windows\SysWOW64\Lcmbkd32.dll	Nejkmdnf.exe
File opened for modification	C:\Windows\SysWOW64\Oendhdjq.exe	Obphlhkm.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process

1644 2128 WerFault.exe

pid	pid_target	process
1644	2128	WerFault.exe

Modifies registry class 48 IoCs

Processes:

6e110f7e74763992fd82aa37563926d5767b134bf02e300ca35a42ec4cafc20c.exeNomcen32.exeNghgipmj.exeNoopjmnl.exeNejkmdnf.exeNnbpfj32.exeNqlbgfhp.exeNgjdopkg.exeOendhdjq.exeObphlhkm.exeNbkoai32.exeNqqlbe32.exeNicjhchb.exeNkagdoge.exeNoalpmli.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	6e110f7e74763992fd82aa37563926d5767b134bf02e300ca35a42ec4cafc20c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nomcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nghgipmj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Noopjmnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	6e110f7e74763992fd82aa37563926d5767b134bf02e300ca35a42ec4cafc20c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbjljm32.dll"	6e110f7e74763992fd82aa37563926d5767b134bf02e300ca35a42ec4cafc20c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nejkmdnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Noopjmnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnbpfj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	6e110f7e74763992fd82aa37563926d5767b134bf02e300ca35a42ec4cafc20c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqlbgfhp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpiecl32.dll"	Nghgipmj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnbpfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngjdopkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oendhdjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmfijb32.dll"	Ngjdopkg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Obphlhkm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	6e110f7e74763992fd82aa37563926d5767b134bf02e300ca35a42ec4cafc20c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eecngcdn.dll"	Nomcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Midmcack.dll"	Nbkoai32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nejkmdnf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nghgipmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pminhodj.dll"	Noopjmnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oendhdjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Minigl32.dll"	Nqqlbe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmkcjf32.dll"	Obphlhkm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	6e110f7e74763992fd82aa37563926d5767b134bf02e300ca35a42ec4cafc20c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqlbgfhp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nicjhchb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbepgcne.dll"	Nicjhchb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nicjhchb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbcojfeb.dll"	Nkagdoge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Obphlhkm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpghfp32.dll"	Noalpmli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Noalpmli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkagdoge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbkoai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbkoai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcmbkd32.dll"	Nejkmdnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Noggbepn.dll"	Nnbpfj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Noalpmli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Daifcmfa.dll"	Oendhdjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmhdhd32.dll"	Nqlbgfhp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkagdoge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nomcen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqqlbe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqqlbe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngjdopkg.exe

Suspicious use of WriteProcessMemory 45 IoCs

Processes:

6e110f7e74763992fd82aa37563926d5767b134bf02e300ca35a42ec4cafc20c.exeNqlbgfhp.exeNicjhchb.exeNkagdoge.exeNomcen32.exeNbkoai32.exeNejkmdnf.exeNghgipmj.exeNoopjmnl.exeNnbpfj32.exeNqqlbe32.exeNgjdopkg.exeNoalpmli.exeObphlhkm.exeOendhdjq.exe

description	pid	process	target process
PID 4540 wrote to memory of 2708	4540	6e110f7e74763992fd82aa37563926d5767b134bf02e300ca35a42ec4cafc20c.exe	Nqlbgfhp.exe
PID 4540 wrote to memory of 2708	4540	6e110f7e74763992fd82aa37563926d5767b134bf02e300ca35a42ec4cafc20c.exe	Nqlbgfhp.exe
PID 4540 wrote to memory of 2708	4540	6e110f7e74763992fd82aa37563926d5767b134bf02e300ca35a42ec4cafc20c.exe	Nqlbgfhp.exe
PID 2708 wrote to memory of 1932	2708	Nqlbgfhp.exe	Nicjhchb.exe
PID 2708 wrote to memory of 1932	2708	Nqlbgfhp.exe	Nicjhchb.exe
PID 2708 wrote to memory of 1932	2708	Nqlbgfhp.exe	Nicjhchb.exe
PID 1932 wrote to memory of 3504	1932	Nicjhchb.exe	Nkagdoge.exe
PID 1932 wrote to memory of 3504	1932	Nicjhchb.exe	Nkagdoge.exe
PID 1932 wrote to memory of 3504	1932	Nicjhchb.exe	Nkagdoge.exe
PID 3504 wrote to memory of 3016	3504	Nkagdoge.exe	Nomcen32.exe
PID 3504 wrote to memory of 3016	3504	Nkagdoge.exe	Nomcen32.exe
PID 3504 wrote to memory of 3016	3504	Nkagdoge.exe	Nomcen32.exe
PID 3016 wrote to memory of 3360	3016	Nomcen32.exe	Nbkoai32.exe
PID 3016 wrote to memory of 3360	3016	Nomcen32.exe	Nbkoai32.exe
PID 3016 wrote to memory of 3360	3016	Nomcen32.exe	Nbkoai32.exe
PID 3360 wrote to memory of 1188	3360	Nbkoai32.exe	Nejkmdnf.exe
PID 3360 wrote to memory of 1188	3360	Nbkoai32.exe	Nejkmdnf.exe
PID 3360 wrote to memory of 1188	3360	Nbkoai32.exe	Nejkmdnf.exe
PID 1188 wrote to memory of 612	1188	Nejkmdnf.exe	Nghgipmj.exe
PID 1188 wrote to memory of 612	1188	Nejkmdnf.exe	Nghgipmj.exe
PID 1188 wrote to memory of 612	1188	Nejkmdnf.exe	Nghgipmj.exe
PID 612 wrote to memory of 4604	612	Nghgipmj.exe	Noopjmnl.exe
PID 612 wrote to memory of 4604	612	Nghgipmj.exe	Noopjmnl.exe
PID 612 wrote to memory of 4604	612	Nghgipmj.exe	Noopjmnl.exe
PID 4604 wrote to memory of 4956	4604	Noopjmnl.exe	Nnbpfj32.exe
PID 4604 wrote to memory of 4956	4604	Noopjmnl.exe	Nnbpfj32.exe
PID 4604 wrote to memory of 4956	4604	Noopjmnl.exe	Nnbpfj32.exe
PID 4956 wrote to memory of 2604	4956	Nnbpfj32.exe	Nqqlbe32.exe
PID 4956 wrote to memory of 2604	4956	Nnbpfj32.exe	Nqqlbe32.exe
PID 4956 wrote to memory of 2604	4956	Nnbpfj32.exe	Nqqlbe32.exe
PID 2604 wrote to memory of 3168	2604	Nqqlbe32.exe	Ngjdopkg.exe
PID 2604 wrote to memory of 3168	2604	Nqqlbe32.exe	Ngjdopkg.exe
PID 2604 wrote to memory of 3168	2604	Nqqlbe32.exe	Ngjdopkg.exe
PID 3168 wrote to memory of 3180	3168	Ngjdopkg.exe	Noalpmli.exe
PID 3168 wrote to memory of 3180	3168	Ngjdopkg.exe	Noalpmli.exe
PID 3168 wrote to memory of 3180	3168	Ngjdopkg.exe	Noalpmli.exe
PID 3180 wrote to memory of 3524	3180	Noalpmli.exe	Obphlhkm.exe
PID 3180 wrote to memory of 3524	3180	Noalpmli.exe	Obphlhkm.exe
PID 3180 wrote to memory of 3524	3180	Noalpmli.exe	Obphlhkm.exe
PID 3524 wrote to memory of 4292	3524	Obphlhkm.exe	Oendhdjq.exe
PID 3524 wrote to memory of 4292	3524	Obphlhkm.exe	Oendhdjq.exe
PID 3524 wrote to memory of 4292	3524	Obphlhkm.exe	Oendhdjq.exe
PID 4292 wrote to memory of 2128	4292	Oendhdjq.exe	Ogmado32.exe
PID 4292 wrote to memory of 2128	4292	Oendhdjq.exe	Ogmado32.exe
PID 4292 wrote to memory of 2128	4292	Oendhdjq.exe	Ogmado32.exe

C:\Users\Admin\AppData\Local\Temp\6e110f7e74763992fd82aa37563926d5767b134bf02e300ca35a42ec4cafc20c.exe
"C:\Users\Admin\AppData\Local\Temp\6e110f7e74763992fd82aa37563926d5767b134bf02e300ca35a42ec4cafc20c.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4540

C:\Windows\SysWOW64\Nqlbgfhp.exe
C:\Windows\system32\Nqlbgfhp.exe
2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2708

C:\Windows\SysWOW64\Nicjhchb.exe
C:\Windows\system32\Nicjhchb.exe
3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1932

C:\Windows\SysWOW64\Nkagdoge.exe
C:\Windows\system32\Nkagdoge.exe
4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3504

C:\Windows\SysWOW64\Nomcen32.exe
C:\Windows\system32\Nomcen32.exe
5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3016

C:\Windows\SysWOW64\Nbkoai32.exe
C:\Windows\system32\Nbkoai32.exe
6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3360

C:\Windows\SysWOW64\Nejkmdnf.exe
C:\Windows\system32\Nejkmdnf.exe
7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1188

C:\Windows\SysWOW64\Nghgipmj.exe
C:\Windows\system32\Nghgipmj.exe
8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:612

C:\Windows\SysWOW64\Noopjmnl.exe
C:\Windows\system32\Noopjmnl.exe
9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4604

C:\Windows\SysWOW64\Nnbpfj32.exe
C:\Windows\system32\Nnbpfj32.exe
10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4956

C:\Windows\SysWOW64\Nqqlbe32.exe
C:\Windows\system32\Nqqlbe32.exe
11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2604

C:\Windows\SysWOW64\Ngjdopkg.exe
C:\Windows\system32\Ngjdopkg.exe
12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3168

C:\Windows\SysWOW64\Noalpmli.exe
C:\Windows\system32\Noalpmli.exe
13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3180

C:\Windows\SysWOW64\Obphlhkm.exe
C:\Windows\system32\Obphlhkm.exe
14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3524

C:\Windows\SysWOW64\Oendhdjq.exe
C:\Windows\system32\Oendhdjq.exe
15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4292

C:\Windows\SysWOW64\Ogmado32.exe
C:\Windows\system32\Ogmado32.exe
16⤵
- Executes dropped EXE
PID:2128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2128 -s 408
17⤵
- Program crash
PID:1644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 2128 -ip 2128
1⤵
PID:4488

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Nbkoai32.exe
Filesize
96KB

MD5
ff25b42787279b8d38a1f37f75b44d16

SHA1
84973432cfab883d5d56d4500925d7805e406f8f

SHA256
32fcb615d17d9c4e97a5acb5335b33dc9a05e48800f89bd3639eac647ac86e8c

SHA512
eb8e7caff65af01598f939b609149a2055e92334a2ea96d8ba2e982c7431fcb54e2173fef44df7fe1b01ec43b8e1cdedcab8761bce0228f03af88d03fbf973db

Download Submit
C:\Windows\SysWOW64\Nejkmdnf.exe
Filesize
96KB

MD5
30bd7900873a2147cef3056899138c8d

SHA1
ec7017fac9a02734edbeb288eea756c23b1d8a16

SHA256
48599ad0e2b374ba9d0e8a5f99bcebd12b0c66a579b092e505f5687bc72cd088

SHA512
289f0478cb14c019018f7f2d40eaeccf66a28f722a9dc81990b3d72c83a6214cea8d8b5f81e2ac98c8a6324f5f1cd2820b63fc72adcdec93804c17569bedad7b

Download Submit
C:\Windows\SysWOW64\Nghgipmj.exe
Filesize
96KB

MD5
57ffa8f623e683eb5ce684e77511997d

SHA1
48db68acd1784e47317f8033b8a0a132f70f6518

SHA256
73ba5f3e2ff9b1b35fa5c9a6ef35a4e099aac0503e684fc484ea2b079a3fa190

SHA512
19066dc88801dc01b31fa55e3b6fd3d8f9840a4c250ca3132f895c7f61fec9b3520684e13a6659156afef80ac070f7dd430d4b4784619d769c4a777f26505b12

Download Submit
C:\Windows\SysWOW64\Ngjdopkg.exe
Filesize
96KB

MD5
0eb075fc93fe262b885442957f81ed5b

SHA1
4ee41ce3dce5c0a081768c19bb5540f1f1e09b11

SHA256
02aaaf3bcb4ce9472bcdf7b5e75cac2f33c52b77965c99621d08c7bf8884d105

SHA512
36fe7b63e9a19bb66655e3cdd8eb2993126e22be674bd6fd075076b6fb62acda8973607b68eed9f669aceeab0c2d3d2b898058ffe085aab3da313e000d9e9b7a

Download Submit
C:\Windows\SysWOW64\Ngjdopkg.exe
Filesize
96KB

MD5
fc7ccc3d2478194a7528a1b768291926

SHA1
c794bf12c30410a0c7fedae18aebe0a31a8c9739

SHA256
580d85ce00156a2308e88031df91ac37c6afdae5ab6047cf475c12fa8f81d148

SHA512
3d7d5c7e070b3eb37262671002b571c993a3e08e39a70caa0184b134def3b6ef095920e1c347d19ff56de1f9125a921215146930af93bf0b03823e3079c9a844

Download Submit
C:\Windows\SysWOW64\Nicjhchb.exe
Filesize
96KB

MD5
de5d3601b0921135d45973586189aff8

SHA1
7399fc2aa1b86b76152b12caa4b7ae838fd5371c

SHA256
d1f7d6ac0135a002c2ba55974b18bc2e239b7b611fd50fbbfa7cb3ea1eebc254

SHA512
c03b8968995131bd1b4e0ea127f1b2de2473507fb95c716108e79b86780354d4042336b4238add0dcda4fc0fac8054ceb8d6c84fe05682858b52949f4f463e65

Download Submit
C:\Windows\SysWOW64\Nkagdoge.exe
Filesize
96KB

MD5
39668743fcce583d43783b80e9fbceaf

SHA1
cf4fb45005cc2118d24e9eaa72d0176add72f5ee

SHA256
0a66b565948175d302206924d9a53130b7971573f9512363c3dd3615e1137f5a

SHA512
e3d20cb630e42abe4bb90b5f77cbb3a990b529748cd10ce0ebd26caa6859184387edb462b27a168e6c897dd1147162fa16e1973aa46d8219bdb8de6768de8637

Download Submit
C:\Windows\SysWOW64\Nnbpfj32.exe
Filesize
96KB

MD5
f4e156bfff967b89416a5b3a80312d8f

SHA1
520e6e8500b1c0fcfb3c4d3f6d4389ac936aad67

SHA256
14d3bfe31b300f998cd162cab41130a00e975c6e2cb3e2b41aaa8c1e9950e216

SHA512
c8929b383fb29b0939f5e73b03f57ae1d3d335464015a936ee8f2f94a37b43071d43678edab506699c959293087c9b8a96ee32e27298fa6b920c862e00f5f346

Download Submit
C:\Windows\SysWOW64\Noalpmli.exe
Filesize
96KB

MD5
156cee528b9cc55a39be1ff37c2044f3

SHA1
cc07d749d085e637e65752fef02fbac922114b4b

SHA256
e6bd1683eb4b2b9586a412110bdc1416f7aa221a0fcce1c25c798c4afc7cd057

SHA512
90be9b5d158548ca92e20f42354cb4b097b99f5ddda7792e54fd65a9e6b27f242f275e6e76c3c9be90b31c5b96bdded60b840e3309e9ffa21b7b8d7a0ca753b5

Download Submit
C:\Windows\SysWOW64\Nomcen32.exe
Filesize
96KB

MD5
06e09029da55911ba1e99137dcb793e0

SHA1
83b93769b60cab47651a017419b5a30732cb095f

SHA256
ac7dd56c967c2010edc989b37f07439c7576a10593504ed3d7f097a607601a83

SHA512
c2a51de1f777b6cbd0298cd16eaaa61f9f8e21d040a60f06a71640f8b1125124873e571e351ace0438bc0e083f482af382ad9006a1871f663ac2caa92de5cf95

Download Submit
C:\Windows\SysWOW64\Noopjmnl.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\SysWOW64\Noopjmnl.exe
Filesize
96KB

MD5
b05546ca8d0d1903f4c5b6a56049a682

SHA1
1c57ff588bb5b035cbe37a7877aded68b8304280

SHA256
ba57f8e7a4a8629cd763c85a44d118cfe6b5fc858a25b62df8cfb308ad869fe0

SHA512
f150b0c4234c64885fea763d348bce091808ffb225ad7853fe703127fb5e9c1ebdbb2a0b552abf4a7382de43951f1bf67fcd48c632d850fe4a5fcc4dfbf7bc87

Download Submit
C:\Windows\SysWOW64\Nqlbgfhp.exe
Filesize
96KB

MD5
1a28d88a2458c2f48925c768c1ae5c6f

SHA1
f090c5e0a81211740d1e511baafc342767f2069f

SHA256
6f0d58339fb0e402daf2e7f59cb8bb38b363d739a99e22fecb9b58673423c916

SHA512
992e90e774242ddb38ef8d339b1f139287c0588ffe6b3eb3e84dfde5b277c8dde303fb2af2da1aa9077716dcc82a06e3346a85b2974318e4a4989fb76ef8e992

Download Submit
C:\Windows\SysWOW64\Obphlhkm.exe
Filesize
96KB

MD5
3aac9262333ca644d4668f657f2b131c

SHA1
6eabc8844fc84ef9bd0abc0f687ec7f68b403a2c

SHA256
79687728010214b5cd7fcc50585c0f6604101d023288992906915a610ef7d9bd

SHA512
95d566b2718633f1c3f12dd9c57439a66e3a0f2c9ddc908cd058202173afc60fbd9cb8e92c40a072a5b57e371a977099fec99416bf49b62a47bb81dabfc2de56

Download Submit
C:\Windows\SysWOW64\Oendhdjq.exe
Filesize
96KB

MD5
780ff2135a1f1037206cf371c67dfec3

SHA1
2d03d3fa7bbaa098d44f35cbd53f223767269d59

SHA256
4761dda0e9108d3dac30cdd1621dde6ca01a45aff3ac9d8eafcf9c029d48e124

SHA512
c6c4016d910b145538ada0fc647060d640757aa53a6e48ff581ddd5cf7307637de13dd43e68efe1977c19fb062b4491ec7c54e4f2eeba45c952973e9a075b3cb

Download Submit
C:\Windows\SysWOW64\Ogmado32.exe
Filesize
96KB

MD5
018662e207f207ed193c238b41dbbb69

SHA1
82d37acac109a46763da281748e0b254986caa49

SHA256
7fb10e419eca7844dc65b30a899afb7fa3ed05ce329a8621bebb4774a9539997

SHA512
ec76b7685b285b43ec3f73ab7554653efb05ac328c093b42859cf675c74626e6e7549e507d690bf257165e407d1146a914b7a3af59cb113676739e262b07a7d7

Download Submit
memory/612-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/612-137-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1188-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1188-139-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1932-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1932-147-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2128-123-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2128-121-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2604-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2604-132-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2708-151-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2708-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3016-142-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3016-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3168-129-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3168-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3180-130-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3180-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3360-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3360-143-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3504-145-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3504-26-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3524-125-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3524-105-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4292-126-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4292-113-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4540-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4540-150-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4540-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4604-69-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4956-134-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4956-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download