gozi | e2003163079e31aed7450619794d534d7a74e08115ca91f702f75d4d23ae21c3

Analysis

max time kernel
132s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
02-07-2024 04:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e2003163079e31aed7450619794d534d7a74e08115ca91f702f75d4d23ae21c3.exe
Size

163KB
MD5

a7b9b914007f623333c417480133c325
SHA1

d248a6ada8086dab59b918a52ed64fbcdbbd1193
SHA256

e2003163079e31aed7450619794d534d7a74e08115ca91f702f75d4d23ae21c3
SHA512

8bc494927d0f8abdaec9eb72dd9a40777d9053672aac7288775b8a9e385f7217759273d7899d691061e58635cae31e155d4a9a9d98774edb39c8c13126bc4c58
SSDEEP

3072:sOs7wBO4h0nF3rjBO5Mli0ltOrWKDBr+yJb:sbwNh+rjBJU0LOf

Score

10^/10

gozi banker isfb persistence trojan

Malware Config

Extracted

Family

gozi

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Mamleegg.exeNklfoi32.exeNcihikcg.exeNqmhbpba.exeJaljgidl.exeMcklgm32.exeMkbchk32.exeJagqlj32.exeLdkojb32.exeLkiqbl32.exeLgpagm32.exeMgnnhk32.exeKaqcbi32.exeKdopod32.exeKgfoan32.exeNnhfee32.exeLcgblncm.exeMkepnjng.exeMpmokb32.exeLmqgnhmp.exeLpcmec32.exeLknjmkdo.exeNkncdifl.exeKgphpo32.exeKphmie32.exeMdkhapfj.exeMcpebmkb.exeNafokcol.exee2003163079e31aed7450619794d534d7a74e08115ca91f702f75d4d23ae21c3.exeLkdggmlj.exeLnhmng32.exeMkgmcjld.exeNqfbaq32.exeNddkgonp.exeKbapjafe.exeKmjqmi32.exeKmlnbi32.exeJigollag.exeMnlfigcc.exeKdaldd32.exeKkbkamnl.exeLgkhlnbn.exeJpjqhgol.exeMjhqjg32.exeKmgdgjek.exeLcbiao32.exeMkpgck32.exeNbhkac32.exeKpmfddnf.exeLcpllo32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jaljgidl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jagqlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldkojb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kaqcbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgfoan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgfoan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jagqlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgphpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	e2003163079e31aed7450619794d534d7a74e08115ca91f702f75d4d23ae21c3.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbapjafe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmjqmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jigollag.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdaldd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkbkamnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpjqhgol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmgdgjek.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mamleegg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpmfddnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcpllo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcbiao32.exe

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi

Executes dropped EXE 64 IoCs

Processes:

Jagqlj32.exeJpjqhgol.exeJibeql32.exeJaimbj32.exeJbkjjblm.exeJjbako32.exeJaljgidl.exeJfhbppbc.exeJigollag.exeJpaghf32.exeJbocea32.exeJiikak32.exeKaqcbi32.exeKdopod32.exeKbapjafe.exeKmgdgjek.exeKdaldd32.exeKgphpo32.exeKmjqmi32.exeKphmie32.exeKknafn32.exeKmlnbi32.exeKpjjod32.exeKkpnlm32.exeKpmfddnf.exeKgfoan32.exeKkbkamnl.exeLmqgnhmp.exeLdkojb32.exeLkdggmlj.exeLmccchkn.exeLpappc32.exeLcpllo32.exeLgkhlnbn.exeLkgdml32.exeLnepih32.exeLpcmec32.exeLcbiao32.exeLgneampk.exeLkiqbl32.exeLnhmng32.exeLpfijcfl.exeLgpagm32.exeLjnnch32.exeLaefdf32.exeLcgblncm.exeLknjmkdo.exeMnlfigcc.exeMpkbebbf.exeMciobn32.exeMkpgck32.exeMnocof32.exeMpmokb32.exeMcklgm32.exeMkbchk32.exeMamleegg.exeMdkhapfj.exeMkepnjng.exeMjhqjg32.exeMaohkd32.exeMcpebmkb.exeMkgmcjld.exeMjjmog32.exeMpdelajl.exe

pid	process
2004	Jagqlj32.exe
4444	Jpjqhgol.exe
3196	Jibeql32.exe
1652	Jaimbj32.exe
4508	Jbkjjblm.exe
2008	Jjbako32.exe
3876	Jaljgidl.exe
3284	Jfhbppbc.exe
3200	Jigollag.exe
2876	Jpaghf32.exe
4908	Jbocea32.exe
4892	Jiikak32.exe
4876	Kaqcbi32.exe
4904	Kdopod32.exe
4912	Kbapjafe.exe
5060	Kmgdgjek.exe
3340	Kdaldd32.exe
4080	Kgphpo32.exe
2268	Kmjqmi32.exe
4920	Kphmie32.exe
4784	Kknafn32.exe
4420	Kmlnbi32.exe
1156	Kpjjod32.exe
3572	Kkpnlm32.exe
3320	Kpmfddnf.exe
4260	Kgfoan32.exe
4600	Kkbkamnl.exe
1428	Lmqgnhmp.exe
4748	Ldkojb32.exe
3192	Lkdggmlj.exe
1488	Lmccchkn.exe
1368	Lpappc32.exe
4648	Lcpllo32.exe
3652	Lgkhlnbn.exe
4460	Lkgdml32.exe
1556	Lnepih32.exe
1752	Lpcmec32.exe
900	Lcbiao32.exe
1528	Lgneampk.exe
1152	Lkiqbl32.exe
1716	Lnhmng32.exe
2640	Lpfijcfl.exe
1484	Lgpagm32.exe
4372	Ljnnch32.exe
8	Laefdf32.exe
2692	Lcgblncm.exe
1704	Lknjmkdo.exe
4436	Mnlfigcc.exe
4812	Mpkbebbf.exe
1508	Mciobn32.exe
760	Mkpgck32.exe
3224	Mnocof32.exe
2360	Mpmokb32.exe
4060	Mcklgm32.exe
3872	Mkbchk32.exe
3168	Mamleegg.exe
4476	Mdkhapfj.exe
2164	Mkepnjng.exe
4932	Mjhqjg32.exe
4440	Maohkd32.exe
2028	Mcpebmkb.exe
4832	Mkgmcjld.exe
1464	Mjjmog32.exe
1452	Mpdelajl.exe

Drops file in System32 directory 64 IoCs

Processes:

Kkpnlm32.exeKgfoan32.exeLpappc32.exeMcpebmkb.exeNddkgonp.exeKpmfddnf.exeNklfoi32.exeJagqlj32.exeKmgdgjek.exeLjnnch32.exeMpmokb32.exeKpjjod32.exeLmqgnhmp.exeMcklgm32.exeJpjqhgol.exeJaimbj32.exeJfhbppbc.exeKphmie32.exeLmccchkn.exeMnlfigcc.exeMnocof32.exeLnepih32.exeMjjmog32.exeNnhfee32.exeNkqpjidj.exeNnolfdcn.exeLpfijcfl.exeLcgblncm.exeNceonl32.exeLkgdml32.exeNqmhbpba.exeKaqcbi32.exeLgneampk.exeNcihikcg.exeJbkjjblm.exeLkdggmlj.exeKdaldd32.exeMkbchk32.exeKbapjafe.exeLkiqbl32.exeMkgmcjld.exeJpaghf32.exeKmjqmi32.exeLgkhlnbn.exeLknjmkdo.exeJjbako32.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Kpmfddnf.exe	Kkpnlm32.exe
File created	C:\Windows\SysWOW64\Gcdihi32.dll	Kgfoan32.exe
File opened for modification	C:\Windows\SysWOW64\Lcpllo32.exe	Lpappc32.exe
File opened for modification	C:\Windows\SysWOW64\Mkgmcjld.exe	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Jkeang32.dll	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Kgfoan32.exe	Kpmfddnf.exe
File opened for modification	C:\Windows\SysWOW64\Nafokcol.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Jpjqhgol.exe	Jagqlj32.exe
File created	C:\Windows\SysWOW64\Kdaldd32.exe	Kmgdgjek.exe
File created	C:\Windows\SysWOW64\Pipagf32.dll	Kpmfddnf.exe
File created	C:\Windows\SysWOW64\Laefdf32.exe	Ljnnch32.exe
File opened for modification	C:\Windows\SysWOW64\Mcklgm32.exe	Mpmokb32.exe
File opened for modification	C:\Windows\SysWOW64\Kkpnlm32.exe	Kpjjod32.exe
File created	C:\Windows\SysWOW64\Jifkeoll.dll	Lmqgnhmp.exe
File created	C:\Windows\SysWOW64\Mkbchk32.exe	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Bclhoo32.dll	Jpjqhgol.exe
File opened for modification	C:\Windows\SysWOW64\Jbkjjblm.exe	Jaimbj32.exe
File created	C:\Windows\SysWOW64\Jigollag.exe	Jfhbppbc.exe
File created	C:\Windows\SysWOW64\Kknafn32.exe	Kphmie32.exe
File opened for modification	C:\Windows\SysWOW64\Lpappc32.exe	Lmccchkn.exe
File opened for modification	C:\Windows\SysWOW64\Mpkbebbf.exe	Mnlfigcc.exe
File opened for modification	C:\Windows\SysWOW64\Mpmokb32.exe	Mnocof32.exe
File created	C:\Windows\SysWOW64\Lpcmec32.exe	Lnepih32.exe
File created	C:\Windows\SysWOW64\Mpdelajl.exe	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Nqfbaq32.exe	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Nnolfdcn.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Ldkojb32.exe	Lmqgnhmp.exe
File created	C:\Windows\SysWOW64\Npckna32.dll	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Nqmhbpba.exe	Nnolfdcn.exe
File opened for modification	C:\Windows\SysWOW64\Ldkojb32.exe	Lmqgnhmp.exe
File created	C:\Windows\SysWOW64\Bbgkjl32.dll	Lpfijcfl.exe
File opened for modification	C:\Windows\SysWOW64\Lknjmkdo.exe	Lcgblncm.exe
File opened for modification	C:\Windows\SysWOW64\Nklfoi32.exe	Nceonl32.exe
File opened for modification	C:\Windows\SysWOW64\Lnepih32.exe	Lkgdml32.exe
File created	C:\Windows\SysWOW64\Lgpagm32.exe	Lpfijcfl.exe
File opened for modification	C:\Windows\SysWOW64\Mpdelajl.exe	Mjjmog32.exe
File opened for modification	C:\Windows\SysWOW64\Nqmhbpba.exe	Nnolfdcn.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Eplmgmol.dll	Kaqcbi32.exe
File opened for modification	C:\Windows\SysWOW64\Lkiqbl32.exe	Lgneampk.exe
File created	C:\Windows\SysWOW64\Gqffnmfa.dll	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Ogpnaafp.dll	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Bghhihab.dll	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Nkqpjidj.exe	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Jjbako32.exe	Jbkjjblm.exe
File opened for modification	C:\Windows\SysWOW64\Jigollag.exe	Jfhbppbc.exe
File created	C:\Windows\SysWOW64\Lmccchkn.exe	Lkdggmlj.exe
File opened for modification	C:\Windows\SysWOW64\Lmccchkn.exe	Lkdggmlj.exe
File created	C:\Windows\SysWOW64\Nqjfoc32.dll	Kdaldd32.exe
File created	C:\Windows\SysWOW64\Jgengpmj.dll	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Jcoegc32.dll	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Jibeql32.exe	Jpjqhgol.exe
File created	C:\Windows\SysWOW64\Kmgdgjek.exe	Kbapjafe.exe
File opened for modification	C:\Windows\SysWOW64\Lnhmng32.exe	Lkiqbl32.exe
File opened for modification	C:\Windows\SysWOW64\Mkbchk32.exe	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Mamleegg.exe	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Mjjmog32.exe	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Jbocea32.exe	Jpaghf32.exe
File opened for modification	C:\Windows\SysWOW64\Kphmie32.exe	Kmjqmi32.exe
File created	C:\Windows\SysWOW64\Lkgdml32.exe	Lgkhlnbn.exe
File opened for modification	C:\Windows\SysWOW64\Lgpagm32.exe	Lpfijcfl.exe
File created	C:\Windows\SysWOW64\Mnlfigcc.exe	Lknjmkdo.exe
File opened for modification	C:\Windows\SysWOW64\Jaljgidl.exe	Jjbako32.exe
File created	C:\Windows\SysWOW64\Ihaoimoh.dll	Kphmie32.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1708 1144 WerFault.exe Nkcmohbg.exe

pid	pid_target	process	target process
1708	1144	WerFault.exe	Nkcmohbg.exe

Modifies registry class 64 IoCs

Processes:

Mpdelajl.exeNklfoi32.exeKpjjod32.exeJjbako32.exeMdkhapfj.exeNkncdifl.exeNcihikcg.exeKdopod32.exeKkpnlm32.exeKkbkamnl.exeLmqgnhmp.exeLaefdf32.exeLknjmkdo.exeNbhkac32.exeKmjqmi32.exeLmccchkn.exeLgkhlnbn.exeLjnnch32.exee2003163079e31aed7450619794d534d7a74e08115ca91f702f75d4d23ae21c3.exeMamleegg.exeJbocea32.exeLpcmec32.exeMnocof32.exeMkepnjng.exeNnolfdcn.exeJbkjjblm.exeJfhbppbc.exeMgnnhk32.exeNnhfee32.exeMnlfigcc.exeMcpebmkb.exeMpmokb32.exeLcpllo32.exeLkgdml32.exeNkqpjidj.exeLkdggmlj.exeLpfijcfl.exeMkgmcjld.exeNddkgonp.exeKphmie32.exeLkiqbl32.exeMcklgm32.exeMjhqjg32.exeLgpagm32.exeLcbiao32.exeJiikak32.exeKaqcbi32.exeLpappc32.exeLcgblncm.exeNnmopdep.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jjbako32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcldhk32.dll"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogpnaafp.dll"	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdopod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkpnlm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcoegc32.dll"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmjqmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogndib32.dll"	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebaqkk32.dll"	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	e2003163079e31aed7450619794d534d7a74e08115ca91f702f75d4d23ae21c3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jifkeoll.dll"	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njcqqgjb.dll"	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkckjila.dll"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jbocea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnocof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbkjjblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggpfjejo.dll"	Jfhbppbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlmobp32.dll"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npckna32.dll"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdigkkd.dll"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nngcpm32.dll"	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cknpkhch.dll"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmafhe32.dll"	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbgkjl32.dll"	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkeang32.dll"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lidmdfdo.dll"	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqffnmfa.dll"	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbcfgejn.dll"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfhbppbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkbkamnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jiikak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kaqcbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipkobd32.dll"	Nnmopdep.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

e2003163079e31aed7450619794d534d7a74e08115ca91f702f75d4d23ae21c3.exeJagqlj32.exeJpjqhgol.exeJibeql32.exeJaimbj32.exeJbkjjblm.exeJjbako32.exeJaljgidl.exeJfhbppbc.exeJigollag.exeJpaghf32.exeJbocea32.exeJiikak32.exeKaqcbi32.exeKdopod32.exeKbapjafe.exeKmgdgjek.exeKdaldd32.exeKgphpo32.exeKmjqmi32.exeKphmie32.exeKknafn32.exe

description	pid	process	target process
PID 1296 wrote to memory of 2004	1296	e2003163079e31aed7450619794d534d7a74e08115ca91f702f75d4d23ae21c3.exe	Jagqlj32.exe
PID 1296 wrote to memory of 2004	1296	e2003163079e31aed7450619794d534d7a74e08115ca91f702f75d4d23ae21c3.exe	Jagqlj32.exe
PID 1296 wrote to memory of 2004	1296	e2003163079e31aed7450619794d534d7a74e08115ca91f702f75d4d23ae21c3.exe	Jagqlj32.exe
PID 2004 wrote to memory of 4444	2004	Jagqlj32.exe	Jpjqhgol.exe
PID 2004 wrote to memory of 4444	2004	Jagqlj32.exe	Jpjqhgol.exe
PID 2004 wrote to memory of 4444	2004	Jagqlj32.exe	Jpjqhgol.exe
PID 4444 wrote to memory of 3196	4444	Jpjqhgol.exe	Jibeql32.exe
PID 4444 wrote to memory of 3196	4444	Jpjqhgol.exe	Jibeql32.exe
PID 4444 wrote to memory of 3196	4444	Jpjqhgol.exe	Jibeql32.exe
PID 3196 wrote to memory of 1652	3196	Jibeql32.exe	Jaimbj32.exe
PID 3196 wrote to memory of 1652	3196	Jibeql32.exe	Jaimbj32.exe
PID 3196 wrote to memory of 1652	3196	Jibeql32.exe	Jaimbj32.exe
PID 1652 wrote to memory of 4508	1652	Jaimbj32.exe	Jbkjjblm.exe
PID 1652 wrote to memory of 4508	1652	Jaimbj32.exe	Jbkjjblm.exe
PID 1652 wrote to memory of 4508	1652	Jaimbj32.exe	Jbkjjblm.exe
PID 4508 wrote to memory of 2008	4508	Jbkjjblm.exe	Jjbako32.exe
PID 4508 wrote to memory of 2008	4508	Jbkjjblm.exe	Jjbako32.exe
PID 4508 wrote to memory of 2008	4508	Jbkjjblm.exe	Jjbako32.exe
PID 2008 wrote to memory of 3876	2008	Jjbako32.exe	Jaljgidl.exe
PID 2008 wrote to memory of 3876	2008	Jjbako32.exe	Jaljgidl.exe
PID 2008 wrote to memory of 3876	2008	Jjbako32.exe	Jaljgidl.exe
PID 3876 wrote to memory of 3284	3876	Jaljgidl.exe	Jfhbppbc.exe
PID 3876 wrote to memory of 3284	3876	Jaljgidl.exe	Jfhbppbc.exe
PID 3876 wrote to memory of 3284	3876	Jaljgidl.exe	Jfhbppbc.exe
PID 3284 wrote to memory of 3200	3284	Jfhbppbc.exe	Jigollag.exe
PID 3284 wrote to memory of 3200	3284	Jfhbppbc.exe	Jigollag.exe
PID 3284 wrote to memory of 3200	3284	Jfhbppbc.exe	Jigollag.exe
PID 3200 wrote to memory of 2876	3200	Jigollag.exe	Jpaghf32.exe
PID 3200 wrote to memory of 2876	3200	Jigollag.exe	Jpaghf32.exe
PID 3200 wrote to memory of 2876	3200	Jigollag.exe	Jpaghf32.exe
PID 2876 wrote to memory of 4908	2876	Jpaghf32.exe	Jbocea32.exe
PID 2876 wrote to memory of 4908	2876	Jpaghf32.exe	Jbocea32.exe
PID 2876 wrote to memory of 4908	2876	Jpaghf32.exe	Jbocea32.exe
PID 4908 wrote to memory of 4892	4908	Jbocea32.exe	Jiikak32.exe
PID 4908 wrote to memory of 4892	4908	Jbocea32.exe	Jiikak32.exe
PID 4908 wrote to memory of 4892	4908	Jbocea32.exe	Jiikak32.exe
PID 4892 wrote to memory of 4876	4892	Jiikak32.exe	Kaqcbi32.exe
PID 4892 wrote to memory of 4876	4892	Jiikak32.exe	Kaqcbi32.exe
PID 4892 wrote to memory of 4876	4892	Jiikak32.exe	Kaqcbi32.exe
PID 4876 wrote to memory of 4904	4876	Kaqcbi32.exe	Kdopod32.exe
PID 4876 wrote to memory of 4904	4876	Kaqcbi32.exe	Kdopod32.exe
PID 4876 wrote to memory of 4904	4876	Kaqcbi32.exe	Kdopod32.exe
PID 4904 wrote to memory of 4912	4904	Kdopod32.exe	Kbapjafe.exe
PID 4904 wrote to memory of 4912	4904	Kdopod32.exe	Kbapjafe.exe
PID 4904 wrote to memory of 4912	4904	Kdopod32.exe	Kbapjafe.exe
PID 4912 wrote to memory of 5060	4912	Kbapjafe.exe	Kmgdgjek.exe
PID 4912 wrote to memory of 5060	4912	Kbapjafe.exe	Kmgdgjek.exe
PID 4912 wrote to memory of 5060	4912	Kbapjafe.exe	Kmgdgjek.exe
PID 5060 wrote to memory of 3340	5060	Kmgdgjek.exe	Kdaldd32.exe
PID 5060 wrote to memory of 3340	5060	Kmgdgjek.exe	Kdaldd32.exe
PID 5060 wrote to memory of 3340	5060	Kmgdgjek.exe	Kdaldd32.exe
PID 3340 wrote to memory of 4080	3340	Kdaldd32.exe	Kgphpo32.exe
PID 3340 wrote to memory of 4080	3340	Kdaldd32.exe	Kgphpo32.exe
PID 3340 wrote to memory of 4080	3340	Kdaldd32.exe	Kgphpo32.exe
PID 4080 wrote to memory of 2268	4080	Kgphpo32.exe	Kmjqmi32.exe
PID 4080 wrote to memory of 2268	4080	Kgphpo32.exe	Kmjqmi32.exe
PID 4080 wrote to memory of 2268	4080	Kgphpo32.exe	Kmjqmi32.exe
PID 2268 wrote to memory of 4920	2268	Kmjqmi32.exe	Kphmie32.exe
PID 2268 wrote to memory of 4920	2268	Kmjqmi32.exe	Kphmie32.exe
PID 2268 wrote to memory of 4920	2268	Kmjqmi32.exe	Kphmie32.exe
PID 4920 wrote to memory of 4784	4920	Kphmie32.exe	Kknafn32.exe
PID 4920 wrote to memory of 4784	4920	Kphmie32.exe	Kknafn32.exe
PID 4920 wrote to memory of 4784	4920	Kphmie32.exe	Kknafn32.exe
PID 4784 wrote to memory of 4420	4784	Kknafn32.exe	Kmlnbi32.exe

C:\Users\Admin\AppData\Local\Temp\e2003163079e31aed7450619794d534d7a74e08115ca91f702f75d4d23ae21c3.exe
"C:\Users\Admin\AppData\Local\Temp\e2003163079e31aed7450619794d534d7a74e08115ca91f702f75d4d23ae21c3.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1296

C:\Windows\SysWOW64\Jagqlj32.exe
C:\Windows\system32\Jagqlj32.exe
2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2004

C:\Windows\SysWOW64\Jpjqhgol.exe
C:\Windows\system32\Jpjqhgol.exe
3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4444

C:\Windows\SysWOW64\Jibeql32.exe
C:\Windows\system32\Jibeql32.exe
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3196

C:\Windows\SysWOW64\Jaimbj32.exe
C:\Windows\system32\Jaimbj32.exe
5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1652

C:\Windows\SysWOW64\Jbkjjblm.exe
C:\Windows\system32\Jbkjjblm.exe
6⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4508

C:\Windows\SysWOW64\Jjbako32.exe
C:\Windows\system32\Jjbako32.exe
7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2008

C:\Windows\SysWOW64\Jaljgidl.exe
C:\Windows\system32\Jaljgidl.exe
8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3876

C:\Windows\SysWOW64\Jfhbppbc.exe
C:\Windows\system32\Jfhbppbc.exe
9⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3284

C:\Windows\SysWOW64\Jigollag.exe
C:\Windows\system32\Jigollag.exe
10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3200

C:\Windows\SysWOW64\Jpaghf32.exe
C:\Windows\system32\Jpaghf32.exe
11⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2876

C:\Windows\SysWOW64\Jbocea32.exe
C:\Windows\system32\Jbocea32.exe
12⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4908

C:\Windows\SysWOW64\Jiikak32.exe
C:\Windows\system32\Jiikak32.exe
13⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4892

C:\Windows\SysWOW64\Kaqcbi32.exe
C:\Windows\system32\Kaqcbi32.exe
14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4876

C:\Windows\SysWOW64\Kdopod32.exe
C:\Windows\system32\Kdopod32.exe
15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4904

C:\Windows\SysWOW64\Kbapjafe.exe
C:\Windows\system32\Kbapjafe.exe
16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4912

C:\Windows\SysWOW64\Kmgdgjek.exe
C:\Windows\system32\Kmgdgjek.exe
17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5060

C:\Windows\SysWOW64\Kdaldd32.exe
C:\Windows\system32\Kdaldd32.exe
18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3340

C:\Windows\SysWOW64\Kgphpo32.exe
C:\Windows\system32\Kgphpo32.exe
19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4080

C:\Windows\SysWOW64\Kmjqmi32.exe
C:\Windows\system32\Kmjqmi32.exe
20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2268

C:\Windows\SysWOW64\Kphmie32.exe
C:\Windows\system32\Kphmie32.exe
21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4920

C:\Windows\SysWOW64\Kknafn32.exe
C:\Windows\system32\Kknafn32.exe
22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4784

C:\Windows\SysWOW64\Kmlnbi32.exe
C:\Windows\system32\Kmlnbi32.exe
23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4420

C:\Windows\SysWOW64\Kpjjod32.exe
C:\Windows\system32\Kpjjod32.exe
24⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1156

C:\Windows\SysWOW64\Kkpnlm32.exe
C:\Windows\system32\Kkpnlm32.exe
25⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3572

C:\Windows\SysWOW64\Kpmfddnf.exe
C:\Windows\system32\Kpmfddnf.exe
26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3320

C:\Windows\SysWOW64\Kgfoan32.exe
C:\Windows\system32\Kgfoan32.exe
27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4260

C:\Windows\SysWOW64\Kkbkamnl.exe
C:\Windows\system32\Kkbkamnl.exe
28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4600

C:\Windows\SysWOW64\Lmqgnhmp.exe
C:\Windows\system32\Lmqgnhmp.exe
29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1428

C:\Windows\SysWOW64\Ldkojb32.exe
C:\Windows\system32\Ldkojb32.exe
30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4748

C:\Windows\SysWOW64\Lkdggmlj.exe
C:\Windows\system32\Lkdggmlj.exe
31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3192

C:\Windows\SysWOW64\Lmccchkn.exe
C:\Windows\system32\Lmccchkn.exe
32⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1488

C:\Windows\SysWOW64\Lpappc32.exe
C:\Windows\system32\Lpappc32.exe
33⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1368

C:\Windows\SysWOW64\Lcpllo32.exe
C:\Windows\system32\Lcpllo32.exe
34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4648

C:\Windows\SysWOW64\Lgkhlnbn.exe
C:\Windows\system32\Lgkhlnbn.exe
35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3652

C:\Windows\SysWOW64\Lkgdml32.exe
C:\Windows\system32\Lkgdml32.exe
36⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4460

C:\Windows\SysWOW64\Lnepih32.exe
C:\Windows\system32\Lnepih32.exe
37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1556

C:\Windows\SysWOW64\Lpcmec32.exe
C:\Windows\system32\Lpcmec32.exe
38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1752

C:\Windows\SysWOW64\Lcbiao32.exe
C:\Windows\system32\Lcbiao32.exe
39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:900

C:\Windows\SysWOW64\Lgneampk.exe
C:\Windows\system32\Lgneampk.exe
40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1528

C:\Windows\SysWOW64\Lkiqbl32.exe
C:\Windows\system32\Lkiqbl32.exe
41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1152

C:\Windows\SysWOW64\Lnhmng32.exe
C:\Windows\system32\Lnhmng32.exe
42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1716

C:\Windows\SysWOW64\Lpfijcfl.exe
C:\Windows\system32\Lpfijcfl.exe
43⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2640

C:\Windows\SysWOW64\Lgpagm32.exe
C:\Windows\system32\Lgpagm32.exe
44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1484

C:\Windows\SysWOW64\Ljnnch32.exe
C:\Windows\system32\Ljnnch32.exe
45⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4372

C:\Windows\SysWOW64\Laefdf32.exe
C:\Windows\system32\Laefdf32.exe
46⤵
- Executes dropped EXE
- Modifies registry class
PID:8

C:\Windows\SysWOW64\Lcgblncm.exe
C:\Windows\system32\Lcgblncm.exe
47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2692

C:\Windows\SysWOW64\Lknjmkdo.exe
C:\Windows\system32\Lknjmkdo.exe
48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1704

C:\Windows\SysWOW64\Mnlfigcc.exe
C:\Windows\system32\Mnlfigcc.exe
49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4436

C:\Windows\SysWOW64\Mpkbebbf.exe
C:\Windows\system32\Mpkbebbf.exe
50⤵
- Executes dropped EXE
PID:4812

C:\Windows\SysWOW64\Mciobn32.exe
C:\Windows\system32\Mciobn32.exe
51⤵
- Executes dropped EXE
PID:1508

C:\Windows\SysWOW64\Mkpgck32.exe
C:\Windows\system32\Mkpgck32.exe
52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:760

C:\Windows\SysWOW64\Mnocof32.exe
C:\Windows\system32\Mnocof32.exe
53⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3224

C:\Windows\SysWOW64\Mpmokb32.exe
C:\Windows\system32\Mpmokb32.exe
54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2360

C:\Windows\SysWOW64\Mcklgm32.exe
C:\Windows\system32\Mcklgm32.exe
55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4060

C:\Windows\SysWOW64\Mkbchk32.exe
C:\Windows\system32\Mkbchk32.exe
56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3872

C:\Windows\SysWOW64\Mamleegg.exe
C:\Windows\system32\Mamleegg.exe
57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3168

C:\Windows\SysWOW64\Mdkhapfj.exe
C:\Windows\system32\Mdkhapfj.exe
58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4476

C:\Windows\SysWOW64\Mkepnjng.exe
C:\Windows\system32\Mkepnjng.exe
59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2164

C:\Windows\SysWOW64\Mjhqjg32.exe
C:\Windows\system32\Mjhqjg32.exe
60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4932

C:\Windows\SysWOW64\Maohkd32.exe
C:\Windows\system32\Maohkd32.exe
61⤵
- Executes dropped EXE
PID:4440

C:\Windows\SysWOW64\Mcpebmkb.exe
C:\Windows\system32\Mcpebmkb.exe
62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2028

C:\Windows\SysWOW64\Mkgmcjld.exe
C:\Windows\system32\Mkgmcjld.exe
63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4832

C:\Windows\SysWOW64\Mjjmog32.exe
C:\Windows\system32\Mjjmog32.exe
64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1464

C:\Windows\SysWOW64\Mpdelajl.exe
C:\Windows\system32\Mpdelajl.exe
65⤵
- Executes dropped EXE
- Modifies registry class
PID:1452

C:\Windows\SysWOW64\Mdpalp32.exe
C:\Windows\system32\Mdpalp32.exe
66⤵
PID:4692

C:\Windows\SysWOW64\Mgnnhk32.exe
C:\Windows\system32\Mgnnhk32.exe
67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:4308

C:\Windows\SysWOW64\Nnhfee32.exe
C:\Windows\system32\Nnhfee32.exe
68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:4764

C:\Windows\SysWOW64\Nqfbaq32.exe
C:\Windows\system32\Nqfbaq32.exe
69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2656

C:\Windows\SysWOW64\Nceonl32.exe
C:\Windows\system32\Nceonl32.exe
70⤵
- Drops file in System32 directory
PID:2948

C:\Windows\SysWOW64\Nklfoi32.exe
C:\Windows\system32\Nklfoi32.exe
71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2056

C:\Windows\SysWOW64\Nafokcol.exe
C:\Windows\system32\Nafokcol.exe
72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:228

C:\Windows\SysWOW64\Nddkgonp.exe
C:\Windows\system32\Nddkgonp.exe
73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:772

C:\Windows\SysWOW64\Nkncdifl.exe
C:\Windows\system32\Nkncdifl.exe
74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2176

C:\Windows\SysWOW64\Nnmopdep.exe
C:\Windows\system32\Nnmopdep.exe
75⤵
- Modifies registry class
PID:1224

C:\Windows\SysWOW64\Nbhkac32.exe
C:\Windows\system32\Nbhkac32.exe
76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2380

C:\Windows\SysWOW64\Ncihikcg.exe
C:\Windows\system32\Ncihikcg.exe
77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:4596

C:\Windows\SysWOW64\Nkqpjidj.exe
C:\Windows\system32\Nkqpjidj.exe
78⤵
- Drops file in System32 directory
- Modifies registry class
PID:5100

C:\Windows\SysWOW64\Nnolfdcn.exe
C:\Windows\system32\Nnolfdcn.exe
79⤵
- Drops file in System32 directory
- Modifies registry class
PID:2468

C:\Windows\SysWOW64\Nqmhbpba.exe
C:\Windows\system32\Nqmhbpba.exe
80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2452

C:\Windows\SysWOW64\Nkcmohbg.exe
C:\Windows\system32\Nkcmohbg.exe
81⤵
PID:1144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1144 -s 408
82⤵
- Program crash
PID:1708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1144 -ip 1144
1⤵
PID:2580

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Jagqlj32.exe
Filesize
163KB

MD5
8f533ef002b1c9472b7117c14136c08a

SHA1
0971c289caed24dd4566814220f7ed6ea2b95f5b

SHA256
e817d9baf789d4e685aa75bf6399a7e047e0a992b7a30efdbaae0595f5c398f6

SHA512
6ca9b19928c9ad0b4abb6bdecc08c7d667a3badaa48d133d1b0b10a516a084d4ecb17d2ea5f30fcdb75df68c75832001b49034e7dd5a6af48c2739de2045a6e3

Download Submit
C:\Windows\SysWOW64\Jaimbj32.exe
Filesize
163KB

MD5
86991538872011a4012f041a287c1d06

SHA1
526fe1dc917deca92538de96058e19b0d90e9865

SHA256
21edb3ee3dffbd9b23ba114bba04e362b5b4d399af0b1c4a6716c9cc7d7d2657

SHA512
af4ac20281b81a6c8b8b6ade6211cf0905fc5b2320345eec83a39bf73076a2bc237a634fe8600b8122b88358e91d6e867573fc7a45a0c0f45d005475be7aa3bc

Download Submit
C:\Windows\SysWOW64\Jaljgidl.exe
Filesize
163KB

MD5
f8adeba05f42ac8dd94e16233b170960

SHA1
d517fe87a9d2de335160ee9888950a7bbee0431a

SHA256
cce866d323d5da2ece41cc20665d95155b4ed22d40972d73b7e8620fdf05d663

SHA512
f4124cb4e72b0c46e41d0601b068f1fc01922fbe3777dccd789be59ba640a08bc7a54b0ec332c1220ef1a69065fc119890f62faaf9d3a9e59ea63e71a7da9cf2

Download Submit
C:\Windows\SysWOW64\Jbkjjblm.exe
Filesize
163KB

MD5
048f48cd77b68702b0c9c0aac979d735

SHA1
9c4261a3796cc0c7c87397f30896d7a76990385f

SHA256
5ead12ee94e17ddd433b6b270fe5ca952c439fbef8d18eb28666e6b0c79c9c6a

SHA512
eaced5df2c687219593b6b096d0fdac0c866b3c9102915eda5fb44a871bffc66d857d0aa6b899b81d831932e23ee1c8b2a67b1930cf170397ba2e6c8e227bbff

Download Submit
C:\Windows\SysWOW64\Jbocea32.exe
Filesize
163KB

MD5
c01d65b061746187d47ad146d67ff872

SHA1
edcf656f72fb06848f3ea3193e90dddb4799909f

SHA256
26444f8dec44d4c56fe304fd6f1dbae29e9129fa0885b0c735acbf49c6ba5c90

SHA512
7fb6b77b96f8b40ca3234861a6c59210c500d3a1d9608f297a67fea6d3151d0eb831414990f59446b68af006c5216f4537beb4de5897cdb22cfdef7017d642af

Download Submit
C:\Windows\SysWOW64\Jfhbppbc.exe
Filesize
163KB

MD5
8f14915806ebc7d32a16194ce92ca8f3

SHA1
2e34afdca03e14bd9a84a78565738d0e73218e1e

SHA256
7488cd25fae7f859f92e119ab5f09c1b4b5e863dfa4c33a0cc1803055c574c73

SHA512
f8fbd6ac847b046dbda9d6dcb69552f80db97900c310e5afc6bd22a329b22f78424bb7bf91e1920463099984be755a14f5e97dfa791f7bbb349d30bde924c6d9

Download Submit
C:\Windows\SysWOW64\Jibeql32.exe
Filesize
163KB

MD5
f69a4e72ce1e2c936350527890afce52

SHA1
aa6ad76b3bdb28f5d016e0d6ba09268de5fc4274

SHA256
dd8eef33ee1edf9e79604ac40f1e837a7b8157ee72b9c7baa7d07193cb67d1e0

SHA512
24a453523e3c69b72841df60c64c1ed307ddeddb282d555a1cda2b373a7575e47c0ff029ed385054f21ac6d86572ef566945d2580b3a12b5a41e29a6b7e2ed78

Download Submit
C:\Windows\SysWOW64\Jigollag.exe
Filesize
163KB

MD5
38213323f5e97536c5e2bd5a2d7ec041

SHA1
5f6e2c71dec8699811de64747727d3b80559fd99

SHA256
c9c9d06ecf02ea735534db1efffeccd57d32b689c2506ece66fcdbf1d8391b89

SHA512
8b5f41cae3eaa6061320a524af2ef42ff2aeedcf6ff28de83be0cc2ae551553e22c68d8a6d12dea33cbea5e7c9ae4eabb1ef3711475851f71f0bd817c6daa444

Download Submit
C:\Windows\SysWOW64\Jiikak32.exe
Filesize
163KB

MD5
409120e25779ebe2654b4de2ab25334c

SHA1
c35519d3bcbb7c131d14254d7afe08263b6012c0

SHA256
6a1e971b975256ca85babe44ae3ee2ccdadb54a01cea74e0b547fd3b27653492

SHA512
82901a1c010e3e109fc46e83d000ee4a2d4ac60002959deb8a6f594bd95a5b514bf54193afd138d57b8db0defdab873c7eaad50c62b63e5d2d8dc34a708bded0

Download Submit
C:\Windows\SysWOW64\Jjbako32.exe
Filesize
163KB

MD5
cd3aac07f349a6013a33e0aae656f537

SHA1
f950cd4662b47bcfdb805d01a6b8eb90e3a76956

SHA256
b11ae88b8c88b70de6c762cdd8c9f3a55cabccdd48cecc95ac3821caea79fcd3

SHA512
9b9ffe9f8cf566a73514cabd9598ca367394d39bb1e59df5c0cd8304901a7e192b7ba0701dac98e61cf3e2e117e54022686920c5789263572682671df179b647

Download Submit
C:\Windows\SysWOW64\Jpaghf32.exe
Filesize
163KB

MD5
b899c49a7a1023feda25b8a4ca44d4ab

SHA1
692931941e67b9264f3840d6c26d05f63cae8ab7

SHA256
75a1ba9f84d254587e6e28addd0a87a4e802752da03a75c976dd80a8a325663c

SHA512
995d1904d610c5193216de80e36ad12b6c28ea4ae927db57568657b18336918cdb3b6fed215d9ba3cc552ebeff995267b278e207a0cd2cdfed40e80a6440d163

Download Submit
C:\Windows\SysWOW64\Jpjqhgol.exe
Filesize
163KB

MD5
7e70b01b66defc3a65367b701148bc67

SHA1
35d2cf883f1984e994d2d973ca03d2f5e0f4e6e6

SHA256
b9a52b49786a9e8219c5e893def8cb4bdc916b706a37600b6b548beb46c4a070

SHA512
269b61b2d4105a563873c311715601b545f562ae618dd2a7113cb6b38a12f8bf48f381b89ddd1a3651c4b2d9356052bd15a655c3e9d0970b2270bcc560c7ddc5

Download Submit
C:\Windows\SysWOW64\Kaqcbi32.exe
Filesize
163KB

MD5
1e3dcd47e190fd742dfc4c7b4a005b4d

SHA1
5c1caaba6175b59ab6dbbc9aece5d7595dff82fa

SHA256
c7a37fb37c2a018ad54367ac50a027bf69cccb15e2fa1207fcc5c4a22e8e9324

SHA512
93e21250f06568e98c4948fa59979d0240b8a9f2846d4484ab086405a8d19d62e285a54879dbaf109c7bdab704cea9eb0bf03b8ff3890a787dacc4118aa848c2

Download Submit
C:\Windows\SysWOW64\Kbapjafe.exe
Filesize
163KB

MD5
1b0076b5ea8443f14f352e4f6c1babf4

SHA1
a584af4863a529c40acb9ea668269e83b41047df

SHA256
3dcb05b5a7d055858b470ae8855f192b11cfde5725bdde42a9e92739bc6108b9

SHA512
a8a75f385984657cdbd5f9425157125605dafbcd6a1c77a8f18f997c4e8ff2c66d8195665bd795fc9821d53d6f794472c5d620871f14d3ef85cabe4efc29e3e8

Download Submit
C:\Windows\SysWOW64\Kdaldd32.exe
Filesize
163KB

MD5
02ccfd6d389e534391bbb27a772522e3

SHA1
1f6171513217f62761e49ef1036f8d0edf7dbc06

SHA256
27744eee0179f3085430f1a3c21638aa044b645f10befb95dcdd293162b0a0f8

SHA512
7d1cec4352bc284018589c40026047d110101f05bedfe5823e34bfde97bbf6249a95603227e83dd2e2acaf998dd7b1c13a5fd1f5eb310b0f8f39e332c9921e7f

Download Submit
C:\Windows\SysWOW64\Kdopod32.exe
Filesize
163KB

MD5
1554a6782149e5ccdb44638720927667

SHA1
ceeb9b3d1d99204614c6ecf97fdfe876f8c7fc41

SHA256
59cde52e481b86dfe95106082c19cdc9a0a7ba42d5ec76881e22cb8559faa0ad

SHA512
ec37a3ebcfe51f9623547dabad650ef121438a28227ed6bf5d75226d819fce8aaf3fd1592bdd16f853889d74a6e53e82f56f0d6dcb45b334c73335800eec2ed1

Download Submit
C:\Windows\SysWOW64\Kgfoan32.exe
Filesize
163KB

MD5
2a73db17f07f7710739f47d0a90def5d

SHA1
56677359b8e39973b69f1b1057f54726a59a35b1

SHA256
c63cbc6ac1a999af77415d5c5aa1a0c96391d54087b08760cc74500553ea7090

SHA512
b39d65b581c7d88370ce75cbd9bb05b4514f8dd096cdf4c6baab256583cb64637e37e2668fcdfdc800a04d5a5245a5771c4838d6e1e33a31a38a6b8709876057

Download Submit
C:\Windows\SysWOW64\Kgphpo32.exe
Filesize
163KB

MD5
c2daf4267fe8202cf9df5bc176b907c2

SHA1
c467e7441c366458cc380995ecb9e8a6c57c2e0f

SHA256
6cf43a9f966e06913dec7aa373bd1a11278062b22f13976b5d96a90ada2305ba

SHA512
2aaa56a3f797ea4b0b2d5ce85194ab7048b777feb79e3c19f1d92ac55cae919cc9cd9f1adfe25d9d8373888b99c55805f1ce823018bbec108d1a97dd48ee2e51

Download Submit
C:\Windows\SysWOW64\Kkbkamnl.exe
Filesize
163KB

MD5
3f557b9dc181654820d153ec2613f2dc

SHA1
c50a22f315764a51ecbf530ce0ff5a43db4d7b60

SHA256
b3c6778396fc7aa813dcd347eac0106f982289a6ce48f4f6a3206ebe1ceca89b

SHA512
7fa9ed18139f100c9e003bd09995d3f4f1a39df7de72ef98164ec926df52c8625ffaaf3de3614a7eb4d88c0029c7be439454520f51b1305b44c39896b7aeaeda

Download Submit
C:\Windows\SysWOW64\Kknafn32.exe
Filesize
163KB

MD5
c662ad771c4fa16ed7970476209cf0f0

SHA1
bf736ea35e8fc525c889313c71958e2c56a1304f

SHA256
ba309296a5809fab93566beb5c55fa2945c82188f38ee6bec986a4cd44bfc65d

SHA512
7418fc25069ebe0ff4c6d207bc483f2d22c49ae7a3286ffc416bbfcc3acd9918e48b24a2012672d7452943969e7ed5a7592f9cd2b4f5943d400d310fe4c74477

Download Submit
C:\Windows\SysWOW64\Kkpnlm32.exe
Filesize
163KB

MD5
ab924f00831e57dcb9b5218f4f04669c

SHA1
cbf08c74a8f32e08cfc2887e7f27991f655ab54e

SHA256
ff0088993280c857e01fcab87c44c84126ef1b649ee4e0cb62258a22b6c541c2

SHA512
f6d86b1b1d29e3af2f11e8306aeddade1f36274f5cfce22157aecf474ee7a6ac952811460a537daa45702ddd4cead64994a2f22176ae052dd1aa1444399d530b

Download Submit
C:\Windows\SysWOW64\Kmgdgjek.exe
Filesize
163KB

MD5
e9b860032422ee9e8a735f82ec1b9a6b

SHA1
65e7d92f87dc73f9a094882e6dc6f9a7998b7f11

SHA256
472c39683340ed0d385db5a855c42be7071393c760f96f4813888bda43914546

SHA512
0a76a5020c38e3b05f6e6da21b27254d8b682a38871be91a8db59d773364dba39507e90581146a48ba5aa282ed405e553c2df58d6c14fba445744fecb9baf4c4

Download Submit
C:\Windows\SysWOW64\Kmjqmi32.exe
Filesize
163KB

MD5
69d98e826782f4156af1c92626f56db9

SHA1
c79c920a4bcffec9d09adcd96dcae6db687d3c1b

SHA256
086d64f6d4a1ec0e59d27df3de70b16dab683e57f4edfaa0a325cd9d5331e6ff

SHA512
2c0965050d7bc559b4854aa34dbe575a8c4c8f950ad7beaa88d26a952e2c485d10fc17debc9b33d77bd2aa219b461982a90867e79b307f4847bfbc996ab47707

Download Submit
C:\Windows\SysWOW64\Kmlnbi32.exe
Filesize
163KB

MD5
d24fae6b2ab3dbf28862e15454b1610d

SHA1
504b717b632f70944ea9e13698ed4bc01fda77c6

SHA256
a7339fc43b6958e388ab7ce8a3248eca4c4b76d2a4b583402a816463bbe618b7

SHA512
5e3358a52e3c139c81e9c960d23d61942b4f7f659fedeffd8c288f7446d0194b336fd2120e413a06d1f5106aef43a4882718aa2d0288d69a25261a8ee013141b

Download Submit
C:\Windows\SysWOW64\Kphmie32.exe
Filesize
163KB

MD5
ec735e33266f1e6c2ec6562337008e2e

SHA1
686c7b46b6a739c7630d7ebef38dc22b2f2a0d17

SHA256
6a4f8c2978d1aac3f1bde6c1aca43dd410510668fa89c4aed486c5c98dcce24e

SHA512
35a0b0145a4932edcfab2f60335d777efce42e772b1b12201fe8b77f1082fdfa7c0f141e7bf546946664903859d70e71c5112dbb2c3497dc893ea1c7acec1854

Download Submit
C:\Windows\SysWOW64\Kpjjod32.exe
Filesize
163KB

MD5
e9d6e9e42093e79ddb4311b08b303cb5

SHA1
97cea7a03fda533cc70bd7610c6a1f5fe5c62e56

SHA256
52839c8b21f0809db4e01eeced4540c0cc2f3bbc5423c29d6e8b474d52a6a312

SHA512
737052dc3bddd16bfb3f00211f3862d47712edbf1cfb047e577f524817eb0e2757ef86b5939837156a8a933c66cc4cf2e80e4681183c74184874378600a832f4

Download Submit
C:\Windows\SysWOW64\Kpmfddnf.exe
Filesize
163KB

MD5
f551e96d7207100cefccfdf4f85bf07d

SHA1
7bfdb784f2a45a1ac5dfde0674c26f6655b49993

SHA256
a9cb8317ac60e7614d85dd64c477a1168e7de107aa1f239b5def885b49539b76

SHA512
8e088171054698e344f0285678e51f669fd9413ee641e534869dc4c0a3d1bbad087d6bedd0d1fa841c4a7eae664912381b7bf8c26e880f9d4c96759111a640c2

Download Submit
C:\Windows\SysWOW64\Lcgblncm.exe
Filesize
163KB

MD5
410850ee50e64ea05a81a37fbb35c4a7

SHA1
20b2ef836d098a8af8eeb4aa2baf464fb169a3b7

SHA256
94ab329e7e633b82404f058fd637def2bf1303ca56324746dd51bc4f43cf825f

SHA512
a11b4bc24df7eb90c09460d34952a0bc10988bd14a0338afb082fa3052e7bc1a51c2a859e09cb5b3ef7ff1f830a0e0035cfa37a88a609e79f62abe4a5aa2a247

Download Submit
C:\Windows\SysWOW64\Ldkojb32.exe
Filesize
163KB

MD5
7137b9140ca4cbe6cbb31e9fe02cd66d

SHA1
a75557509c077312828185076cd1923f5cfcdeef

SHA256
abca11b499806002043d916ae08df5aead56fd2038869fd013331775c69d0b56

SHA512
e6e2b004eb75533095a5ec99cf98a8c31a41cbf56dd5b16892f72ef10d0df2eed66f0953b00c6582ff02ac31d6014bff604cd8085bb266e083ed05d50d1eb06e

Download Submit
C:\Windows\SysWOW64\Lkdggmlj.exe
Filesize
163KB

MD5
028d8a83ed61bf627c592ff02fd5c1a3

SHA1
95f0287b9be6ff6dccb33e937971867d72b40b66

SHA256
afa71c832fae1fc7c6047068eea37765101207344a4fc165bc6e060fc6bd046c

SHA512
5fe483e6d7aba7e5ae251679f226a818fc8bbd299b7590e1beca0547449988c38b73d3e6065abf786944836e45cddca01bf4c2cefbafa9f346cafc22030626f6

Download Submit
C:\Windows\SysWOW64\Lmccchkn.exe
Filesize
163KB

MD5
ed30cf3e43768a7e65dec790fb9fae70

SHA1
1b80fc3fa073e3101b34c3f7114fa4de992894c3

SHA256
f0f84201ac90af19a6b1b47585e665b88e5b152956df7ada2e75fe1407b3ceae

SHA512
36a7597cd0f0dad00e4bd08992fcf73d959bddff4b74170f2281ec2d9cbb7da77128c8a111fdd75ef7fb0478c24d6a0e0e7fc5d14fe5c4e823d7f16010b7dbb3

Download Submit
C:\Windows\SysWOW64\Lmqgnhmp.exe
Filesize
163KB

MD5
ed7a620125dd2d36fb33d5e93456bcb4

SHA1
e31b44e7055b8703d25eadaf835abbae79e1a551

SHA256
10a8998f0b94341d56224491865a5e3cbf0eb34049e6818d42ea1905b6c0e406

SHA512
dd3d344451b654a5afb4276614a69f3eed4e2089381b46a034d938e21b3dd2c55f05b6fa78b9c4003939cd4e3f94dfa2b840697de97071af5bb7a4fb459b69d6

Download Submit
C:\Windows\SysWOW64\Lpappc32.exe
Filesize
163KB

MD5
7fb8f9bb4d27da73e2978a7300c79451

SHA1
f7fef732dc0ca2218283c20ad7aa10c1fb649fe2

SHA256
f2fb3fe9fa527765585fe2717b14811466a8c98576bc2747cb2323da4625d084

SHA512
809a2af651f03ba0c24dde4ff0d365433562b08c45a7c7fcc7c1d1f3f0e23d370be3ad20d052b60ae7f64d99eee485795d95ca8dd8a5ed94d43a2a6d77745ee0

Download Submit
C:\Windows\SysWOW64\Nkncdifl.exe
Filesize
163KB

MD5
b8ac9fd866a37ff8cff057f896f83503

SHA1
b00d358d2bccd8195079c1b6782bd4feb6386ce2

SHA256
f3055dbfb191b719caa0a9f6514db12348845f3eae8b1d3139297275e9410cfb

SHA512
48effaa0a3dfe6aabb27f2a28803f54834b70dc01bac07224fdae95eb0368b98cb7f3078c54f019ab29960126281147b5f4974236b5c9ea27b0042ec12ad4dc3

Download Submit
memory/8-331-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/228-484-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/228-553-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/760-369-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/772-551-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/772-486-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/900-294-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1144-537-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1144-534-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1152-305-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1156-185-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1224-556-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1296-0-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1296-525-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1296-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/1368-254-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1428-224-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1452-568-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1464-570-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1464-434-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1484-319-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1488-247-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1556-279-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1652-33-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1704-342-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1716-307-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2004-14-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2008-49-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2028-574-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2056-555-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2056-474-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2164-405-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2164-580-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2176-496-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2176-549-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2268-153-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2360-377-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2380-545-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2380-503-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2452-528-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2452-538-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2468-540-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2468-526-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2640-313-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2656-560-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2656-463-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2876-80-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2948-558-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3168-397-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3168-584-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3196-30-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3200-73-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3224-373-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3284-65-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3320-201-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3340-137-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3572-192-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3652-271-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3876-56-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4060-387-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4080-145-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4308-564-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4308-451-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4372-325-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4420-178-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4436-348-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4440-417-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4440-576-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4444-17-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4460-273-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4476-582-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4508-41-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4596-509-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4596-546-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4600-220-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4648-261-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4692-445-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4692-566-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4748-232-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4764-562-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4764-461-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4784-169-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4812-359-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4832-572-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4832-433-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4876-105-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4892-97-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4904-113-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4908-89-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4912-121-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4920-160-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4932-578-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4932-415-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5060-129-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5100-542-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5100-519-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download