60b290310f67adb0ae186b4b938ca466a6b55653b2519261fa425127f5500a1f

max time kernel
62s
max time network
49s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
13-05-2024 17:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Dropper/Berbew.exe
Size

109KB
MD5

331d4664aaa1e426075838bac0ba0e80
SHA1

b5825947ed101a498fadd55ed128172773f014e3
SHA256

90a4b2cba38cde1495721ebc965e888440e212585cb565acf18b6216631d13d1
SHA512

9da4eb7b4fee5956f9ad0444c362fb884295d0a8e087ee7f6ed5d3f9e54422730f8c75553edf6ebf57435f2588e9045573f23879d2d8ec1d3843d80c75cd91ec
SSDEEP

3072:vZYeP+XEYkuuHbJ9GLCqwzBu1DjHLMVDqqkSpR:vPUk3J9Cwtu1DjrFqhz

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Jbojlfdp.exeEpdime32.exeEkngemhd.exeBpjmph32.exeEklajcmc.exeFbplml32.exeObqanjdb.exePmhbqbae.exeLplfcf32.exeBmidnm32.exeCdaile32.exeBerbew.exeFkofga32.exeIlfennic.exeLaiipofp.exeQikbaaml.exeDnljkk32.exeEnfckp32.exeEhlhih32.exeEiekog32.exeDajbaika.exeFjocbhbo.exeFbbicl32.exeHppeim32.exeIpkdek32.exeLhcali32.exeHpmhdmea.exeAfhfaddk.exeBbaclegm.exeBdcmkgmm.exeCdjblf32.exeJbagbebm.exeLllagh32.exeNbebbk32.exePplhhm32.exeDggkipii.exeEcdbop32.exeFnbcgn32.exeBmbnnn32.exeAcccdj32.exeEkqckmfb.exeQjffpe32.exeBjfogbjb.exeHlkfbocp.exeMfkkqmiq.exeNckkfp32.exeAjohfcpj.exeCdhffg32.exeJbepme32.exeLhnhajba.exeLhgkgijg.exeMpeiie32.exeOifppdpd.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jbojlfdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Epdime32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ekngemhd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpjmph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eklajcmc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbplml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Obqanjdb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmhbqbae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lplfcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmidnm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdaile32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Berbew.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fkofga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ilfennic.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laiipofp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qikbaaml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dnljkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Enfckp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ehlhih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eklajcmc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eiekog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dajbaika.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fjocbhbo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbbicl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hppeim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipkdek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lhcali32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpmhdmea.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afhfaddk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbaclegm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bdcmkgmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdjblf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jbagbebm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lllagh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nbebbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pplhhm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dggkipii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ecdbop32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fnbcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fkofga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ipkdek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmbnnn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmhbqbae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acccdj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dajbaika.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ekqckmfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qjffpe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjfogbjb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Epdime32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enfckp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hlkfbocp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mfkkqmiq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nckkfp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajohfcpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjfogbjb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhffg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnljkk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hppeim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jbepme32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lhnhajba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lhgkgijg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ecdbop32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpeiie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oifppdpd.exe

Executes dropped EXE 64 IoCs

Processes:

Dojqjdbl.exeEnfckp32.exeEhlhih32.exeEklajcmc.exeEkonpckp.exeEkajec32.exeEiekog32.exeFnbcgn32.exeFbplml32.exeFbbicl32.exeFniihmpf.exeFohfbpgi.exeFkofga32.exeGlfmgp32.exeGbbajjlp.exeHlkfbocp.exeHhaggp32.exeHehdfdek.exeHpmhdmea.exeHppeim32.exeIlfennic.exeIeojgc32.exeIlkoim32.exeIhbponja.exeIpkdek32.exeJoqafgni.exeJbojlfdp.exeJbagbebm.exeJpegkj32.exeJbepme32.exeKheekkjl.exeKekbjo32.exeKemooo32.exeKcapicdj.exeLhnhajba.exeLllagh32.exeLaiipofp.exeLhcali32.exeLplfcf32.exeLhgkgijg.exeMfkkqmiq.exeMbdiknlb.exeMpeiie32.exeNjbgmjgl.exeNckkfp32.exeNmfmde32.exeNbebbk32.exeObgohklm.exeOiccje32.exeOblhcj32.exeOifppdpd.exeOckdmmoj.exeOmdieb32.exeObqanjdb.exePqbala32.exePmhbqbae.exePplhhm32.exeQjffpe32.exeQikbaaml.exeAimogakj.exeAcccdj32.exeAagdnn32.exeAjohfcpj.exeAplaoj32.exe

pid	process
4028	Dojqjdbl.exe
3616	Enfckp32.exe
788	Ehlhih32.exe
1836	Eklajcmc.exe
1176	Ekonpckp.exe
3556	Ekajec32.exe
1656	Eiekog32.exe
1164	Fnbcgn32.exe
2756	Fbplml32.exe
3592	Fbbicl32.exe
4628	Fniihmpf.exe
412	Fohfbpgi.exe
3752	Fkofga32.exe
764	Glfmgp32.exe
4224	Gbbajjlp.exe
2976	Hlkfbocp.exe
3740	Hhaggp32.exe
3008	Hehdfdek.exe
648	Hpmhdmea.exe
1784	Hppeim32.exe
2916	Ilfennic.exe
4400	Ieojgc32.exe
4964	Ilkoim32.exe
4700	Ihbponja.exe
220	Ipkdek32.exe
4184	Joqafgni.exe
2068	Jbojlfdp.exe
1548	Jbagbebm.exe
3088	Jpegkj32.exe
4416	Jbepme32.exe
3404	Kheekkjl.exe
3568	Kekbjo32.exe
4460	Kemooo32.exe
3344	Kcapicdj.exe
1536	Lhnhajba.exe
5072	Lllagh32.exe
492	Laiipofp.exe
3356	Lhcali32.exe
4320	Lplfcf32.exe
2824	Lhgkgijg.exe
3340	Mfkkqmiq.exe
3076	Mbdiknlb.exe
760	Mpeiie32.exe
2132	Njbgmjgl.exe
4664	Nckkfp32.exe
3432	Nmfmde32.exe
1492	Nbebbk32.exe
792	Obgohklm.exe
2224	Oiccje32.exe
948	Oblhcj32.exe
4988	Oifppdpd.exe
1132	Ockdmmoj.exe
4356	Omdieb32.exe
2260	Obqanjdb.exe
4556	Pqbala32.exe
4208	Pmhbqbae.exe
1980	Pplhhm32.exe
1552	Qjffpe32.exe
4352	Qikbaaml.exe
3640	Aimogakj.exe
2800	Acccdj32.exe
3608	Aagdnn32.exe
5004	Ajohfcpj.exe
4420	Aplaoj32.exe

Drops file in System32 directory 64 IoCs

Processes:

Joqafgni.exeMfkkqmiq.exeMpeiie32.exeNjbgmjgl.exeBpjmph32.exeEklajcmc.exeLllagh32.exeQjffpe32.exeBdcmkgmm.exeEpdime32.exeKemooo32.exeCkidcpjl.exeEafbmgad.exeFjocbhbo.exeKekbjo32.exeGlfmgp32.exeOmdieb32.exeDnljkk32.exeEhlhih32.exeOblhcj32.exeDggkipii.exeAimogakj.exeEkonpckp.exeJpegkj32.exeMbdiknlb.exeNbebbk32.exePplhhm32.exeFnbcgn32.exeHhaggp32.exeAplaoj32.exeAfhfaddk.exeBiklho32.exeCdhffg32.exeEjlnfjbd.exeLhnhajba.exeLhcali32.exeBbaclegm.exeBgdemb32.exeEnfckp32.exeOifppdpd.exeQikbaaml.exeBjfogbjb.exeFbplml32.exeNmfmde32.exeBmbnnn32.exeDajbaika.exeDdklbd32.exeEcdbop32.exeEkajec32.exeJbojlfdp.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Dbkqqe32.dll	Joqafgni.exe
File created	C:\Windows\SysWOW64\Mbdiknlb.exe	Mfkkqmiq.exe
File opened for modification	C:\Windows\SysWOW64\Njbgmjgl.exe	Mpeiie32.exe
File created	C:\Windows\SysWOW64\Nckkfp32.exe	Njbgmjgl.exe
File created	C:\Windows\SysWOW64\Mkddhfnh.dll	Bpjmph32.exe
File created	C:\Windows\SysWOW64\Ekonpckp.exe	Eklajcmc.exe
File opened for modification	C:\Windows\SysWOW64\Laiipofp.exe	Lllagh32.exe
File opened for modification	C:\Windows\SysWOW64\Qikbaaml.exe	Qjffpe32.exe
File opened for modification	C:\Windows\SysWOW64\Bpjmph32.exe	Bdcmkgmm.exe
File created	C:\Windows\SysWOW64\Ljkgblln.dll	Epdime32.exe
File created	C:\Windows\SysWOW64\Kldgkp32.dll	Kemooo32.exe
File opened for modification	C:\Windows\SysWOW64\Cdaile32.exe	Ckidcpjl.exe
File created	C:\Windows\SysWOW64\Ekngemhd.exe	Eafbmgad.exe
File opened for modification	C:\Windows\SysWOW64\Gddgpqbe.exe	Fjocbhbo.exe
File created	C:\Windows\SysWOW64\Jcggmk32.dll	Fjocbhbo.exe
File created	C:\Windows\SysWOW64\Kemooo32.exe	Kekbjo32.exe
File opened for modification	C:\Windows\SysWOW64\Kemooo32.exe	Kekbjo32.exe
File opened for modification	C:\Windows\SysWOW64\Gbbajjlp.exe	Glfmgp32.exe
File created	C:\Windows\SysWOW64\Laiipofp.exe	Lllagh32.exe
File created	C:\Windows\SysWOW64\Obqanjdb.exe	Omdieb32.exe
File created	C:\Windows\SysWOW64\Clbidkde.dll	Ckidcpjl.exe
File opened for modification	C:\Windows\SysWOW64\Ddfbgelh.exe	Dnljkk32.exe
File created	C:\Windows\SysWOW64\Npdhdlin.dll	Ehlhih32.exe
File created	C:\Windows\SysWOW64\Oifppdpd.exe	Oblhcj32.exe
File created	C:\Windows\SysWOW64\Obhmcdfq.dll	Dggkipii.exe
File created	C:\Windows\SysWOW64\Knaodd32.dll	Aimogakj.exe
File created	C:\Windows\SysWOW64\Nlbkmokh.dll	Eklajcmc.exe
File created	C:\Windows\SysWOW64\Ekajec32.exe	Ekonpckp.exe
File created	C:\Windows\SysWOW64\Benibond.dll	Jpegkj32.exe
File opened for modification	C:\Windows\SysWOW64\Mpeiie32.exe	Mbdiknlb.exe
File created	C:\Windows\SysWOW64\Obgohklm.exe	Nbebbk32.exe
File created	C:\Windows\SysWOW64\Bcomgibl.dll	Pplhhm32.exe
File opened for modification	C:\Windows\SysWOW64\Fbplml32.exe	Fnbcgn32.exe
File created	C:\Windows\SysWOW64\Lfojfj32.dll	Hhaggp32.exe
File created	C:\Windows\SysWOW64\Njbgmjgl.exe	Mpeiie32.exe
File opened for modification	C:\Windows\SysWOW64\Ampaho32.exe	Aplaoj32.exe
File created	C:\Windows\SysWOW64\Dfbjkg32.dll	Afhfaddk.exe
File created	C:\Windows\SysWOW64\Ifcmmg32.dll	Biklho32.exe
File created	C:\Windows\SysWOW64\Gddgpqbe.exe	Fjocbhbo.exe
File opened for modification	C:\Windows\SysWOW64\Cienon32.exe	Cdhffg32.exe
File opened for modification	C:\Windows\SysWOW64\Ecdbop32.exe	Ejlnfjbd.exe
File created	C:\Windows\SysWOW64\Pabcflhd.dll	Lhnhajba.exe
File opened for modification	C:\Windows\SysWOW64\Lplfcf32.exe	Lhcali32.exe
File created	C:\Windows\SysWOW64\Dpifjj32.dll	Mbdiknlb.exe
File created	C:\Windows\SysWOW64\Bkfmmb32.dll	Njbgmjgl.exe
File created	C:\Windows\SysWOW64\Biklho32.exe	Bbaclegm.exe
File opened for modification	C:\Windows\SysWOW64\Cdhffg32.exe	Bgdemb32.exe
File opened for modification	C:\Windows\SysWOW64\Ehlhih32.exe	Enfckp32.exe
File opened for modification	C:\Windows\SysWOW64\Hehdfdek.exe	Hhaggp32.exe
File created	C:\Windows\SysWOW64\Bihice32.dll	Oifppdpd.exe
File opened for modification	C:\Windows\SysWOW64\Aimogakj.exe	Qikbaaml.exe
File created	C:\Windows\SysWOW64\Bbaclegm.exe	Bjfogbjb.exe
File created	C:\Windows\SysWOW64\Fbbicl32.exe	Fbplml32.exe
File opened for modification	C:\Windows\SysWOW64\Jbepme32.exe	Jpegkj32.exe
File opened for modification	C:\Windows\SysWOW64\Kcapicdj.exe	Kemooo32.exe
File created	C:\Windows\SysWOW64\Nbebbk32.exe	Nmfmde32.exe
File created	C:\Windows\SysWOW64\Caaimlpo.dll	Bmbnnn32.exe
File created	C:\Windows\SysWOW64\Bopnkd32.dll	Dajbaika.exe
File opened for modification	C:\Windows\SysWOW64\Epdime32.exe	Ddklbd32.exe
File created	C:\Windows\SysWOW64\Aolphl32.dll	Ecdbop32.exe
File opened for modification	C:\Windows\SysWOW64\Eiekog32.exe	Ekajec32.exe
File created	C:\Windows\SysWOW64\Hehdfdek.exe	Hhaggp32.exe
File created	C:\Windows\SysWOW64\Jbagbebm.exe	Jbojlfdp.exe
File created	C:\Windows\SysWOW64\Aemghi32.dll	Mfkkqmiq.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

5528 5192 WerFault.exe Gddgpqbe.exe

pid	pid_target	process	target process
5528	5192	WerFault.exe	Gddgpqbe.exe

Modifies registry class 64 IoCs

Processes:

Oifppdpd.exePmhbqbae.exeHhaggp32.exeHpmhdmea.exeIhbponja.exeMbdiknlb.exeDdklbd32.exeDojqjdbl.exeIeojgc32.exeDmjmekgn.exeObqanjdb.exeFniihmpf.exeIlfennic.exeIlkoim32.exeJbagbebm.exeJpegkj32.exeAfhfaddk.exeEpdime32.exeLhcali32.exeBmidnm32.exeEkqckmfb.exeBerbew.exeFnbcgn32.exeFbplml32.exeFbbicl32.exeBpjmph32.exeCkidcpjl.exeEjlnfjbd.exeEcdbop32.exeOblhcj32.exeOmdieb32.exeAimogakj.exeBgdemb32.exeFkofga32.exeGbbajjlp.exeJbojlfdp.exeHppeim32.exeOckdmmoj.exeCdjblf32.exeAjohfcpj.exeHehdfdek.exeFohfbpgi.exeAagdnn32.exeAplaoj32.exeIpkdek32.exeLllagh32.exeEnfckp32.exeKcapicdj.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bihice32.dll"	Oifppdpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blcnqjjo.dll"	Pmhbqbae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hhaggp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hpmhdmea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ihbponja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mbdiknlb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddklbd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dojqjdbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfojfj32.dll"	Hhaggp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ieojgc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmjmekgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpkdfd32.dll"	Obqanjdb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fniihmpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ilfennic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ilkoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jbagbebm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jpegkj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpifjj32.dll"	Mbdiknlb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Afhfaddk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Epdime32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okjpkd32.dll"	Fniihmpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lhcali32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmidnm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ekqckmfb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Berbew.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Badjai32.dll"	Fnbcgn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fbplml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbblob32.dll"	Fbbicl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bpjmph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clbidkde.dll"	Ckidcpjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ejlnfjbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ecdbop32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oblhcj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Omdieb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aimogakj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bgdemb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fnbcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kihgqfld.dll"	Fkofga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gbbajjlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpmmljnd.dll"	Jbojlfdp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Epdime32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dllfqd32.dll"	Berbew.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hppeim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ockdmmoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcjdilmf.dll"	Cdjblf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhkhop32.dll"	Ajohfcpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdjblf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ckidcpjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fnbcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjehdpem.dll"	Hehdfdek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Picoja32.dll"	Ieojgc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gflonn32.dll"	Ockdmmoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fohoiloe.dll"	Ekqckmfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fohfbpgi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aagdnn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aplaoj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	Berbew.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fniihmpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcoiaikp.dll"	Ipkdek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emlmcm32.dll"	Lllagh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Enfckp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hppeim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kcapicdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpeipb32.dll"	Aagdnn32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Berbew.exeDojqjdbl.exeEnfckp32.exeEhlhih32.exeEklajcmc.exeEkonpckp.exeEkajec32.exeEiekog32.exeFnbcgn32.exeFbplml32.exeFbbicl32.exeFniihmpf.exeFohfbpgi.exeFkofga32.exeGlfmgp32.exeGbbajjlp.exeHlkfbocp.exeHhaggp32.exeHehdfdek.exeHpmhdmea.exeHppeim32.exeIlfennic.exe

description	pid	process	target process
PID 3176 wrote to memory of 4028	3176	Berbew.exe	Dojqjdbl.exe
PID 3176 wrote to memory of 4028	3176	Berbew.exe	Dojqjdbl.exe
PID 3176 wrote to memory of 4028	3176	Berbew.exe	Dojqjdbl.exe
PID 4028 wrote to memory of 3616	4028	Dojqjdbl.exe	Enfckp32.exe
PID 4028 wrote to memory of 3616	4028	Dojqjdbl.exe	Enfckp32.exe
PID 4028 wrote to memory of 3616	4028	Dojqjdbl.exe	Enfckp32.exe
PID 3616 wrote to memory of 788	3616	Enfckp32.exe	Ehlhih32.exe
PID 3616 wrote to memory of 788	3616	Enfckp32.exe	Ehlhih32.exe
PID 3616 wrote to memory of 788	3616	Enfckp32.exe	Ehlhih32.exe
PID 788 wrote to memory of 1836	788	Ehlhih32.exe	Eklajcmc.exe
PID 788 wrote to memory of 1836	788	Ehlhih32.exe	Eklajcmc.exe
PID 788 wrote to memory of 1836	788	Ehlhih32.exe	Eklajcmc.exe
PID 1836 wrote to memory of 1176	1836	Eklajcmc.exe	Ekonpckp.exe
PID 1836 wrote to memory of 1176	1836	Eklajcmc.exe	Ekonpckp.exe
PID 1836 wrote to memory of 1176	1836	Eklajcmc.exe	Ekonpckp.exe
PID 1176 wrote to memory of 3556	1176	Ekonpckp.exe	Ekajec32.exe
PID 1176 wrote to memory of 3556	1176	Ekonpckp.exe	Ekajec32.exe
PID 1176 wrote to memory of 3556	1176	Ekonpckp.exe	Ekajec32.exe
PID 3556 wrote to memory of 1656	3556	Ekajec32.exe	Eiekog32.exe
PID 3556 wrote to memory of 1656	3556	Ekajec32.exe	Eiekog32.exe
PID 3556 wrote to memory of 1656	3556	Ekajec32.exe	Eiekog32.exe
PID 1656 wrote to memory of 1164	1656	Eiekog32.exe	Fnbcgn32.exe
PID 1656 wrote to memory of 1164	1656	Eiekog32.exe	Fnbcgn32.exe
PID 1656 wrote to memory of 1164	1656	Eiekog32.exe	Fnbcgn32.exe
PID 1164 wrote to memory of 2756	1164	Fnbcgn32.exe	Fbplml32.exe
PID 1164 wrote to memory of 2756	1164	Fnbcgn32.exe	Fbplml32.exe
PID 1164 wrote to memory of 2756	1164	Fnbcgn32.exe	Fbplml32.exe
PID 2756 wrote to memory of 3592	2756	Fbplml32.exe	Fbbicl32.exe
PID 2756 wrote to memory of 3592	2756	Fbplml32.exe	Fbbicl32.exe
PID 2756 wrote to memory of 3592	2756	Fbplml32.exe	Fbbicl32.exe
PID 3592 wrote to memory of 4628	3592	Fbbicl32.exe	Fniihmpf.exe
PID 3592 wrote to memory of 4628	3592	Fbbicl32.exe	Fniihmpf.exe
PID 3592 wrote to memory of 4628	3592	Fbbicl32.exe	Fniihmpf.exe
PID 4628 wrote to memory of 412	4628	Fniihmpf.exe	Fohfbpgi.exe
PID 4628 wrote to memory of 412	4628	Fniihmpf.exe	Fohfbpgi.exe
PID 4628 wrote to memory of 412	4628	Fniihmpf.exe	Fohfbpgi.exe
PID 412 wrote to memory of 3752	412	Fohfbpgi.exe	Fkofga32.exe
PID 412 wrote to memory of 3752	412	Fohfbpgi.exe	Fkofga32.exe
PID 412 wrote to memory of 3752	412	Fohfbpgi.exe	Fkofga32.exe
PID 3752 wrote to memory of 764	3752	Fkofga32.exe	Glfmgp32.exe
PID 3752 wrote to memory of 764	3752	Fkofga32.exe	Glfmgp32.exe
PID 3752 wrote to memory of 764	3752	Fkofga32.exe	Glfmgp32.exe
PID 764 wrote to memory of 4224	764	Glfmgp32.exe	Gbbajjlp.exe
PID 764 wrote to memory of 4224	764	Glfmgp32.exe	Gbbajjlp.exe
PID 764 wrote to memory of 4224	764	Glfmgp32.exe	Gbbajjlp.exe
PID 4224 wrote to memory of 2976	4224	Gbbajjlp.exe	Hlkfbocp.exe
PID 4224 wrote to memory of 2976	4224	Gbbajjlp.exe	Hlkfbocp.exe
PID 4224 wrote to memory of 2976	4224	Gbbajjlp.exe	Hlkfbocp.exe
PID 2976 wrote to memory of 3740	2976	Hlkfbocp.exe	Hhaggp32.exe
PID 2976 wrote to memory of 3740	2976	Hlkfbocp.exe	Hhaggp32.exe
PID 2976 wrote to memory of 3740	2976	Hlkfbocp.exe	Hhaggp32.exe
PID 3740 wrote to memory of 3008	3740	Hhaggp32.exe	Hehdfdek.exe
PID 3740 wrote to memory of 3008	3740	Hhaggp32.exe	Hehdfdek.exe
PID 3740 wrote to memory of 3008	3740	Hhaggp32.exe	Hehdfdek.exe
PID 3008 wrote to memory of 648	3008	Hehdfdek.exe	Hpmhdmea.exe
PID 3008 wrote to memory of 648	3008	Hehdfdek.exe	Hpmhdmea.exe
PID 3008 wrote to memory of 648	3008	Hehdfdek.exe	Hpmhdmea.exe
PID 648 wrote to memory of 1784	648	Hpmhdmea.exe	Hppeim32.exe
PID 648 wrote to memory of 1784	648	Hpmhdmea.exe	Hppeim32.exe
PID 648 wrote to memory of 1784	648	Hpmhdmea.exe	Hppeim32.exe
PID 1784 wrote to memory of 2916	1784	Hppeim32.exe	Ilfennic.exe
PID 1784 wrote to memory of 2916	1784	Hppeim32.exe	Ilfennic.exe
PID 1784 wrote to memory of 2916	1784	Hppeim32.exe	Ilfennic.exe
PID 2916 wrote to memory of 4400	2916	Ilfennic.exe	Ieojgc32.exe

C:\Users\Admin\AppData\Local\Temp\Dropper\Berbew.exe
"C:\Users\Admin\AppData\Local\Temp\Dropper\Berbew.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3176

C:\Windows\SysWOW64\Dojqjdbl.exe
C:\Windows\system32\Dojqjdbl.exe
2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4028

C:\Windows\SysWOW64\Enfckp32.exe
C:\Windows\system32\Enfckp32.exe
3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3616

C:\Windows\SysWOW64\Ehlhih32.exe
C:\Windows\system32\Ehlhih32.exe
4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:788

C:\Windows\SysWOW64\Eklajcmc.exe
C:\Windows\system32\Eklajcmc.exe
5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1836

C:\Windows\SysWOW64\Ekonpckp.exe
C:\Windows\system32\Ekonpckp.exe
6⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1176

C:\Windows\SysWOW64\Ekajec32.exe
C:\Windows\system32\Ekajec32.exe
7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3556

C:\Windows\SysWOW64\Eiekog32.exe
C:\Windows\system32\Eiekog32.exe
8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1656

C:\Windows\SysWOW64\Fnbcgn32.exe
C:\Windows\system32\Fnbcgn32.exe
9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1164

C:\Windows\SysWOW64\Fbplml32.exe
C:\Windows\system32\Fbplml32.exe
10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2756

C:\Windows\SysWOW64\Fbbicl32.exe
C:\Windows\system32\Fbbicl32.exe
11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3592

C:\Windows\SysWOW64\Fniihmpf.exe
C:\Windows\system32\Fniihmpf.exe
12⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4628

C:\Windows\SysWOW64\Fohfbpgi.exe
C:\Windows\system32\Fohfbpgi.exe
13⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:412

C:\Windows\SysWOW64\Fkofga32.exe
C:\Windows\system32\Fkofga32.exe
14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3752

C:\Windows\SysWOW64\Glfmgp32.exe
C:\Windows\system32\Glfmgp32.exe
15⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:764

C:\Windows\SysWOW64\Gbbajjlp.exe
C:\Windows\system32\Gbbajjlp.exe
16⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4224

C:\Windows\SysWOW64\Hlkfbocp.exe
C:\Windows\system32\Hlkfbocp.exe
17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2976

C:\Windows\SysWOW64\Hhaggp32.exe
C:\Windows\system32\Hhaggp32.exe
18⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3740

C:\Windows\SysWOW64\Hehdfdek.exe
C:\Windows\system32\Hehdfdek.exe
19⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3008

C:\Windows\SysWOW64\Hpmhdmea.exe
C:\Windows\system32\Hpmhdmea.exe
20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:648

C:\Windows\SysWOW64\Hppeim32.exe
C:\Windows\system32\Hppeim32.exe
21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1784

C:\Windows\SysWOW64\Ilfennic.exe
C:\Windows\system32\Ilfennic.exe
22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2916

C:\Windows\SysWOW64\Ieojgc32.exe
C:\Windows\system32\Ieojgc32.exe
23⤵
- Executes dropped EXE
- Modifies registry class
PID:4400

C:\Windows\SysWOW64\Ilkoim32.exe
C:\Windows\system32\Ilkoim32.exe
24⤵
- Executes dropped EXE
- Modifies registry class
PID:4964

C:\Windows\SysWOW64\Ihbponja.exe
C:\Windows\system32\Ihbponja.exe
25⤵
- Executes dropped EXE
- Modifies registry class
PID:4700

C:\Windows\SysWOW64\Ipkdek32.exe
C:\Windows\system32\Ipkdek32.exe
26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:220

C:\Windows\SysWOW64\Joqafgni.exe
C:\Windows\system32\Joqafgni.exe
27⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4184

C:\Windows\SysWOW64\Jbojlfdp.exe
C:\Windows\system32\Jbojlfdp.exe
28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2068

C:\Windows\SysWOW64\Jbagbebm.exe
C:\Windows\system32\Jbagbebm.exe
29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1548

C:\Windows\SysWOW64\Jpegkj32.exe
C:\Windows\system32\Jpegkj32.exe
30⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3088

C:\Windows\SysWOW64\Jbepme32.exe
C:\Windows\system32\Jbepme32.exe
31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4416

C:\Windows\SysWOW64\Kheekkjl.exe
C:\Windows\system32\Kheekkjl.exe
32⤵
- Executes dropped EXE
PID:3404

C:\Windows\SysWOW64\Kekbjo32.exe
C:\Windows\system32\Kekbjo32.exe
33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3568

C:\Windows\SysWOW64\Kemooo32.exe
C:\Windows\system32\Kemooo32.exe
34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4460

C:\Windows\SysWOW64\Kcapicdj.exe
C:\Windows\system32\Kcapicdj.exe
35⤵
- Executes dropped EXE
- Modifies registry class
PID:3344

C:\Windows\SysWOW64\Lhnhajba.exe
C:\Windows\system32\Lhnhajba.exe
36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1536

C:\Windows\SysWOW64\Lllagh32.exe
C:\Windows\system32\Lllagh32.exe
37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:5072

C:\Windows\SysWOW64\Laiipofp.exe
C:\Windows\system32\Laiipofp.exe
38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:492

C:\Windows\SysWOW64\Lhcali32.exe
C:\Windows\system32\Lhcali32.exe
39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3356

C:\Windows\SysWOW64\Lplfcf32.exe
C:\Windows\system32\Lplfcf32.exe
40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4320

C:\Windows\SysWOW64\Lhgkgijg.exe
C:\Windows\system32\Lhgkgijg.exe
41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2824

C:\Windows\SysWOW64\Mfkkqmiq.exe
C:\Windows\system32\Mfkkqmiq.exe
42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3340

C:\Windows\SysWOW64\Mbdiknlb.exe
C:\Windows\system32\Mbdiknlb.exe
43⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3076

C:\Windows\SysWOW64\Mpeiie32.exe
C:\Windows\system32\Mpeiie32.exe
44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:760

C:\Windows\SysWOW64\Njbgmjgl.exe
C:\Windows\system32\Njbgmjgl.exe
45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2132

C:\Windows\SysWOW64\Nckkfp32.exe
C:\Windows\system32\Nckkfp32.exe
46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4664

C:\Windows\SysWOW64\Nmfmde32.exe
C:\Windows\system32\Nmfmde32.exe
47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3432

C:\Windows\SysWOW64\Nbebbk32.exe
C:\Windows\system32\Nbebbk32.exe
48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1492

C:\Windows\SysWOW64\Obgohklm.exe
C:\Windows\system32\Obgohklm.exe
49⤵
- Executes dropped EXE
PID:792

C:\Windows\SysWOW64\Oiccje32.exe
C:\Windows\system32\Oiccje32.exe
50⤵
- Executes dropped EXE
PID:2224

C:\Windows\SysWOW64\Oblhcj32.exe
C:\Windows\system32\Oblhcj32.exe
51⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:948

C:\Windows\SysWOW64\Oifppdpd.exe
C:\Windows\system32\Oifppdpd.exe
52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4988

C:\Windows\SysWOW64\Ockdmmoj.exe
C:\Windows\system32\Ockdmmoj.exe
53⤵
- Executes dropped EXE
- Modifies registry class
PID:1132

C:\Windows\SysWOW64\Omdieb32.exe
C:\Windows\system32\Omdieb32.exe
54⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4356

C:\Windows\SysWOW64\Obqanjdb.exe
C:\Windows\system32\Obqanjdb.exe
55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2260

C:\Windows\SysWOW64\Pqbala32.exe
C:\Windows\system32\Pqbala32.exe
56⤵
- Executes dropped EXE
PID:4556

C:\Windows\SysWOW64\Pmhbqbae.exe
C:\Windows\system32\Pmhbqbae.exe
57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4208

C:\Windows\SysWOW64\Pplhhm32.exe
C:\Windows\system32\Pplhhm32.exe
58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1980

C:\Windows\SysWOW64\Qjffpe32.exe
C:\Windows\system32\Qjffpe32.exe
59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1552

C:\Windows\SysWOW64\Qikbaaml.exe
C:\Windows\system32\Qikbaaml.exe
60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4352

C:\Windows\SysWOW64\Aimogakj.exe
C:\Windows\system32\Aimogakj.exe
61⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3640

C:\Windows\SysWOW64\Acccdj32.exe
C:\Windows\system32\Acccdj32.exe
62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2800

C:\Windows\SysWOW64\Aagdnn32.exe
C:\Windows\system32\Aagdnn32.exe
63⤵
- Executes dropped EXE
- Modifies registry class
PID:3608

C:\Windows\SysWOW64\Ajohfcpj.exe
C:\Windows\system32\Ajohfcpj.exe
64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:5004

C:\Windows\SysWOW64\Aplaoj32.exe
C:\Windows\system32\Aplaoj32.exe
65⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4420

C:\Windows\SysWOW64\Ampaho32.exe
C:\Windows\system32\Ampaho32.exe
66⤵
PID:2236

C:\Windows\SysWOW64\Afhfaddk.exe
C:\Windows\system32\Afhfaddk.exe
67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:4848

C:\Windows\SysWOW64\Bmbnnn32.exe
C:\Windows\system32\Bmbnnn32.exe
68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:700

C:\Windows\SysWOW64\Bjfogbjb.exe
C:\Windows\system32\Bjfogbjb.exe
69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3324

C:\Windows\SysWOW64\Bbaclegm.exe
C:\Windows\system32\Bbaclegm.exe
70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:4860

C:\Windows\SysWOW64\Biklho32.exe
C:\Windows\system32\Biklho32.exe
71⤵
- Drops file in System32 directory
PID:5156

C:\Windows\SysWOW64\Bmidnm32.exe
C:\Windows\system32\Bmidnm32.exe
72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5200

C:\Windows\SysWOW64\Bdcmkgmm.exe
C:\Windows\system32\Bdcmkgmm.exe
73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5240

C:\Windows\SysWOW64\Bpjmph32.exe
C:\Windows\system32\Bpjmph32.exe
74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:5280

C:\Windows\SysWOW64\Bgdemb32.exe
C:\Windows\system32\Bgdemb32.exe
75⤵
- Drops file in System32 directory
- Modifies registry class
PID:5320

C:\Windows\SysWOW64\Cdhffg32.exe
C:\Windows\system32\Cdhffg32.exe
76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5352

C:\Windows\SysWOW64\Cienon32.exe
C:\Windows\system32\Cienon32.exe
77⤵
PID:5396

C:\Windows\SysWOW64\Cdjblf32.exe
C:\Windows\system32\Cdjblf32.exe
78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5436

C:\Windows\SysWOW64\Cmbgdl32.exe
C:\Windows\system32\Cmbgdl32.exe
79⤵
PID:5472

C:\Windows\SysWOW64\Cdmoafdb.exe
C:\Windows\system32\Cdmoafdb.exe
80⤵
PID:5508

C:\Windows\SysWOW64\Ckidcpjl.exe
C:\Windows\system32\Ckidcpjl.exe
81⤵
- Drops file in System32 directory
- Modifies registry class
PID:5564

C:\Windows\SysWOW64\Cdaile32.exe
C:\Windows\system32\Cdaile32.exe
82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5604

C:\Windows\SysWOW64\Dmjmekgn.exe
C:\Windows\system32\Dmjmekgn.exe
83⤵
- Modifies registry class
PID:5640

C:\Windows\SysWOW64\Dnljkk32.exe
C:\Windows\system32\Dnljkk32.exe
84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5692

C:\Windows\SysWOW64\Ddfbgelh.exe
C:\Windows\system32\Ddfbgelh.exe
85⤵
PID:5724

C:\Windows\SysWOW64\Dajbaika.exe
C:\Windows\system32\Dajbaika.exe
86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5768

C:\Windows\SysWOW64\Dggkipii.exe
C:\Windows\system32\Dggkipii.exe
87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5808

C:\Windows\SysWOW64\Ddklbd32.exe
C:\Windows\system32\Ddklbd32.exe
88⤵
- Drops file in System32 directory
- Modifies registry class
PID:5864

C:\Windows\SysWOW64\Epdime32.exe
C:\Windows\system32\Epdime32.exe
89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:5896

C:\Windows\SysWOW64\Ejlnfjbd.exe
C:\Windows\system32\Ejlnfjbd.exe
90⤵
- Drops file in System32 directory
- Modifies registry class
PID:5940

C:\Windows\SysWOW64\Ecdbop32.exe
C:\Windows\system32\Ecdbop32.exe
91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:5984

C:\Windows\SysWOW64\Eafbmgad.exe
C:\Windows\system32\Eafbmgad.exe
92⤵
- Drops file in System32 directory
PID:6024

C:\Windows\SysWOW64\Ekngemhd.exe
C:\Windows\system32\Ekngemhd.exe
93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6076

C:\Windows\SysWOW64\Ekqckmfb.exe
C:\Windows\system32\Ekqckmfb.exe
94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:6132

C:\Windows\SysWOW64\Fjocbhbo.exe
C:\Windows\system32\Fjocbhbo.exe
95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2244

C:\Windows\SysWOW64\Gddgpqbe.exe
C:\Windows\system32\Gddgpqbe.exe
96⤵
PID:5192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5192 -s 412
97⤵
- Program crash
PID:5528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5192 -ip 5192
1⤵
PID:5340

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\UnblockCompare.vbe"
1⤵
PID:5164

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4140 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8
1⤵
PID:5140

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\DenyBackup.vbs"
1⤵
PID:5828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dojqjdbl.exe

Filesize
109KB

MD5
b99888caa0f0019adbf48704b8930f59

SHA1
3f7819f2efa6b63b5b5f948deb7f2468f3a8695f

SHA256
c9b45417411954bda0af202c7f86687e32a9e20795ecb6cc6ece2f9faf890947

SHA512
a988931ce6089bcc91bcb4ab0cb651145af4dabb95e8d888376b52efe31c997e1fbeda07afb9aecac50ff49d833c031f2e12341a48d5d97a44ef5896767c54db

Download Submit
C:\Windows\SysWOW64\Ehlhih32.exe

Filesize
109KB

MD5
6166966fb410848912c66dae16f19db6

SHA1
771ea9b4bfc479ef73e884fc9842d152a6b90e06

SHA256
39c40cd9b2b73d9d43353ecbd447f26c46b04719916785b18c98064ea851ab06

SHA512
7ed2798141c489d2f9d31a66c43c6a331488af01c32bb656cd985f94658efd2daf47e31e6380663364bb419c2f8d5c4ea25b835da6fea3ea0e4bfee3fc009fbf

Download Submit
C:\Windows\SysWOW64\Eiekog32.exe

Filesize
109KB

MD5
6b4208c480dc387feef1c3affe4636e4

SHA1
bcfd80ebcc937750b4e81714b3bca3074a2a5102

SHA256
d1de771918a32869bc8a7155c8bf882afea740996cf2dac55f42de83a593829a

SHA512
176172bfbc78b39b8729fcbbea5fed27a311882542c915134bd342f2387a4499e999dd3c8f78c8f7086db43c4c976dfb0175927b24b4ee1e8273cb1e9d130bf8

Download Submit
C:\Windows\SysWOW64\Ekajec32.exe

Filesize
109KB

MD5
07c3486496f4b10ddb4106ef82a97df5

SHA1
1d7e7a68c9b5500d14e4a77f0c860c76d48aac87

SHA256
282d0f2757ff05ec3d80a50d6d66129067aa5f9027b93964f8cecb71090efa0e

SHA512
1fc94963e59601b5350df7b62b0e20e72c54946125cf38f33759a1f563d9b589905026c988765913cda1d3885477627f1dce7a9b851c08094e432e9207754948

Download Submit
C:\Windows\SysWOW64\Eklajcmc.exe

Filesize
109KB

MD5
caa45f0e6f2e24254076009dcc8bfbcf

SHA1
42cd1a9c0d16b2a299a030592b741e0a16e38684

SHA256
c373456f154e5f537126728395d46bbb39c9486485409063c38a61d184fc5d1f

SHA512
b2b780e4a09b8d3cad94a124960774792fc4ce1eee2eaef50aee8fce6e0f35555d39de8bfaeb3a131b0fdacf3b50e429e7bcdb428d3338591010c9738c376352

Download Submit
C:\Windows\SysWOW64\Ekonpckp.exe

Filesize
109KB

MD5
b0baa197cc2e2045cfaf191c65080b9e

SHA1
61b4eea2c850488b697c6cb2892d88ab81da890c

SHA256
5ff8f2f4e3665c7ab2421f5a6bb6d1d1391416dab8df394c2c4015281fbf4929

SHA512
e1daebce850368aecfd33ed0d23d9ecd1d6a1639847ad115cbd306ff12b2043104730a81418d561340d337245d4b73ed9a84bba1ef6a788d888cc4ec90bca28d

Download Submit
C:\Windows\SysWOW64\Ekqckmfb.exe

Filesize
109KB

MD5
cd5bf407b640ba8e7601d942dfa2fc26

SHA1
acc023faf5a5ce3dd23f6fbe9a8281c925c89910

SHA256
d9f1098f046e5b2815fab4cc839f5bf6e1b892f0cac44d507f05fe4a15723ce4

SHA512
90bd1c99b151b7a7ed134dd3b2938dd2cb17f99d1541ce04608d1b034e1c79c61634f09a0968631b5501bec9465a9a1c2436a2eb79026021299924735352f9b5

Download Submit
C:\Windows\SysWOW64\Enfckp32.exe

Filesize
109KB

MD5
dce221cc9948f737ab60a58cc8d3c0e7

SHA1
156a099679f205a3d4f3669a4a5f484a6c9b5bb4

SHA256
f64d02a34fd49d8157d3c97ee8877ca32a406e2a6a19d9bfec95aee827df68ba

SHA512
f28abe361aec4ed285504b5408305acef80f21410ca9a9c20d7fad80794e30fa05aa8857bc92ddbac13eed1185948024b0b108623228cecb12629f0fb2bc91ba

Download Submit
C:\Windows\SysWOW64\Fbbicl32.exe

Filesize
109KB

MD5
9256d63d95a36b8b5b6e49c4bf07527e

SHA1
c4108fc5ce11a8c30cefb31ba07e9fc8ed9cc0c1

SHA256
25a628917fd59dc2e732e599d6c2cc3448440569019d8120549816f8779c28e8

SHA512
40e9cf0027cea087ff8940516f7959a88e56e16889e34342f06e6ae6823b577ed456c7dc65f1b833ce92942f0c13785b63a2cdfc81365b79180dbe25cc6be340

Download Submit
C:\Windows\SysWOW64\Fbplml32.exe

Filesize
109KB

MD5
eb695137446e0cfaf341a85c12cb8734

SHA1
47a7054902bb85f0caaf4c8dc7bd427254c5b364

SHA256
aebf61a8058ddc32026ee5dca668f59b067aca22dd2e5dac3a4306afdc7428c8

SHA512
25b550207d66939956830a9475bbe178a5e077d29c45e6d202cb4d5c479821af5b6c1c0b730fc3c30ab61aaf9afc59e898e3a8f07d25010039942b600add2d52

Download Submit
C:\Windows\SysWOW64\Fkofga32.exe

Filesize
109KB

MD5
8ea2cd6db5a6644ceb84438086e76fdb

SHA1
bd78afd6563631d8812d22a5ab5c92050b0702dc

SHA256
7f1d478753e7d37083bc8a177e31e4f8dc156ac779245dd55d172846d625a129

SHA512
ff02282e35f60860a8bf854b9f697864ad18291577025036e9efe7d55d2d5d64e5f47aa1988f9779314ad6efd9b5c4e21b47f9a8cc5a57ff59348684dae52ce4

Download Submit
C:\Windows\SysWOW64\Fnbcgn32.exe

Filesize
109KB

MD5
645311de96687a114caa5a94e6ad716d

SHA1
ed72adcdbcee6b81049d8c093e202aa3bba24b61

SHA256
83e5efc7f7dec30ab142adf49db3dbbd22a80e11b32c383f84bb260ba99b5772

SHA512
a7b511deb196da0df510483dd39305cc57b8a6344c31e49283163759bb35526afc75c6c76fc0d80e595f6e764f5c692262910dd2e6bb35ee8b25a7a5ac955fc5

Download Submit
C:\Windows\SysWOW64\Fniihmpf.exe

Filesize
109KB

MD5
4f2faf89a18d4fcee36a1c997426e859

SHA1
62cde972b8fabdeb88cc4c66c82f6b0e54cb6fd9

SHA256
c833d0111b5f25b3717e6aa7afd955284fe01a47b996913ab1c53676516e4376

SHA512
8f1f3a0ebbbb3b6834e114db5fd345e267daa10012859f6c628dec65ac62a10e6625930cbb0ba8bc6d51f768df8df57447008ecf9341a3f29c1881a55f6a4ded

Download Submit
C:\Windows\SysWOW64\Fohfbpgi.exe

Filesize
109KB

MD5
e40cedff8c7a4d2c3eecd82d780b4647

SHA1
d9edf6ab54cc9c55f30b4528c4a424ade8d59ea2

SHA256
4a010998273e97fb6bd8ba45aa93a4c18651b169b3145d5126374894016ec0e0

SHA512
51341c68a84eefe989a2cec093fbcb7ed9cf54f6853122ec7f680d3925a93466f60b7013e18f099fe4407e446427b699d87a9de34550240a22bacf0ed6e14a64

Download Submit
C:\Windows\SysWOW64\Gbbajjlp.exe

Filesize
109KB

MD5
9eaff2db7f91fab6053bdc9b77af8008

SHA1
57babfa9ed68d344da77b416daf157db60cb1245

SHA256
e41b0604412bef78515fc0367502dd9209c5d5f7870ed73e1bd209ceab3980f2

SHA512
7a595151602f126080ebb4d512fcb28cb1d0b51cfa694d23ae44cf7df55553fefcfa75e778c7a7b8056d1e9c07b95c84f90e4556d60adeb18ce145800221635d

Download Submit
C:\Windows\SysWOW64\Glfmgp32.exe

Filesize
109KB

MD5
f081658ab0c266319f09742fc74f2f73

SHA1
25d02018b88f5763929733748405b506dcb55018

SHA256
15672a0a97273a7a7d2d9d47b0feb50078ed4ad2c694ceff4c9cd032d6596520

SHA512
41bbfa3df0592d4ff00457985755ce2b315f0606090602718860cd92a11d1899ea244641d277a437f576820d0f71a486fdcd7771aaf723f95f07fb21830f05de

Download Submit
C:\Windows\SysWOW64\Hehdfdek.exe

Filesize
109KB

MD5
80f89088dd1bda22b04964a430b3c5c4

SHA1
d435cea646f373d618400284f94509ef05c8d38d

SHA256
1f9db9e3fc17e7eb9a0bdca86fb5e3f0d6eb9c112db05c9c181acd2fc1b19b19

SHA512
05c5920228368dad2b947d33526ceed6b81019bb80cc01c074a88b3e38d046e6a3f1ca280fbda593d056ae8f618d99d92a370c26eeab73d843fa266ebd211a60

Download Submit
C:\Windows\SysWOW64\Hhaggp32.exe

Filesize
109KB

MD5
7d7132471a31647b309ce6c0f81b1b05

SHA1
227dcfdb985d7b6305c688e2a924583c6dbe6167

SHA256
497856fac88537bb23ea86891b15b44007ae417dee29601917681ca5b7beb299

SHA512
151fa5e941733c29f72fead480f6ff4ee29bab79445884e22b5ab1b76203f52143753b4b1df5c3a496c3cc5025223dc5520ac50fa2e181b64ba07c219d00b47d

Download Submit
C:\Windows\SysWOW64\Hlkfbocp.exe

Filesize
109KB

MD5
796bf199e777ef2a69d077dda9ed1209

SHA1
da05a83033a1078e392d073334a961166a44ef1b

SHA256
2648507ad27a79c2bd7a627b2296b996b66b064d1ff3d3e702e74c2814ea7475

SHA512
8162e2eb53f3173af84655495a1044a1be9911400ba7fdae890510153f34eab8b8aea6e9a30e2e1a230981c3a2cc8fb0952bab24643e51185b2bfdaf80cfdb6b

Download Submit
C:\Windows\SysWOW64\Hpmhdmea.exe

Filesize
109KB

MD5
6639205723b75e55a92ba22455d552fa

SHA1
23e61e80f690f3bd1811475e35ad626ea7fc2088

SHA256
3a43db77cfbfed425f616cd81148c2616275bee2b13f0a798e9a136c586aa933

SHA512
b54b0db7c3e259b91a48b0390c60e3fcbcf9adaccfd8f364cbd7c279ca882a1122f96ce735d434518440467e31572d4fe8b2d1f1a5f128b46b02e72157d50d86

Download Submit
C:\Windows\SysWOW64\Hppeim32.exe

Filesize
109KB

MD5
f3a260eb6c6b5e2a91ac5b533886857b

SHA1
d07bf620964f777c0518e710cdb68fdceeb2f148

SHA256
8e2acfc9cfdadf2aeb9a2db7ea945bf20617dc7528774b576c9705841576d4eb

SHA512
9694cefa70e27f475a274993b9e01f4629392b7d76e6bbfa5f80ac399f0fc0922a25edd8cca97c393612bdd5ef13a8df5c10cc4ff6112640b76c2e8a380e6107

Download Submit
C:\Windows\SysWOW64\Ieojgc32.exe

Filesize
109KB

MD5
bcf55e040a0d4bb98107b9d80466084e

SHA1
7eec372584c49974d2eff0d7aee9bce5723ad199

SHA256
003bf4ccf0882db5d15ec7083a9286fa65c24f7a6411ba8968b5f2652af04574

SHA512
fc18865e0d5822a01b24d0fd61de36190f807954ffba6e7575824efc67c3b1967fc4e230adf0eaf4d77f94a79f07382097f594c9dc82b5240d9a916b32ffc2a5

Download Submit
C:\Windows\SysWOW64\Ihbponja.exe

Filesize
109KB

MD5
d917121d1674106e57477fd8a27941f4

SHA1
0130c5f9b10cffdf3225397b0a720382c8efba52

SHA256
b6e86475f35e6f97c6e93b5a0f6c24107fb566c54913f8938612847c8bee1be0

SHA512
758592c7a4a93ae2f901ea47e8e2b6b5a127c481adeca4f2338f7c6f3246c192a896aed6a647c7392d7bc7345ce92ae05c329a66f94d028582698cd93e89a54f

Download Submit
C:\Windows\SysWOW64\Ilfennic.exe

Filesize
109KB

MD5
8cb643995925993f7c53d8991df1e6b3

SHA1
6055b26c7cf2efacb91da516ae27852252cc6121

SHA256
155510c46255517e23bec848f9cd99a12fe1be1107c37c9d21da336e28a65fd5

SHA512
341f930c5d4d5861b4d6b1d9a368801b3ab3517701b80a049bc34a72336492a0f8d29d3d7e9ef09cdfdd9c0788e4493282f837b1dd9ad78791157201908a75bf

Download Submit
C:\Windows\SysWOW64\Ilkoim32.exe

Filesize
109KB

MD5
1d67414f2536aad2ac13ad0d6c4f5028

SHA1
b1cf4bc241bda7336a61fe6472f31e1c3751e292

SHA256
20e5280bdcd8ab59a48724711330df04e7ebb657064d15cb5e3a2baf7bead1db

SHA512
051e389b45c7420bd920e840c523b62f6dcf226a4b03de3cf76ffe563af9e20d2dc916b7459f6632c2b456925926465c7a1957c0514a5c26f33011efbc42598c

Download Submit
C:\Windows\SysWOW64\Ipkdek32.exe

Filesize
109KB

MD5
3400c7e4c2c10e9e090175dfe4293834

SHA1
d963c83572c4d6a28463b27ba6792cfd2a332190

SHA256
11765beacecf03cfd7b1afcf349b301a4515792895b299d43f5579a19471be3a

SHA512
c909dbee868e1d52511d0771f7d6c3b3aa4db6079de6048b831c8829116e43738dc26fe3d2424a57bf9ecf61067cfcc35c0b172ca4223d023d3b44fee4d17de4

Download Submit
C:\Windows\SysWOW64\Jbagbebm.exe

Filesize
109KB

MD5
8fe6b84281e0f7615ecb81b3af1dfa81

SHA1
2a8184b55c141acafa6797e5b315ce97794e9832

SHA256
d3a30c8efa7e459e99ba0969ad0419b83a698f7019927a4738455ce2bcdb6e7e

SHA512
3f2a0c05d2a022629254f9fafd61f4ea94414e374c04f6b51ddce4497ea4413c7eb38c9bb4dd65c68f83f184482b7182a2a0f817639071e1e2d7df44bb4702c9

Download Submit
C:\Windows\SysWOW64\Jbepme32.exe

Filesize
109KB

MD5
1fa7c1e55373f5829f7e8ca79cb1424f

SHA1
feb07580df3eb7377a2da5f1be38c330c96e4e90

SHA256
5aac4ce5f353e2cef89715f415ff74d1de0fe43311fcf317c0357610fa3f0c36

SHA512
580cb6b3197cfffe733a7bd57f99b2f977d7d9c0cf484780450e34fdd3e95eb352c4b5bf69aa42bfb3c9bb5130b0e5ad25a1d372b4970d0a31911a82760db388

Download Submit
C:\Windows\SysWOW64\Jbojlfdp.exe

Filesize
109KB

MD5
5bf734cf494cfb01d278145ab31f7f27

SHA1
794270d3299d3fbca25b7deddbc50d5cf33b05ba

SHA256
2e4ba4fbe2c25221edc9ecc7c479848d68bd1160b55edbcc04a325c90dc0d82d

SHA512
4e9ad743b7c52bda8bf6ae2d6e2a89cda6477e079b963d77b7092f02273906732c06e181233a8da55c7bb91db1ffe16b3db5c5649c03fa602cd8fa8229071585

Download Submit
C:\Windows\SysWOW64\Joqafgni.exe

Filesize
109KB

MD5
32958bd2a012ee5ecb33fbc240110a65

SHA1
d90b4b96ce2f4aa2d08152018854ceae78463051

SHA256
28e5fbfa649285defa82c8544703d00d0b064f15db13761086a29fdfe5fea57b

SHA512
f2f70ba1b73e46fb8809b717d61cfb882e55152bca66b108f76f1c0ece6138454bcc4b044ba7dd0a08262b47ac7c37238182073c0db2d36b6f0ce423182526a9

Download Submit
C:\Windows\SysWOW64\Jpegkj32.exe

Filesize
109KB

MD5
fe114ca63c61122106250c16a15f17c5

SHA1
c686763ffb82fc2dda54a0ab3d5b81447d0008db

SHA256
ff4133826f2217bdb4d2096c77a2ba75b33f93282872b29cd0587db5c37c0ddc

SHA512
c41e1313f4135629051264230aed87e5d68d29acb1bf2753771061cd4646d93841fc24fd3563af550ef3f94c3db064b3b16d72bcc4d6a501dba2a69ffd5fa56b

Download Submit
C:\Windows\SysWOW64\Kekbjo32.exe

Filesize
109KB

MD5
ec30efdb5e021d72f24197e4890fd1e4

SHA1
4b6c90e6a290a7764678e9de13a3abc105fe1d0e

SHA256
402abc64a219bdd2bb91bb5cc4cddb5f0eac56a76cfb9f16063946866f7ccec3

SHA512
98d4a36ce56587eaab28b6ce1d76b98e80d1fbabd5a5b7639396361271eba9395eb46aaa9663837eaaa5ef873c2a19662df9e909a63735ce4d3818f72fb8b0a7

Download Submit
C:\Windows\SysWOW64\Kheekkjl.exe

Filesize
109KB

MD5
63de564b61f9b90425042b3481ceba11

SHA1
fe7c7f9dd383e0bbf2e3c786d157b23b0bad02a6

SHA256
6a7883b12694543269baef325df85f874998bd8bd4b2c91e5edc6b60b1873adc

SHA512
f6c32895a58c90a557a2c09afde7da414cfe9656e74e1fd2baf0e34af5e944f19a5a40e7c6d6dd0b3507be2cef4de27e0362a04831b867a91ba7af01e79ee48f

Download Submit
C:\Windows\SysWOW64\Mbdiknlb.exe

Filesize
109KB

MD5
207bf7cad512386f183f5b074d01285a

SHA1
a100ea92d6db69570903a8c93d4231b7557e2917

SHA256
460a3caf2624c341663e244721081cd24ef6708dd50738834a992b5e68cfb1b3

SHA512
dd2b0890db89f9e7763cf032fbcde97389f39fdd9fac313de51e35280aa9b305cb016aa85eea6b9472a865c0a0dc686722ef80604044d12a6743f52bfc621331

Download Submit
C:\Windows\SysWOW64\Nlbkmokh.dll

Filesize
7KB

MD5
1f2684a293c9f03df7b5bc698c95d2c4

SHA1
1c29e8b17b3a5a1931624f180c836c9b34c4e9a6

SHA256
69ef4fd527bef5059b9813e75c893aace80b3ebf173be1cc5a013c6da3e96630

SHA512
61281a21c39ba009cf44532be94c475bddc6997d74dce64b9121b5ebc0d8c969b5939b93f13b64dbc3d39b4a636ae64693fc1c7c120874ceafe40ce6834ee2d7

Download Submit
C:\Windows\SysWOW64\Oblhcj32.exe

Filesize
109KB

MD5
c5d9c2262a595444d24b30007095d931

SHA1
ab30118890cec981c7f70bae4a67b9d0421755c5

SHA256
445e8e87b2f80fc5a92c56d0fea9beeb7c270ec35362d74137f863c63fcb4c38

SHA512
633a86035f3438b9169457a984664f05c2a48a2eb3c920dad6e8ae5806522248a5a51dc06acdcd615e8ab5682ee2f96ed6eb1e623269901854e1c87fcc1b9656

Download Submit
memory/220-200-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/412-96-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/492-290-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/648-156-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/700-471-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/760-326-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/764-111-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/788-24-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/788-570-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/792-352-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/948-369-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1132-380-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1164-604-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1164-63-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1176-583-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1176-39-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1492-350-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1536-274-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1548-224-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1552-412-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1656-597-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1656-55-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1784-160-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1836-36-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1980-406-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2068-216-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2132-332-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2224-358-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2236-458-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2260-393-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2756-76-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2800-435-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2824-308-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2916-168-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2976-128-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3008-148-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3076-320-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3088-232-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3176-0-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3176-537-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3324-477-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3340-310-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3344-270-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3356-294-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3404-248-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3432-340-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3556-48-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3556-589-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3568-256-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3592-80-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3608-441-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3616-558-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3616-15-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3640-429-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3740-135-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3752-104-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4028-551-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4028-8-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4184-207-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4208-400-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4224-120-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4320-298-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4352-418-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4356-386-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4400-175-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4416-244-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4420-453-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4460-262-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4556-394-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4628-88-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4664-334-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4700-196-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4848-465-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4860-483-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4964-189-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4988-370-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5004-442-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5072-280-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5156-484-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5200-494-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5240-496-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5280-506-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5320-513-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5352-519-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5396-520-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5436-536-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5472-538-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5508-539-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5564-549-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5604-556-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5640-559-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5692-571-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5724-577-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5768-588-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5808-590-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5864-598-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download