berbew | 51bbccd10d018264d8894a4c732e59383c526d6f9a0e6a75bd51e4e22094e633

Analysis

max time kernel
120s
max time network
125s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
24-11-2024 22:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

51bbccd10d018264d8894a4c732e59383c526d6f9a0e6a75bd51e4e22094e633.exe
Size

163KB
MD5

e70d08c88fdee160b9168a7c1c4461bd
SHA1

a38059cadb2a3ef97daa06090860853c10135119
SHA256

51bbccd10d018264d8894a4c732e59383c526d6f9a0e6a75bd51e4e22094e633
SHA512

1a6bf2a28144d89f34c2dc59c1775a4aa5ec3f86552462c1a1a6d4dcfe15fb38d942bd9cb108eac897f1498fcf1dfac7a195ff79b95e4b7ab018b0de82a3cae1
SSDEEP

1536:PzqGFXyKZDiT06o1eefaeMlProNVU4qNVUrk/9QbfBr+7GwKrPAsqNVU:bqGFofY7faNltOrWKDBr+yJb

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://master-x.com/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://crutop.ru/index.php

http://kaspersky.ru/index.php

http://color-bank.ru/index.php

http://adult-empire.com/index.php

http://virus-list.com/index.php

http://trojan.ru/index.php

http://xware.cjb.net/index.htm

http://konfiskat.org/index.htm

http://parex-bank.ru/index.htm

http://fethard.biz/index.htm

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 42 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Ieeqpi32.exeJngkdj32.exeMbginomj.exeNeohqicc.exeMfebdm32.exeIokhcodo.exeJddqgdii.exeKnoaeimg.exeKcpcho32.exeLbjjekhl.exeLlbnnq32.exeNlbgkgcc.exeMaocekoo.exeNpiiafpa.exeNejkdm32.exe51bbccd10d018264d8894a4c732e59383c526d6f9a0e6a75bd51e4e22094e633.exeKbqgolpf.exeLimhpihl.exeMhkhgd32.exeJclnnmic.exeKckjmpko.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ieeqpi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jngkdj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mbginomj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Neohqicc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mfebdm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Neohqicc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iokhcodo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ieeqpi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jddqgdii.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Knoaeimg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Knoaeimg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcpcho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lbjjekhl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llbnnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Llbnnq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlbgkgcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maocekoo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npiiafpa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nejkdm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	51bbccd10d018264d8894a4c732e59383c526d6f9a0e6a75bd51e4e22094e633.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iokhcodo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbqgolpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kcpcho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mbginomj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Limhpihl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mhkhgd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jclnnmic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jclnnmic.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jddqgdii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbqgolpf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbjjekhl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nejkdm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	51bbccd10d018264d8894a4c732e59383c526d6f9a0e6a75bd51e4e22094e633.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kckjmpko.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mfebdm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maocekoo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhkhgd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jngkdj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kckjmpko.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Limhpihl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npiiafpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nlbgkgcc.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 21 IoCs

Processes:

Iokhcodo.exeIeeqpi32.exeJclnnmic.exeJngkdj32.exeJddqgdii.exeKnoaeimg.exeKckjmpko.exeKbqgolpf.exeKcpcho32.exeLbjjekhl.exeLlbnnq32.exeLimhpihl.exeMbginomj.exeMfebdm32.exeMaocekoo.exeMhkhgd32.exeNeohqicc.exeNpiiafpa.exeNlbgkgcc.exeNejkdm32.exeOpblgehg.exe

pid	Process
2288	Iokhcodo.exe
3060	Ieeqpi32.exe
2488	Jclnnmic.exe
2792	Jngkdj32.exe
2784	Jddqgdii.exe
2368	Knoaeimg.exe
2516	Kckjmpko.exe
2548	Kbqgolpf.exe
2512	Kcpcho32.exe
2344	Lbjjekhl.exe
936	Llbnnq32.exe
1336	Limhpihl.exe
436	Mbginomj.exe
2180	Mfebdm32.exe
2084	Maocekoo.exe
3000	Mhkhgd32.exe
1964	Neohqicc.exe
1604	Npiiafpa.exe
1580	Nlbgkgcc.exe
2952	Nejkdm32.exe
1272	Opblgehg.exe

Loads dropped DLL 46 IoCs

Processes:

51bbccd10d018264d8894a4c732e59383c526d6f9a0e6a75bd51e4e22094e633.exeIokhcodo.exeIeeqpi32.exeJclnnmic.exeJngkdj32.exeJddqgdii.exeKnoaeimg.exeKckjmpko.exeKbqgolpf.exeKcpcho32.exeLbjjekhl.exeLlbnnq32.exeLimhpihl.exeMbginomj.exeMfebdm32.exeMaocekoo.exeMhkhgd32.exeNeohqicc.exeNpiiafpa.exeNlbgkgcc.exeNejkdm32.exeWerFault.exe

pid	Process
3012	51bbccd10d018264d8894a4c732e59383c526d6f9a0e6a75bd51e4e22094e633.exe
3012	51bbccd10d018264d8894a4c732e59383c526d6f9a0e6a75bd51e4e22094e633.exe
2288	Iokhcodo.exe
2288	Iokhcodo.exe
3060	Ieeqpi32.exe
3060	Ieeqpi32.exe
2488	Jclnnmic.exe
2488	Jclnnmic.exe
2792	Jngkdj32.exe
2792	Jngkdj32.exe
2784	Jddqgdii.exe
2784	Jddqgdii.exe
2368	Knoaeimg.exe
2368	Knoaeimg.exe
2516	Kckjmpko.exe
2516	Kckjmpko.exe
2548	Kbqgolpf.exe
2548	Kbqgolpf.exe
2512	Kcpcho32.exe
2512	Kcpcho32.exe
2344	Lbjjekhl.exe
2344	Lbjjekhl.exe
936	Llbnnq32.exe
936	Llbnnq32.exe
1336	Limhpihl.exe
1336	Limhpihl.exe
436	Mbginomj.exe
436	Mbginomj.exe
2180	Mfebdm32.exe
2180	Mfebdm32.exe
2084	Maocekoo.exe
2084	Maocekoo.exe
3000	Mhkhgd32.exe
3000	Mhkhgd32.exe
1964	Neohqicc.exe
1964	Neohqicc.exe
1604	Npiiafpa.exe
1604	Npiiafpa.exe
1580	Nlbgkgcc.exe
1580	Nlbgkgcc.exe
2952	Nejkdm32.exe
2952	Nejkdm32.exe
1112	WerFault.exe
1112	WerFault.exe
1112	WerFault.exe
1112	WerFault.exe

Drops file in System32 directory 63 IoCs

Processes:

Mfebdm32.exeMaocekoo.exeMhkhgd32.exeJddqgdii.exeKbqgolpf.exeIeeqpi32.exeNlbgkgcc.exeKckjmpko.exeNpiiafpa.exeKcpcho32.exeLbjjekhl.exeLlbnnq32.exeNejkdm32.exeJclnnmic.exeNeohqicc.exeIokhcodo.exeLimhpihl.exeMbginomj.exeKnoaeimg.exeJngkdj32.exe51bbccd10d018264d8894a4c732e59383c526d6f9a0e6a75bd51e4e22094e633.exe

description	ioc	Process
File created	C:\Windows\SysWOW64\Maocekoo.exe	Mfebdm32.exe
File created	C:\Windows\SysWOW64\Mhkhgd32.exe	Maocekoo.exe
File created	C:\Windows\SysWOW64\Hlaegk32.dll	Mhkhgd32.exe
File opened for modification	C:\Windows\SysWOW64\Knoaeimg.exe	Jddqgdii.exe
File created	C:\Windows\SysWOW64\Kcpcho32.exe	Kbqgolpf.exe
File created	C:\Windows\SysWOW64\Jclnnmic.exe	Ieeqpi32.exe
File created	C:\Windows\SysWOW64\Noplll32.dll	Nlbgkgcc.exe
File opened for modification	C:\Windows\SysWOW64\Nejkdm32.exe	Nlbgkgcc.exe
File created	C:\Windows\SysWOW64\Kbqgolpf.exe	Kckjmpko.exe
File opened for modification	C:\Windows\SysWOW64\Nlbgkgcc.exe	Npiiafpa.exe
File created	C:\Windows\SysWOW64\Lbjjekhl.exe	Kcpcho32.exe
File created	C:\Windows\SysWOW64\Llbnnq32.exe	Lbjjekhl.exe
File created	C:\Windows\SysWOW64\Limhpihl.exe	Llbnnq32.exe
File opened for modification	C:\Windows\SysWOW64\Opblgehg.exe	Nejkdm32.exe
File opened for modification	C:\Windows\SysWOW64\Jngkdj32.exe	Jclnnmic.exe
File opened for modification	C:\Windows\SysWOW64\Kbqgolpf.exe	Kckjmpko.exe
File opened for modification	C:\Windows\SysWOW64\Npiiafpa.exe	Neohqicc.exe
File created	C:\Windows\SysWOW64\Fpdopknp.dll	Iokhcodo.exe
File created	C:\Windows\SysWOW64\Jjamcall.dll	Kckjmpko.exe
File created	C:\Windows\SysWOW64\Iocpgbkc.dll	Limhpihl.exe
File opened for modification	C:\Windows\SysWOW64\Mfebdm32.exe	Mbginomj.exe
File created	C:\Windows\SysWOW64\Opblgehg.exe	Nejkdm32.exe
File opened for modification	C:\Windows\SysWOW64\Jclnnmic.exe	Ieeqpi32.exe
File created	C:\Windows\SysWOW64\Kckjmpko.exe	Knoaeimg.exe
File created	C:\Windows\SysWOW64\Geiabo32.dll	Jngkdj32.exe
File created	C:\Windows\SysWOW64\Knoaeimg.exe	Jddqgdii.exe
File opened for modification	C:\Windows\SysWOW64\Jddqgdii.exe	Jngkdj32.exe
File opened for modification	C:\Windows\SysWOW64\Lbjjekhl.exe	Kcpcho32.exe
File created	C:\Windows\SysWOW64\Pgcacc32.dll	Mbginomj.exe
File opened for modification	C:\Windows\SysWOW64\Iokhcodo.exe	51bbccd10d018264d8894a4c732e59383c526d6f9a0e6a75bd51e4e22094e633.exe
File created	C:\Windows\SysWOW64\Jngkdj32.exe	Jclnnmic.exe
File created	C:\Windows\SysWOW64\Ljfnnkkc.dll	Jddqgdii.exe
File created	C:\Windows\SysWOW64\Ekbglc32.dll	Llbnnq32.exe
File opened for modification	C:\Windows\SysWOW64\Mbginomj.exe	Limhpihl.exe
File opened for modification	C:\Windows\SysWOW64\Maocekoo.exe	Mfebdm32.exe
File opened for modification	C:\Windows\SysWOW64\Mhkhgd32.exe	Maocekoo.exe
File created	C:\Windows\SysWOW64\Jdbmjldj.dll	Npiiafpa.exe
File opened for modification	C:\Windows\SysWOW64\Ieeqpi32.exe	Iokhcodo.exe
File created	C:\Windows\SysWOW64\Ohomgb32.dll	Jclnnmic.exe
File opened for modification	C:\Windows\SysWOW64\Kcpcho32.exe	Kbqgolpf.exe
File created	C:\Windows\SysWOW64\Nlbgkgcc.exe	Npiiafpa.exe
File created	C:\Windows\SysWOW64\Neohqicc.exe	Mhkhgd32.exe
File created	C:\Windows\SysWOW64\Beofli32.dll	Knoaeimg.exe
File created	C:\Windows\SysWOW64\Adlqbf32.dll	Lbjjekhl.exe
File created	C:\Windows\SysWOW64\Mfebdm32.exe	Mbginomj.exe
File created	C:\Windows\SysWOW64\Gjpldngk.dll	Mfebdm32.exe
File created	C:\Windows\SysWOW64\Iokhcodo.exe	51bbccd10d018264d8894a4c732e59383c526d6f9a0e6a75bd51e4e22094e633.exe
File created	C:\Windows\SysWOW64\Jddqgdii.exe	Jngkdj32.exe
File created	C:\Windows\SysWOW64\Gkbafe32.dll	Maocekoo.exe
File opened for modification	C:\Windows\SysWOW64\Neohqicc.exe	Mhkhgd32.exe
File created	C:\Windows\SysWOW64\Ahmjfimi.dll	Nejkdm32.exe
File opened for modification	C:\Windows\SysWOW64\Llbnnq32.exe	Lbjjekhl.exe
File opened for modification	C:\Windows\SysWOW64\Limhpihl.exe	Llbnnq32.exe
File created	C:\Windows\SysWOW64\Cjchollj.dll	Kcpcho32.exe
File created	C:\Windows\SysWOW64\Mbginomj.exe	Limhpihl.exe
File created	C:\Windows\SysWOW64\Npiiafpa.exe	Neohqicc.exe
File created	C:\Windows\SysWOW64\Nejkdm32.exe	Nlbgkgcc.exe
File created	C:\Windows\SysWOW64\Fammqaeq.dll	51bbccd10d018264d8894a4c732e59383c526d6f9a0e6a75bd51e4e22094e633.exe
File opened for modification	C:\Windows\SysWOW64\Kckjmpko.exe	Knoaeimg.exe
File created	C:\Windows\SysWOW64\Caolfcmm.dll	Kbqgolpf.exe
File created	C:\Windows\SysWOW64\Qlcbff32.dll	Neohqicc.exe
File created	C:\Windows\SysWOW64\Ieeqpi32.exe	Iokhcodo.exe
File created	C:\Windows\SysWOW64\Hnlalbhe.dll	Ieeqpi32.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process	procid_target
1112	1272	WerFault.exe	50

System Location Discovery: System Language Discovery 1 TTPs 22 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Llbnnq32.exeMbginomj.exeMhkhgd32.exeNeohqicc.exeJclnnmic.exeJddqgdii.exeKcpcho32.exeNlbgkgcc.exeNejkdm32.exe51bbccd10d018264d8894a4c732e59383c526d6f9a0e6a75bd51e4e22094e633.exeJngkdj32.exeKckjmpko.exeKbqgolpf.exeLbjjekhl.exeLimhpihl.exeMfebdm32.exeIeeqpi32.exeKnoaeimg.exeMaocekoo.exeNpiiafpa.exeOpblgehg.exeIokhcodo.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llbnnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mbginomj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mhkhgd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Neohqicc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jclnnmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jddqgdii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kcpcho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlbgkgcc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nejkdm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	51bbccd10d018264d8894a4c732e59383c526d6f9a0e6a75bd51e4e22094e633.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jngkdj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kckjmpko.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbqgolpf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbjjekhl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Limhpihl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mfebdm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ieeqpi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Knoaeimg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Maocekoo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npiiafpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opblgehg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iokhcodo.exe

Modifies registry class 64 IoCs

Processes:

Kcpcho32.exeMfebdm32.exeNeohqicc.exeNlbgkgcc.exeNpiiafpa.exeIeeqpi32.exeJngkdj32.exeJddqgdii.exeLlbnnq32.exeMbginomj.exeKnoaeimg.exeKckjmpko.exeMhkhgd32.exeLbjjekhl.exeJclnnmic.exeLimhpihl.exe51bbccd10d018264d8894a4c732e59383c526d6f9a0e6a75bd51e4e22094e633.exeIokhcodo.exeKbqgolpf.exeMaocekoo.exeNejkdm32.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjchollj.dll"	Kcpcho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mfebdm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mfebdm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Neohqicc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Noplll32.dll"	Nlbgkgcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Npiiafpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ieeqpi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geiabo32.dll"	Jngkdj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljfnnkkc.dll"	Jddqgdii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Llbnnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekbglc32.dll"	Llbnnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mbginomj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Npiiafpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nlbgkgcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Knoaeimg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kckjmpko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgcacc32.dll"	Mbginomj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlaegk32.dll"	Mhkhgd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nlbgkgcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnlalbhe.dll"	Ieeqpi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jngkdj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jddqgdii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adlqbf32.dll"	Lbjjekhl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohomgb32.dll"	Jclnnmic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jngkdj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beofli32.dll"	Knoaeimg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Limhpihl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	51bbccd10d018264d8894a4c732e59383c526d6f9a0e6a75bd51e4e22094e633.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lbjjekhl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mbginomj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iokhcodo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lbjjekhl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Neohqicc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	51bbccd10d018264d8894a4c732e59383c526d6f9a0e6a75bd51e4e22094e633.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fammqaeq.dll"	51bbccd10d018264d8894a4c732e59383c526d6f9a0e6a75bd51e4e22094e633.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjamcall.dll"	Kckjmpko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbqgolpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kcpcho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jddqgdii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iocpgbkc.dll"	Limhpihl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlcbff32.dll"	Neohqicc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kckjmpko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Llbnnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Maocekoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kcpcho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahmjfimi.dll"	Nejkdm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Knoaeimg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nejkdm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jclnnmic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mhkhgd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ieeqpi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Caolfcmm.dll"	Kbqgolpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mhkhgd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	51bbccd10d018264d8894a4c732e59383c526d6f9a0e6a75bd51e4e22094e633.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	51bbccd10d018264d8894a4c732e59383c526d6f9a0e6a75bd51e4e22094e633.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	51bbccd10d018264d8894a4c732e59383c526d6f9a0e6a75bd51e4e22094e633.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jclnnmic.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Limhpihl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjpldngk.dll"	Mfebdm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Maocekoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdbmjldj.dll"	Npiiafpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nejkdm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iokhcodo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdopknp.dll"	Iokhcodo.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	Process	procid_target
PID 3012 wrote to memory of 2288	3012	51bbccd10d018264d8894a4c732e59383c526d6f9a0e6a75bd51e4e22094e633.exe	30
PID 3012 wrote to memory of 2288	3012	51bbccd10d018264d8894a4c732e59383c526d6f9a0e6a75bd51e4e22094e633.exe	30
PID 3012 wrote to memory of 2288	3012	51bbccd10d018264d8894a4c732e59383c526d6f9a0e6a75bd51e4e22094e633.exe	30
PID 3012 wrote to memory of 2288	3012	51bbccd10d018264d8894a4c732e59383c526d6f9a0e6a75bd51e4e22094e633.exe	30
PID 2288 wrote to memory of 3060	2288	Iokhcodo.exe	31
PID 2288 wrote to memory of 3060	2288	Iokhcodo.exe	31
PID 2288 wrote to memory of 3060	2288	Iokhcodo.exe	31
PID 2288 wrote to memory of 3060	2288	Iokhcodo.exe	31
PID 3060 wrote to memory of 2488	3060	Ieeqpi32.exe	32
PID 3060 wrote to memory of 2488	3060	Ieeqpi32.exe	32
PID 3060 wrote to memory of 2488	3060	Ieeqpi32.exe	32
PID 3060 wrote to memory of 2488	3060	Ieeqpi32.exe	32
PID 2488 wrote to memory of 2792	2488	Jclnnmic.exe	33
PID 2488 wrote to memory of 2792	2488	Jclnnmic.exe	33
PID 2488 wrote to memory of 2792	2488	Jclnnmic.exe	33
PID 2488 wrote to memory of 2792	2488	Jclnnmic.exe	33
PID 2792 wrote to memory of 2784	2792	Jngkdj32.exe	34
PID 2792 wrote to memory of 2784	2792	Jngkdj32.exe	34
PID 2792 wrote to memory of 2784	2792	Jngkdj32.exe	34
PID 2792 wrote to memory of 2784	2792	Jngkdj32.exe	34
PID 2784 wrote to memory of 2368	2784	Jddqgdii.exe	35
PID 2784 wrote to memory of 2368	2784	Jddqgdii.exe	35
PID 2784 wrote to memory of 2368	2784	Jddqgdii.exe	35
PID 2784 wrote to memory of 2368	2784	Jddqgdii.exe	35
PID 2368 wrote to memory of 2516	2368	Knoaeimg.exe	36
PID 2368 wrote to memory of 2516	2368	Knoaeimg.exe	36
PID 2368 wrote to memory of 2516	2368	Knoaeimg.exe	36
PID 2368 wrote to memory of 2516	2368	Knoaeimg.exe	36
PID 2516 wrote to memory of 2548	2516	Kckjmpko.exe	37
PID 2516 wrote to memory of 2548	2516	Kckjmpko.exe	37
PID 2516 wrote to memory of 2548	2516	Kckjmpko.exe	37
PID 2516 wrote to memory of 2548	2516	Kckjmpko.exe	37
PID 2548 wrote to memory of 2512	2548	Kbqgolpf.exe	38
PID 2548 wrote to memory of 2512	2548	Kbqgolpf.exe	38
PID 2548 wrote to memory of 2512	2548	Kbqgolpf.exe	38
PID 2548 wrote to memory of 2512	2548	Kbqgolpf.exe	38
PID 2512 wrote to memory of 2344	2512	Kcpcho32.exe	39
PID 2512 wrote to memory of 2344	2512	Kcpcho32.exe	39
PID 2512 wrote to memory of 2344	2512	Kcpcho32.exe	39
PID 2512 wrote to memory of 2344	2512	Kcpcho32.exe	39
PID 2344 wrote to memory of 936	2344	Lbjjekhl.exe	40
PID 2344 wrote to memory of 936	2344	Lbjjekhl.exe	40
PID 2344 wrote to memory of 936	2344	Lbjjekhl.exe	40
PID 2344 wrote to memory of 936	2344	Lbjjekhl.exe	40
PID 936 wrote to memory of 1336	936	Llbnnq32.exe	41
PID 936 wrote to memory of 1336	936	Llbnnq32.exe	41
PID 936 wrote to memory of 1336	936	Llbnnq32.exe	41
PID 936 wrote to memory of 1336	936	Llbnnq32.exe	41
PID 1336 wrote to memory of 436	1336	Limhpihl.exe	42
PID 1336 wrote to memory of 436	1336	Limhpihl.exe	42
PID 1336 wrote to memory of 436	1336	Limhpihl.exe	42
PID 1336 wrote to memory of 436	1336	Limhpihl.exe	42
PID 436 wrote to memory of 2180	436	Mbginomj.exe	43
PID 436 wrote to memory of 2180	436	Mbginomj.exe	43
PID 436 wrote to memory of 2180	436	Mbginomj.exe	43
PID 436 wrote to memory of 2180	436	Mbginomj.exe	43
PID 2180 wrote to memory of 2084	2180	Mfebdm32.exe	44
PID 2180 wrote to memory of 2084	2180	Mfebdm32.exe	44
PID 2180 wrote to memory of 2084	2180	Mfebdm32.exe	44
PID 2180 wrote to memory of 2084	2180	Mfebdm32.exe	44
PID 2084 wrote to memory of 3000	2084	Maocekoo.exe	45
PID 2084 wrote to memory of 3000	2084	Maocekoo.exe	45
PID 2084 wrote to memory of 3000	2084	Maocekoo.exe	45
PID 2084 wrote to memory of 3000	2084	Maocekoo.exe	45

C:\Users\Admin\AppData\Local\Temp\51bbccd10d018264d8894a4c732e59383c526d6f9a0e6a75bd51e4e22094e633.exe
"C:\Users\Admin\AppData\Local\Temp\51bbccd10d018264d8894a4c732e59383c526d6f9a0e6a75bd51e4e22094e633.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3012
- C:\Windows\SysWOW64\Iokhcodo.exe
  C:\Windows\system32\Iokhcodo.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2288
- - C:\Windows\SysWOW64\Ieeqpi32.exe
    C:\Windows\system32\Ieeqpi32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3060
  - - C:\Windows\SysWOW64\Jclnnmic.exe
      C:\Windows\system32\Jclnnmic.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2488
    - - C:\Windows\SysWOW64\Jngkdj32.exe
        
        C:\Windows\system32\Jngkdj32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2792
      - C:\Windows\SysWOW64\Jddqgdii.exe
        
        C:\Windows\system32\Jddqgdii.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2784
        
        C:\Windows\SysWOW64\Knoaeimg.exe
        
        C:\Windows\system32\Knoaeimg.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2368
        
        C:\Windows\SysWOW64\Kckjmpko.exe
        
        C:\Windows\system32\Kckjmpko.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2516
        
        C:\Windows\SysWOW64\Kbqgolpf.exe
        
        C:\Windows\system32\Kbqgolpf.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2548
        
        C:\Windows\SysWOW64\Kcpcho32.exe
        
        C:\Windows\system32\Kcpcho32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2512
        
        C:\Windows\SysWOW64\Lbjjekhl.exe
        
        C:\Windows\system32\Lbjjekhl.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2344
        
        C:\Windows\SysWOW64\Llbnnq32.exe
        
        C:\Windows\system32\Llbnnq32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:936
        
        C:\Windows\SysWOW64\Limhpihl.exe
        
        C:\Windows\system32\Limhpihl.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1336
        
        C:\Windows\SysWOW64\Mbginomj.exe
        
        C:\Windows\system32\Mbginomj.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:436
        
        C:\Windows\SysWOW64\Mfebdm32.exe
        
        C:\Windows\system32\Mfebdm32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2180
        
        C:\Windows\SysWOW64\Maocekoo.exe
        
        C:\Windows\system32\Maocekoo.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2084
        
        C:\Windows\SysWOW64\Mhkhgd32.exe
        
        C:\Windows\system32\Mhkhgd32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3000
        
        C:\Windows\SysWOW64\Neohqicc.exe
        
        C:\Windows\system32\Neohqicc.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1964
        
        C:\Windows\SysWOW64\Npiiafpa.exe
        
        C:\Windows\system32\Npiiafpa.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1604
        
        C:\Windows\SysWOW64\Nlbgkgcc.exe
        
        C:\Windows\system32\Nlbgkgcc.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1580
        
        C:\Windows\SysWOW64\Nejkdm32.exe
        
        C:\Windows\system32\Nejkdm32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2952
        
        C:\Windows\SysWOW64\Opblgehg.exe
        
        C:\Windows\system32\Opblgehg.exe
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1272
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1272 -s 140
        23⤵
        Loads dropped DLL
        Program crash
        
        PID:1112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Kbqgolpf.exe

Filesize
163KB

MD5
0d899d912c1bda2d9951360ea9b92fc2

SHA1
858aa64935f751eee4c81398dc276e24fc224c38

SHA256
5caa9a9cb3c7fbabb8309929849a73e692ab6fe50e8f6fe54a0bab29a9d74208

SHA512
8707f3096a6d62052a95b59aff7d01df528eccffafab92bb513969050e2baf5d1be1105506b380c8dafb396aee24be9ec8168829837157ca525cd871e66a4bd3

Download Submit
C:\Windows\SysWOW64\Kcpcho32.exe

Filesize
163KB

MD5
bb0b1695d018c302b04076704c7aca9e

SHA1
cd12ffaceb4c5b9e7206b04bd149e985bda9dbd5

SHA256
152e9c2e8fc63f42bbdf9baf3276aa80ddcea9032d36651aab909146c307e5e5

SHA512
c3c0b8e4abe9e570f9d10d03070daaa71ad78441114cc682b4d4c1f6a524b642f17fbcaca20bf35d485e6e3f5e1807cf1a3ed5cd0450881e67b31014847025e8

Download Submit
C:\Windows\SysWOW64\Knoaeimg.exe

Filesize
163KB

MD5
e2a607a915f5ac887c6fb7ee9ac6f79c

SHA1
b4a9409d83c393e9d8d70ebec6b9147a65182de8

SHA256
3eb9537ad9ec699a8d32fad548c48e1ea5210fc89846b907664ea28ba285112a

SHA512
169ddf7f80b53de618e409386cdeee0558c5dbf6a71dd9540f5557de458e58938614554326a589ec1a3c449c7f3a9ec3b7b78ddf2543e0e16bf3a8333ac5d937

Download Submit
C:\Windows\SysWOW64\Nejkdm32.exe

Filesize
163KB

MD5
3936befc8f16422d68a5897b1cc68dc8

SHA1
52bec4a78c48bb9c3dab08528f1fb224993b949c

SHA256
90b8d5785bcb0bebc2c2a738103ca97f962d224d3909f9bc8053ece984c58a67

SHA512
e02d20538b73ec326c0a8142417faec6bedb7afedd4900963b11610099523bd20e00abcc157dabb5bcbdb7692f0d253f052081198cb02c4d08844f7e48d890fe

Download Submit
C:\Windows\SysWOW64\Neohqicc.exe

Filesize
163KB

MD5
ce547be83a9e90f7c871160081e56787

SHA1
5fc493b2e853b0a72b40954eb40ea56916b1e53b

SHA256
b739d47107f402e217c7057a3ca65a58a393f903690d2c367c157a1c23c2d6c8

SHA512
bde20350b09703ac38d569408acfc338ea11d2fccebe3490040c28fb69407025c4350731b5ac2119b6e9de42518686634ca7450c664ffe5b95d8f6432c3c5713

Download Submit
C:\Windows\SysWOW64\Nlbgkgcc.exe

Filesize
163KB

MD5
5f23ddf2b67a953e3d485815af959b6c

SHA1
b3efcbc245afea00141abdb1a49864e3715796d7

SHA256
1980834d7b85662e5fb60d11e403264c7fa2a360aba8fd0ffb4ab0af7b86641d

SHA512
5ddeddbde423da145005988b825f789d964d10b0d88a01dd7868bde35a2cdbc65b1d8bc1261d0f428c23ed4a11b741e39a8281abb5bd4dfff7f1fcbc8b1fd093

Download Submit
C:\Windows\SysWOW64\Npiiafpa.exe

Filesize
163KB

MD5
e52c03befbbab47f62e77c6f6eceaf45

SHA1
f3de7861ad97179fd90a5b38a4f0050dbe2e4ac0

SHA256
2ef5a6c5265fa2af9fe34fd80a496b30b5d692637a0ae4c5d09ad6a7ad29f06a

SHA512
026fe187d2bf6a6d2fe53085043d2584a72fc46a1dcb160e97fbe5ea7489d071bec0e86026dca41611fca235e3902a5badc85f74e475a02e27d0d180771c2498

Download Submit
C:\Windows\SysWOW64\Opblgehg.exe

Filesize
163KB

MD5
4d024c4205f055fd3ff5b3a9c2c50b3f

SHA1
007b4f4468babb30c5ab0a1026dba6971d813332

SHA256
4c1d49d7ea9cc4a594aae6446aaa973b9e19e4bcf1bac00b471fb554394c5fb0

SHA512
0f73ba546a3a1be6f9e6eda1cdee42431b8e978260744e768bb2bc0e70ecd812be97b7959d4353c7d2221c17451dbc20070c7b093570c396eb9af1749b050010

Download Submit
\Windows\SysWOW64\Ieeqpi32.exe

Filesize
163KB

MD5
935aec749c7dbb34b9492e84a94fe160

SHA1
147667e8dbb88516f1d411a823fa772d24b556d1

SHA256
f08d508ab5db6a52bb5db4029ed8966f80fc105d882dda6d7145df7bc6e8983b

SHA512
db7d02e47951199d943a0e7dbd4c1ca92442249926dc523a077acc76c55542c1110ad3312bdff13394293f9cc783f6cbb811e0a178c18aa7b1ea4be26184f411

Download Submit
\Windows\SysWOW64\Iokhcodo.exe

Filesize
163KB

MD5
b914e422e44c334f51498984889d3351

SHA1
27c381423e793c356824e2f050881f317ae7ee74

SHA256
5e497839b6a3a8b3b5f3b1e79acfc8117067885bdbeb0e219fd0f10b2010f6f2

SHA512
21e41991ef761b01ee8b62a05873a3d8e1900f518f8a21a78a9aeb88713aef64bb316d0b145f163c57c1bbd896a2c4002bd366eabd49a822bdf283b7bd859713

Download Submit
\Windows\SysWOW64\Jclnnmic.exe

Filesize
163KB

MD5
0a0b5c4f8f761ccd9c9b79e53bdefaa6

SHA1
86fe1a396ad3978560b0c3bf78de395e44403f4e

SHA256
b2aa4ff26ee860523f6614481da2327a38a39558159a567376c676a5236358c9

SHA512
0959d6cd154b002904cd89095d7c6c894a15cd7afd96b386efd537b19ad852eacbf538da09ce106d6f984f9f3dbd25990e13fffa7a4247ca927b5323cb987642

Download Submit
\Windows\SysWOW64\Jddqgdii.exe

Filesize
163KB

MD5
ac32da398dfaf18d584dfeb41cd877b3

SHA1
eb05757ad594bf48c623d529e107893c25cc2ad4

SHA256
450aeed689e0ccd26a0069b9e9d365a855d8b5e5647cb96c239c3596f1847e81

SHA512
792208c27a1703c4544b121e38fe83eb9499d3c7f12c11af4b3e0d62424301d6d65356715b60c0124409c2ad03f611ef263b47cced3a0b849a99cf7a4451495d

Download Submit
\Windows\SysWOW64\Jngkdj32.exe

Filesize
163KB

MD5
4c02fae44295c41a85ba30d6ef45814e

SHA1
e0d19d01585a2b15e6378dd8e3150390439eab96

SHA256
0f0da6bf86f093155171f8800cd720f8486b788723b1aa2fd2506c6a0a854a0f

SHA512
507b71e85d028b8b350b590484c2b6d4c2cfeff1a5af6cfd7d4af83bde6617dba25357f85d9cce0df11f8ed690240a9e59395dbda8b9ed4ac9466bf8b1e32ab0

Download Submit
\Windows\SysWOW64\Kckjmpko.exe

Filesize
163KB

MD5
683648694ea5ba9fcd17a548c3b3f186

SHA1
b2a51fdf37bdda9d4cd16a6fd27942c47708cf93

SHA256
efb9cba9285fa1d9592f3874eca45daac2b283ee2cd3d38dd5a47901d39b6966

SHA512
29b116cf6c292f28ffcf1bb71f1d829ccfa37c05324f9faed11b7064e7ca2a2c025b6a5efdde887329bf68a13985d0e388ccaf03dc16e4d2fbeff030b257aa7b

Download Submit
\Windows\SysWOW64\Lbjjekhl.exe

Filesize
163KB

MD5
646c5bc11bd07a4b77628391fd4ea4a3

SHA1
216750f6b50812268bd0857096be0aa2eea536d4

SHA256
5df4489498f547f6059ccf88c712780f2e0c03c64a4505bf5e8af161f5cdbabc

SHA512
5f61a7f5607e72aa29ed0bc2806b730f9fcde2d8ca80b73687b1b3db1a7568cfd08df54bd2227119d92d26b38da90d4a31468f8bc6259553ee63911a777d2ce8

Download Submit
\Windows\SysWOW64\Limhpihl.exe

Filesize
163KB

MD5
a6f80cfceabe1e1ab6a58df74b38cb38

SHA1
dc082b76735579ace817fce6cf43a688d69bea0d

SHA256
6895fbe831c26b44dd45bc29f8e452bcff5040c485ab01cfed9575f551c3fec5

SHA512
181861f53da1438fdf29e8c7ba9b612574452813a0dc9d81dfc0f52fffe0570df0c34da85d7e2fd4768e5847726f5ca9081ab5bd4266764a522cdd6ddf094979

Download Submit
\Windows\SysWOW64\Llbnnq32.exe

Filesize
163KB

MD5
0020c378d8662a432f437f66d98290b3

SHA1
2a2c5f8c31d80134704042976b7aa6368cbe0d2a

SHA256
211501f79818c8d80bd520243737efb92eed218574dc3a2c5e2b05d0cd771712

SHA512
8c2477c40354d2cd1e3d8d7767551ab3199884a3188c0379adf8d75abf452edfcf4611a20e6364ee15b5f0cf4c050ec68ffc9ad7ef90329c75ed7edcbe345b70

Download Submit
\Windows\SysWOW64\Maocekoo.exe

Filesize
163KB

MD5
b55dc2a07440b000e8ff8f4a0b8821c1

SHA1
836e78235ee8ed4e1f55bdb5feb97fbb2535864d

SHA256
b816428bc4c6be500c396aea1794d38725a0d5d9cfdd60a0d9a37644e1c75321

SHA512
cb107dda99fd462dfa2a78704a9346e26729a997a702df3d75a71c424b200ceeb3ad50415a671862869c6fd6b3c3182ac91eb7c22d063b57e99e2581cd48cfd7

Download Submit
\Windows\SysWOW64\Mbginomj.exe

Filesize
163KB

MD5
302474970ae4cbfbd24cbddc8431c8a2

SHA1
afb18e35e13b63a7b7a19f806f765b2c7b7d2c31

SHA256
f21400f8e5fbade5ae282fbfa0e5a637d159b522400cbcdc0d9a11f5158b4d10

SHA512
961495e632a782aa3339d6819a59a5a2c5f569702529bb8436b8829e0274763f3c3dce5939fc1d975072bb37c0e4fc9e4c4b1a33789026f2f6aab0c7ff4cf880

Download Submit
\Windows\SysWOW64\Mfebdm32.exe

Filesize
163KB

MD5
3d2dbc0ac4a5201be1490f3b088ba6b0

SHA1
b11be6400885fc292aaa963a8826accde5b6be7c

SHA256
c8ba72db09ff7509a6ecda8d8aac819432f5711b756b30a91fbd6aa8ce36dd47

SHA512
4bb15804ed06680d02a24037010ddb3b4e896aa3290e54407aab45dcda784cb9475dc4b27601d9d45fad80d1dc5f91fe956ecb29a7468b58320b6e114062781a

Download Submit
\Windows\SysWOW64\Mhkhgd32.exe

Filesize
163KB

MD5
349ee711db6641366dc00d8d035bcdd4

SHA1
d7653821a94833cfe0855cf71f116d5293c2b111

SHA256
1bc7392a32076732c3b49e3e2d79a063fa24b8c834b980aacac9c389276fa80e

SHA512
592ba414a94ca57e1e216fef9848dd63f865dc2e00209e856f4a13ba4387d048e81482e80eab11eeab826e4ba955c8a201d4204450e1eec046cf598fc4030631

Download Submit
memory/436-172-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/436-180-0x0000000000220000-0x0000000000273000-memory.dmp

Filesize
332KB

Download
memory/436-277-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/936-146-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/936-299-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/936-300-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1272-290-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1272-268-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1336-159-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1336-311-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1580-257-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/1580-295-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1580-258-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/1580-252-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1580-278-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1604-246-0x00000000005F0000-0x0000000000643000-memory.dmp

Filesize
332KB

Download
memory/1604-291-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1604-251-0x00000000005F0000-0x0000000000643000-memory.dmp

Filesize
332KB

Download
memory/1604-239-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1964-236-0x00000000002F0000-0x0000000000343000-memory.dmp

Filesize
332KB

Download
memory/1964-230-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1964-271-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1964-273-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1964-232-0x00000000002F0000-0x0000000000343000-memory.dmp

Filesize
332KB

Download
memory/2084-199-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2084-297-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2084-296-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2084-207-0x0000000000460000-0x00000000004B3000-memory.dmp

Filesize
332KB

Download
memory/2084-219-0x0000000000460000-0x00000000004B3000-memory.dmp

Filesize
332KB

Download
memory/2180-274-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2180-197-0x0000000000220000-0x0000000000273000-memory.dmp

Filesize
332KB

Download
memory/2180-272-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2288-13-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2288-26-0x0000000001B80000-0x0000000001BD3000-memory.dmp

Filesize
332KB

Download
memory/2288-302-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2288-304-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2344-281-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2344-144-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2368-92-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2368-310-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2488-306-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2488-308-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2488-40-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2488-48-0x00000000002E0000-0x0000000000333000-memory.dmp

Filesize
332KB

Download
memory/2512-119-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2512-131-0x0000000000220000-0x0000000000273000-memory.dmp

Filesize
332KB

Download
memory/2512-282-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2516-93-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2516-293-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2516-106-0x00000000005F0000-0x0000000000643000-memory.dmp

Filesize
332KB

Download
memory/2548-285-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2784-67-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2784-287-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2792-54-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2792-307-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2952-276-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2952-267-0x0000000000220000-0x0000000000273000-memory.dmp

Filesize
332KB

Download
memory/2952-269-0x0000000000220000-0x0000000000273000-memory.dmp

Filesize
332KB

Download
memory/3000-229-0x0000000000460000-0x00000000004B3000-memory.dmp

Filesize
332KB

Download
memory/3000-224-0x0000000000460000-0x00000000004B3000-memory.dmp

Filesize
332KB

Download
memory/3000-223-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3000-294-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3012-312-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3012-313-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3012-0-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3012-12-0x0000000000260000-0x00000000002B3000-memory.dmp

Filesize
332KB

Download
memory/3060-303-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3060-32-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3060-301-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download