berbew | b1586847d1f783bcba0598341fb1a8b97cf06ee5853a19ea9c44cc3c543527fc

Analysis

max time kernel
72s
max time network
22s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
26-11-2024 03:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b1586847d1f783bcba0598341fb1a8b97cf06ee5853a19ea9c44cc3c543527fcN.exe
Size

96KB
MD5

bd6e215d36b52964e8b7b6cb133a6200
SHA1

e77dfa0aa3b74d199f833eed7af6b0a5cf7d9175
SHA256

b1586847d1f783bcba0598341fb1a8b97cf06ee5853a19ea9c44cc3c543527fc
SHA512

f1ee9eb6ecf1a9fbc5c5dd95a3b170e8748fbff47e4ce775cc0b34ac45b8679cabee67517c2bb4b4b45d6cfd410140cbcb7d6466c692ac831cf625cfc3a9d30c
SSDEEP

1536:yYtyQFIh8qvzJf9d6uOV2fwm/wrQ2LEO7RZObZUUWaegPYAm:yKyQFImcl1d6uOKqrB9ClUUWaet

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Jnofgg32.exeKoaclfgl.exeHnmacpfj.exeJfohgepi.exeInojhc32.exeJnagmc32.exeJpbcek32.exeJedehaea.exeJpjifjdg.exeJlqjkk32.exeGaojnq32.exeHdpcokdo.exeJcqlkjae.exeKgcnahoo.exeHqnjek32.exeIamfdo32.exeIaimipjl.exeJggoqimd.exeKfodfh32.exeKmkihbho.exeHdbpekam.exeHjohmbpd.exeKdeaelok.exeHddmjk32.exeHgeelf32.exeIegeonpc.exeKeioca32.exeGglbfg32.exeIoeclg32.exeKablnadm.exeIeponofk.exeIkldqile.exeIjaaae32.exeKadica32.exeJikhnaao.exeKhjgel32.exeHiioin32.exeb1586847d1f783bcba0598341fb1a8b97cf06ee5853a19ea9c44cc3c543527fcN.exeHbofmcij.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jnofgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Koaclfgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hnmacpfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfohgepi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Inojhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jnagmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpbcek32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jedehaea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpjifjdg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jlqjkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gaojnq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hdpcokdo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jnagmc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jcqlkjae.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgcnahoo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hqnjek32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iamfdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hqnjek32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iaimipjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jggoqimd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfohgepi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfodfh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmkihbho.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hdbpekam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjohmbpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdeaelok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hddmjk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hgeelf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iegeonpc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Keioca32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gglbfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hdbpekam.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ioeclg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iegeonpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iamfdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kablnadm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hddmjk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ieponofk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdeaelok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ikldqile.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijaaae32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hnmacpfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kadica32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jikhnaao.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jnofgg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Khjgel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hgeelf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hiioin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijaaae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Inojhc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jggoqimd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jikhnaao.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jlqjkk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	b1586847d1f783bcba0598341fb1a8b97cf06ee5853a19ea9c44cc3c543527fcN.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjohmbpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Keioca32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Koaclfgl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kadica32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgcnahoo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gaojnq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbofmcij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jcqlkjae.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpjifjdg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Khjgel32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 39 IoCs

Processes:

Gaojnq32.exeGglbfg32.exeHdpcokdo.exeHdbpekam.exeHjohmbpd.exeHddmjk32.exeHnmacpfj.exeHgeelf32.exeHqnjek32.exeHbofmcij.exeHiioin32.exeIeponofk.exeIoeclg32.exeIkldqile.exeIaimipjl.exeIjaaae32.exeIegeonpc.exeInojhc32.exeIamfdo32.exeJggoqimd.exeJnagmc32.exeJpbcek32.exeJikhnaao.exeJcqlkjae.exeJfohgepi.exeJedehaea.exeJpjifjdg.exeJlqjkk32.exeJnofgg32.exeKeioca32.exeKoaclfgl.exeKhjgel32.exeKablnadm.exeKfodfh32.exeKadica32.exeKmkihbho.exeKdeaelok.exeKgcnahoo.exeLbjofi32.exe

pid	Process
2740	Gaojnq32.exe
2176	Gglbfg32.exe
2848	Hdpcokdo.exe
2532	Hdbpekam.exe
2964	Hjohmbpd.exe
2352	Hddmjk32.exe
2120	Hnmacpfj.exe
2956	Hgeelf32.exe
1864	Hqnjek32.exe
2040	Hbofmcij.exe
1384	Hiioin32.exe
2228	Ieponofk.exe
2288	Ioeclg32.exe
1816	Ikldqile.exe
580	Iaimipjl.exe
1492	Ijaaae32.exe
2928	Iegeonpc.exe
2424	Inojhc32.exe
1556	Iamfdo32.exe
2032	Jggoqimd.exe
1932	Jnagmc32.exe
3024	Jpbcek32.exe
616	Jikhnaao.exe
760	Jcqlkjae.exe
2400	Jfohgepi.exe
2824	Jedehaea.exe
2544	Jpjifjdg.exe
2820	Jlqjkk32.exe
2540	Jnofgg32.exe
2580	Keioca32.exe
1752	Koaclfgl.exe
2368	Khjgel32.exe
1936	Kablnadm.exe
2296	Kfodfh32.exe
2036	Kadica32.exe
2024	Kmkihbho.exe
2256	Kdeaelok.exe
1772	Kgcnahoo.exe
2124	Lbjofi32.exe

Loads dropped DLL 64 IoCs

Processes:

b1586847d1f783bcba0598341fb1a8b97cf06ee5853a19ea9c44cc3c543527fcN.exeGaojnq32.exeGglbfg32.exeHdpcokdo.exeHdbpekam.exeHjohmbpd.exeHddmjk32.exeHnmacpfj.exeHgeelf32.exeHqnjek32.exeHbofmcij.exeHiioin32.exeIeponofk.exeIoeclg32.exeIkldqile.exeIaimipjl.exeIjaaae32.exeIegeonpc.exeInojhc32.exeIamfdo32.exeJggoqimd.exeJnagmc32.exeJpbcek32.exeJikhnaao.exeJcqlkjae.exeJfohgepi.exeJedehaea.exeJpjifjdg.exeJlqjkk32.exeJnofgg32.exeKeioca32.exeKoaclfgl.exe

pid	Process
3028	b1586847d1f783bcba0598341fb1a8b97cf06ee5853a19ea9c44cc3c543527fcN.exe
3028	b1586847d1f783bcba0598341fb1a8b97cf06ee5853a19ea9c44cc3c543527fcN.exe
2740	Gaojnq32.exe
2740	Gaojnq32.exe
2176	Gglbfg32.exe
2176	Gglbfg32.exe
2848	Hdpcokdo.exe
2848	Hdpcokdo.exe
2532	Hdbpekam.exe
2532	Hdbpekam.exe
2964	Hjohmbpd.exe
2964	Hjohmbpd.exe
2352	Hddmjk32.exe
2352	Hddmjk32.exe
2120	Hnmacpfj.exe
2120	Hnmacpfj.exe
2956	Hgeelf32.exe
2956	Hgeelf32.exe
1864	Hqnjek32.exe
1864	Hqnjek32.exe
2040	Hbofmcij.exe
2040	Hbofmcij.exe
1384	Hiioin32.exe
1384	Hiioin32.exe
2228	Ieponofk.exe
2228	Ieponofk.exe
2288	Ioeclg32.exe
2288	Ioeclg32.exe
1816	Ikldqile.exe
1816	Ikldqile.exe
580	Iaimipjl.exe
580	Iaimipjl.exe
1492	Ijaaae32.exe
1492	Ijaaae32.exe
2928	Iegeonpc.exe
2928	Iegeonpc.exe
2424	Inojhc32.exe
2424	Inojhc32.exe
1556	Iamfdo32.exe
1556	Iamfdo32.exe
2032	Jggoqimd.exe
2032	Jggoqimd.exe
1932	Jnagmc32.exe
1932	Jnagmc32.exe
3024	Jpbcek32.exe
3024	Jpbcek32.exe
616	Jikhnaao.exe
616	Jikhnaao.exe
760	Jcqlkjae.exe
760	Jcqlkjae.exe
2400	Jfohgepi.exe
2400	Jfohgepi.exe
2824	Jedehaea.exe
2824	Jedehaea.exe
2544	Jpjifjdg.exe
2544	Jpjifjdg.exe
2820	Jlqjkk32.exe
2820	Jlqjkk32.exe
2540	Jnofgg32.exe
2540	Jnofgg32.exe
2580	Keioca32.exe
2580	Keioca32.exe
1752	Koaclfgl.exe
1752	Koaclfgl.exe

Drops file in System32 directory 64 IoCs

Processes:

Kdeaelok.exeGglbfg32.exeJpbcek32.exeKeioca32.exeKablnadm.exeKfodfh32.exeHjohmbpd.exeIamfdo32.exeKoaclfgl.exeJnagmc32.exeHiioin32.exeIoeclg32.exeIegeonpc.exeJggoqimd.exeHgeelf32.exeIeponofk.exeKadica32.exeKmkihbho.exeKgcnahoo.exeJedehaea.exeHqnjek32.exeJikhnaao.exeJcqlkjae.exeIjaaae32.exeIaimipjl.exeJnofgg32.exeb1586847d1f783bcba0598341fb1a8b97cf06ee5853a19ea9c44cc3c543527fcN.exeHddmjk32.exeGaojnq32.exeHdpcokdo.exeJlqjkk32.exeJfohgepi.exeHnmacpfj.exeKhjgel32.exeHbofmcij.exe

description	ioc	Process
File created	C:\Windows\SysWOW64\Pgodelnq.dll	Kdeaelok.exe
File opened for modification	C:\Windows\SysWOW64\Hdpcokdo.exe	Gglbfg32.exe
File created	C:\Windows\SysWOW64\Qmeedp32.dll	Jpbcek32.exe
File created	C:\Windows\SysWOW64\Koaclfgl.exe	Keioca32.exe
File created	C:\Windows\SysWOW64\Kfodfh32.exe	Kablnadm.exe
File created	C:\Windows\SysWOW64\Kadica32.exe	Kfodfh32.exe
File created	C:\Windows\SysWOW64\Mjmkeb32.dll	Hjohmbpd.exe
File opened for modification	C:\Windows\SysWOW64\Jggoqimd.exe	Iamfdo32.exe
File created	C:\Windows\SysWOW64\Ijjnkj32.dll	Koaclfgl.exe
File created	C:\Windows\SysWOW64\Omfpmb32.dll	Jnagmc32.exe
File created	C:\Windows\SysWOW64\Ieponofk.exe	Hiioin32.exe
File opened for modification	C:\Windows\SysWOW64\Ikldqile.exe	Ioeclg32.exe
File opened for modification	C:\Windows\SysWOW64\Inojhc32.exe	Iegeonpc.exe
File created	C:\Windows\SysWOW64\Jggoqimd.exe	Iamfdo32.exe
File created	C:\Windows\SysWOW64\Ekhnnojb.dll	Jggoqimd.exe
File opened for modification	C:\Windows\SysWOW64\Hqnjek32.exe	Hgeelf32.exe
File created	C:\Windows\SysWOW64\Ifblipqh.dll	Ieponofk.exe
File opened for modification	C:\Windows\SysWOW64\Kmkihbho.exe	Kadica32.exe
File created	C:\Windows\SysWOW64\Mbbhfl32.dll	Kmkihbho.exe
File opened for modification	C:\Windows\SysWOW64\Lbjofi32.exe	Kgcnahoo.exe
File opened for modification	C:\Windows\SysWOW64\Jpbcek32.exe	Jnagmc32.exe
File created	C:\Windows\SysWOW64\Ebenek32.dll	Jedehaea.exe
File created	C:\Windows\SysWOW64\Kmkihbho.exe	Kadica32.exe
File created	C:\Windows\SysWOW64\Kdeaelok.exe	Kmkihbho.exe
File opened for modification	C:\Windows\SysWOW64\Jnagmc32.exe	Jggoqimd.exe
File opened for modification	C:\Windows\SysWOW64\Hbofmcij.exe	Hqnjek32.exe
File opened for modification	C:\Windows\SysWOW64\Jcqlkjae.exe	Jikhnaao.exe
File created	C:\Windows\SysWOW64\Jfohgepi.exe	Jcqlkjae.exe
File created	C:\Windows\SysWOW64\Jpjifjdg.exe	Jedehaea.exe
File created	C:\Windows\SysWOW64\Khjgel32.exe	Koaclfgl.exe
File created	C:\Windows\SysWOW64\Hdpcokdo.exe	Gglbfg32.exe
File created	C:\Windows\SysWOW64\Hddmjk32.exe	Hjohmbpd.exe
File created	C:\Windows\SysWOW64\Iegeonpc.exe	Ijaaae32.exe
File created	C:\Windows\SysWOW64\Jcqlkjae.exe	Jikhnaao.exe
File opened for modification	C:\Windows\SysWOW64\Khjgel32.exe	Koaclfgl.exe
File created	C:\Windows\SysWOW64\Ijaaae32.exe	Iaimipjl.exe
File opened for modification	C:\Windows\SysWOW64\Keioca32.exe	Jnofgg32.exe
File opened for modification	C:\Windows\SysWOW64\Kdeaelok.exe	Kmkihbho.exe
File created	C:\Windows\SysWOW64\Qmgaio32.dll	Jcqlkjae.exe
File created	C:\Windows\SysWOW64\Gaojnq32.exe	b1586847d1f783bcba0598341fb1a8b97cf06ee5853a19ea9c44cc3c543527fcN.exe
File created	C:\Windows\SysWOW64\Kqacnpdp.dll	Hddmjk32.exe
File created	C:\Windows\SysWOW64\Jpbcek32.exe	Jnagmc32.exe
File opened for modification	C:\Windows\SysWOW64\Hddmjk32.exe	Hjohmbpd.exe
File created	C:\Windows\SysWOW64\Kbclpfop.dll	Iegeonpc.exe
File created	C:\Windows\SysWOW64\Abqcpo32.dll	Jnofgg32.exe
File created	C:\Windows\SysWOW64\Baajep32.dll	Gaojnq32.exe
File created	C:\Windows\SysWOW64\Opjqff32.dll	Gglbfg32.exe
File created	C:\Windows\SysWOW64\Hdbpekam.exe	Hdpcokdo.exe
File created	C:\Windows\SysWOW64\Gkaobghp.dll	Iaimipjl.exe
File created	C:\Windows\SysWOW64\Kmkkio32.dll	Jlqjkk32.exe
File created	C:\Windows\SysWOW64\Gglbfg32.exe	Gaojnq32.exe
File created	C:\Windows\SysWOW64\Hnmacpfj.exe	Hddmjk32.exe
File created	C:\Windows\SysWOW64\Ekdjjm32.dll	Hqnjek32.exe
File opened for modification	C:\Windows\SysWOW64\Jedehaea.exe	Jfohgepi.exe
File opened for modification	C:\Windows\SysWOW64\Kadica32.exe	Kfodfh32.exe
File opened for modification	C:\Windows\SysWOW64\Ieponofk.exe	Hiioin32.exe
File created	C:\Windows\SysWOW64\Ikldqile.exe	Ioeclg32.exe
File created	C:\Windows\SysWOW64\Hgeelf32.exe	Hnmacpfj.exe
File opened for modification	C:\Windows\SysWOW64\Iegeonpc.exe	Ijaaae32.exe
File created	C:\Windows\SysWOW64\Lbjofi32.exe	Kgcnahoo.exe
File opened for modification	C:\Windows\SysWOW64\Kablnadm.exe	Khjgel32.exe
File opened for modification	C:\Windows\SysWOW64\Gaojnq32.exe	b1586847d1f783bcba0598341fb1a8b97cf06ee5853a19ea9c44cc3c543527fcN.exe
File created	C:\Windows\SysWOW64\Dllmckbg.dll	Hgeelf32.exe
File opened for modification	C:\Windows\SysWOW64\Hiioin32.exe	Hbofmcij.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process	procid_target
712	2124	WerFault.exe	68

System Location Discovery: System Language Discovery 1 TTPs 40 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Gaojnq32.exeGglbfg32.exeIoeclg32.exeIkldqile.exeIamfdo32.exeKmkihbho.exeHbofmcij.exeIeponofk.exeInojhc32.exeJedehaea.exeJnagmc32.exeJpbcek32.exeJnofgg32.exeKoaclfgl.exeKfodfh32.exeKgcnahoo.exeIegeonpc.exeKhjgel32.exeKablnadm.exeKadica32.exeb1586847d1f783bcba0598341fb1a8b97cf06ee5853a19ea9c44cc3c543527fcN.exeHdbpekam.exeHddmjk32.exeHqnjek32.exeHiioin32.exeJggoqimd.exeJlqjkk32.exeLbjofi32.exeHdpcokdo.exeHnmacpfj.exeIaimipjl.exeIjaaae32.exeJikhnaao.exeJpjifjdg.exeHgeelf32.exeJfohgepi.exeKeioca32.exeKdeaelok.exeHjohmbpd.exeJcqlkjae.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gaojnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gglbfg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ioeclg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ikldqile.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iamfdo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmkihbho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hbofmcij.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ieponofk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inojhc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jedehaea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jnagmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jpbcek32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jnofgg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Koaclfgl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfodfh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kgcnahoo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iegeonpc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Khjgel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kablnadm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kadica32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b1586847d1f783bcba0598341fb1a8b97cf06ee5853a19ea9c44cc3c543527fcN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hdbpekam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hddmjk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hqnjek32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hiioin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jggoqimd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jlqjkk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbjofi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hdpcokdo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hnmacpfj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iaimipjl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ijaaae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jikhnaao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jpjifjdg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hgeelf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jfohgepi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Keioca32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdeaelok.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hjohmbpd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jcqlkjae.exe

Modifies registry class 64 IoCs

Processes:

Hdpcokdo.exeHjohmbpd.exeHddmjk32.exeHqnjek32.exeHiioin32.exeIaimipjl.exeIamfdo32.exeJpbcek32.exeb1586847d1f783bcba0598341fb1a8b97cf06ee5853a19ea9c44cc3c543527fcN.exeJedehaea.exeHdbpekam.exeIoeclg32.exeIjaaae32.exeJpjifjdg.exeKoaclfgl.exeKhjgel32.exeKablnadm.exeJnagmc32.exeGglbfg32.exeJggoqimd.exeKadica32.exeInojhc32.exeJcqlkjae.exeIkldqile.exeJlqjkk32.exeKmkihbho.exeKdeaelok.exeHgeelf32.exeIegeonpc.exeJikhnaao.exeKeioca32.exeIeponofk.exeKfodfh32.exeGaojnq32.exeHnmacpfj.exeHbofmcij.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hdpcokdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hjohmbpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kqacnpdp.dll"	Hddmjk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekdjjm32.dll"	Hqnjek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njboon32.dll"	Hiioin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkaobghp.dll"	Iaimipjl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iamfdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flpkcb32.dll"	Hdpcokdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jpbcek32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	b1586847d1f783bcba0598341fb1a8b97cf06ee5853a19ea9c44cc3c543527fcN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jedehaea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hdbpekam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpmdgf32.dll"	Ioeclg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ioeclg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ijaaae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qmeedp32.dll"	Jpbcek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Biklma32.dll"	Jpjifjdg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Koaclfgl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Khjgel32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kablnadm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jnagmc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	b1586847d1f783bcba0598341fb1a8b97cf06ee5853a19ea9c44cc3c543527fcN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gglbfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekhnnojb.dll"	Jggoqimd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kadica32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hddmjk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hddmjk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hiioin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkddco32.dll"	Inojhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qmgaio32.dll"	Jcqlkjae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	b1586847d1f783bcba0598341fb1a8b97cf06ee5853a19ea9c44cc3c543527fcN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ikldqile.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jlqjkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hdbpekam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmkihbho.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdeaelok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	b1586847d1f783bcba0598341fb1a8b97cf06ee5853a19ea9c44cc3c543527fcN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ikldqile.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dllmckbg.dll"	Hgeelf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ijaaae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbclpfop.dll"	Iegeonpc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jikhnaao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jcqlkjae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kadica32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Canhhi32.dll"	Kadica32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hqnjek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jggoqimd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Keioca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Koaclfgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjpndcho.dll"	Khjgel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbbhfl32.dll"	Kmkihbho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifblipqh.dll"	Ieponofk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jpjifjdg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kfodfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jnagmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jpjifjdg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikeebbaa.dll"	b1586847d1f783bcba0598341fb1a8b97cf06ee5853a19ea9c44cc3c543527fcN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gaojnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hnmacpfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hbofmcij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Keppajog.dll"	Iamfdo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jcqlkjae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jlqjkk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmkihbho.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	Process	procid_target
PID 3028 wrote to memory of 2740	3028	b1586847d1f783bcba0598341fb1a8b97cf06ee5853a19ea9c44cc3c543527fcN.exe	30
PID 3028 wrote to memory of 2740	3028	b1586847d1f783bcba0598341fb1a8b97cf06ee5853a19ea9c44cc3c543527fcN.exe	30
PID 3028 wrote to memory of 2740	3028	b1586847d1f783bcba0598341fb1a8b97cf06ee5853a19ea9c44cc3c543527fcN.exe	30
PID 3028 wrote to memory of 2740	3028	b1586847d1f783bcba0598341fb1a8b97cf06ee5853a19ea9c44cc3c543527fcN.exe	30
PID 2740 wrote to memory of 2176	2740	Gaojnq32.exe	31
PID 2740 wrote to memory of 2176	2740	Gaojnq32.exe	31
PID 2740 wrote to memory of 2176	2740	Gaojnq32.exe	31
PID 2740 wrote to memory of 2176	2740	Gaojnq32.exe	31
PID 2176 wrote to memory of 2848	2176	Gglbfg32.exe	32
PID 2176 wrote to memory of 2848	2176	Gglbfg32.exe	32
PID 2176 wrote to memory of 2848	2176	Gglbfg32.exe	32
PID 2176 wrote to memory of 2848	2176	Gglbfg32.exe	32
PID 2848 wrote to memory of 2532	2848	Hdpcokdo.exe	33
PID 2848 wrote to memory of 2532	2848	Hdpcokdo.exe	33
PID 2848 wrote to memory of 2532	2848	Hdpcokdo.exe	33
PID 2848 wrote to memory of 2532	2848	Hdpcokdo.exe	33
PID 2532 wrote to memory of 2964	2532	Hdbpekam.exe	34
PID 2532 wrote to memory of 2964	2532	Hdbpekam.exe	34
PID 2532 wrote to memory of 2964	2532	Hdbpekam.exe	34
PID 2532 wrote to memory of 2964	2532	Hdbpekam.exe	34
PID 2964 wrote to memory of 2352	2964	Hjohmbpd.exe	35
PID 2964 wrote to memory of 2352	2964	Hjohmbpd.exe	35
PID 2964 wrote to memory of 2352	2964	Hjohmbpd.exe	35
PID 2964 wrote to memory of 2352	2964	Hjohmbpd.exe	35
PID 2352 wrote to memory of 2120	2352	Hddmjk32.exe	36
PID 2352 wrote to memory of 2120	2352	Hddmjk32.exe	36
PID 2352 wrote to memory of 2120	2352	Hddmjk32.exe	36
PID 2352 wrote to memory of 2120	2352	Hddmjk32.exe	36
PID 2120 wrote to memory of 2956	2120	Hnmacpfj.exe	37
PID 2120 wrote to memory of 2956	2120	Hnmacpfj.exe	37
PID 2120 wrote to memory of 2956	2120	Hnmacpfj.exe	37
PID 2120 wrote to memory of 2956	2120	Hnmacpfj.exe	37
PID 2956 wrote to memory of 1864	2956	Hgeelf32.exe	38
PID 2956 wrote to memory of 1864	2956	Hgeelf32.exe	38
PID 2956 wrote to memory of 1864	2956	Hgeelf32.exe	38
PID 2956 wrote to memory of 1864	2956	Hgeelf32.exe	38
PID 1864 wrote to memory of 2040	1864	Hqnjek32.exe	39
PID 1864 wrote to memory of 2040	1864	Hqnjek32.exe	39
PID 1864 wrote to memory of 2040	1864	Hqnjek32.exe	39
PID 1864 wrote to memory of 2040	1864	Hqnjek32.exe	39
PID 2040 wrote to memory of 1384	2040	Hbofmcij.exe	40
PID 2040 wrote to memory of 1384	2040	Hbofmcij.exe	40
PID 2040 wrote to memory of 1384	2040	Hbofmcij.exe	40
PID 2040 wrote to memory of 1384	2040	Hbofmcij.exe	40
PID 1384 wrote to memory of 2228	1384	Hiioin32.exe	41
PID 1384 wrote to memory of 2228	1384	Hiioin32.exe	41
PID 1384 wrote to memory of 2228	1384	Hiioin32.exe	41
PID 1384 wrote to memory of 2228	1384	Hiioin32.exe	41
PID 2228 wrote to memory of 2288	2228	Ieponofk.exe	42
PID 2228 wrote to memory of 2288	2228	Ieponofk.exe	42
PID 2228 wrote to memory of 2288	2228	Ieponofk.exe	42
PID 2228 wrote to memory of 2288	2228	Ieponofk.exe	42
PID 2288 wrote to memory of 1816	2288	Ioeclg32.exe	43
PID 2288 wrote to memory of 1816	2288	Ioeclg32.exe	43
PID 2288 wrote to memory of 1816	2288	Ioeclg32.exe	43
PID 2288 wrote to memory of 1816	2288	Ioeclg32.exe	43
PID 1816 wrote to memory of 580	1816	Ikldqile.exe	44
PID 1816 wrote to memory of 580	1816	Ikldqile.exe	44
PID 1816 wrote to memory of 580	1816	Ikldqile.exe	44
PID 1816 wrote to memory of 580	1816	Ikldqile.exe	44
PID 580 wrote to memory of 1492	580	Iaimipjl.exe	45
PID 580 wrote to memory of 1492	580	Iaimipjl.exe	45
PID 580 wrote to memory of 1492	580	Iaimipjl.exe	45
PID 580 wrote to memory of 1492	580	Iaimipjl.exe	45

C:\Users\Admin\AppData\Local\Temp\b1586847d1f783bcba0598341fb1a8b97cf06ee5853a19ea9c44cc3c543527fcN.exe
"C:\Users\Admin\AppData\Local\Temp\b1586847d1f783bcba0598341fb1a8b97cf06ee5853a19ea9c44cc3c543527fcN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Windows\SysWOW64\Gaojnq32.exe
  C:\Windows\system32\Gaojnq32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2740
- - C:\Windows\SysWOW64\Gglbfg32.exe
    C:\Windows\system32\Gglbfg32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2176
  - - C:\Windows\SysWOW64\Hdpcokdo.exe
      C:\Windows\system32\Hdpcokdo.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2848
    - - C:\Windows\SysWOW64\Hdbpekam.exe
        
        C:\Windows\system32\Hdbpekam.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2532
      - C:\Windows\SysWOW64\Hjohmbpd.exe
        
        C:\Windows\system32\Hjohmbpd.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2964
        
        C:\Windows\SysWOW64\Hddmjk32.exe
        
        C:\Windows\system32\Hddmjk32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2352
        
        C:\Windows\SysWOW64\Hnmacpfj.exe
        
        C:\Windows\system32\Hnmacpfj.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2120
        
        C:\Windows\SysWOW64\Hgeelf32.exe
        
        C:\Windows\system32\Hgeelf32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2956
        
        C:\Windows\SysWOW64\Hqnjek32.exe
        
        C:\Windows\system32\Hqnjek32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1864
        
        C:\Windows\SysWOW64\Hbofmcij.exe
        
        C:\Windows\system32\Hbofmcij.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2040
        
        C:\Windows\SysWOW64\Hiioin32.exe
        
        C:\Windows\system32\Hiioin32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1384
        
        C:\Windows\SysWOW64\Ieponofk.exe
        
        C:\Windows\system32\Ieponofk.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2228
        
        C:\Windows\SysWOW64\Ioeclg32.exe
        
        C:\Windows\system32\Ioeclg32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2288
        
        C:\Windows\SysWOW64\Ikldqile.exe
        
        C:\Windows\system32\Ikldqile.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1816
        
        C:\Windows\SysWOW64\Iaimipjl.exe
        
        C:\Windows\system32\Iaimipjl.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:580
        
        C:\Windows\SysWOW64\Ijaaae32.exe
        
        C:\Windows\system32\Ijaaae32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1492
        
        C:\Windows\SysWOW64\Iegeonpc.exe
        
        C:\Windows\system32\Iegeonpc.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2928
        
        C:\Windows\SysWOW64\Inojhc32.exe
        
        C:\Windows\system32\Inojhc32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2424
        
        C:\Windows\SysWOW64\Iamfdo32.exe
        
        C:\Windows\system32\Iamfdo32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1556
        
        C:\Windows\SysWOW64\Jggoqimd.exe
        
        C:\Windows\system32\Jggoqimd.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2032
        
        C:\Windows\SysWOW64\Jnagmc32.exe
        
        C:\Windows\system32\Jnagmc32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1932
        
        C:\Windows\SysWOW64\Jpbcek32.exe
        
        C:\Windows\system32\Jpbcek32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3024
        
        C:\Windows\SysWOW64\Jikhnaao.exe
        
        C:\Windows\system32\Jikhnaao.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:616
        
        C:\Windows\SysWOW64\Jcqlkjae.exe
        
        C:\Windows\system32\Jcqlkjae.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:760
        
        C:\Windows\SysWOW64\Jfohgepi.exe
        
        C:\Windows\system32\Jfohgepi.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2400
        
        C:\Windows\SysWOW64\Jedehaea.exe
        
        C:\Windows\system32\Jedehaea.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2824
        
        C:\Windows\SysWOW64\Jpjifjdg.exe
        
        C:\Windows\system32\Jpjifjdg.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2544
        
        C:\Windows\SysWOW64\Jlqjkk32.exe
        
        C:\Windows\system32\Jlqjkk32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2820
        
        C:\Windows\SysWOW64\Jnofgg32.exe
        
        C:\Windows\system32\Jnofgg32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2540
        
        C:\Windows\SysWOW64\Keioca32.exe
        
        C:\Windows\system32\Keioca32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2580
        
        C:\Windows\SysWOW64\Koaclfgl.exe
        
        C:\Windows\system32\Koaclfgl.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1752
        
        C:\Windows\SysWOW64\Khjgel32.exe
        
        C:\Windows\system32\Khjgel32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2368
        
        C:\Windows\SysWOW64\Kablnadm.exe
        
        C:\Windows\system32\Kablnadm.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1936
        
        C:\Windows\SysWOW64\Kfodfh32.exe
        
        C:\Windows\system32\Kfodfh32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2296
        
        C:\Windows\SysWOW64\Kadica32.exe
        
        C:\Windows\system32\Kadica32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2036
        
        C:\Windows\SysWOW64\Kmkihbho.exe
        
        C:\Windows\system32\Kmkihbho.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2024
        
        C:\Windows\SysWOW64\Kdeaelok.exe
        
        C:\Windows\system32\Kdeaelok.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2256
        
        C:\Windows\SysWOW64\Kgcnahoo.exe
        
        C:\Windows\system32\Kgcnahoo.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1772
        
        C:\Windows\SysWOW64\Lbjofi32.exe
        
        C:\Windows\system32\Lbjofi32.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2124
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2124 -s 140
        41⤵
        Program crash
        
        PID:712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Gglbfg32.exe

Filesize
96KB

MD5
614989c23bf8536a8b7dd51a7957fcd6

SHA1
d1c6e99f0782dffa8eceecb5545fd517ca92c477

SHA256
e7291131be418c4f55abb84664520a9995b191f933d29adb5cfdc08bf7d8082a

SHA512
25d38a729efd29ce6832ae2db3b1836542442c52e9077c28b8041956ed870cc0d582d9b696dd00947a9a58c612005b8e5ae1e1f60fb85ab959908865eb78b47e

Download Submit
C:\Windows\SysWOW64\Hdpcokdo.exe

Filesize
96KB

MD5
da2feba19821722319fe80154e7d274e

SHA1
9feef625740a6da46df3565d21968763e0854cee

SHA256
84e535849f80bfe24be1838ab53f367e4de81e20a78494f9755dd370d240182c

SHA512
b17556da63da1c5537993062254b9dac7be703e07eb9611a692b04524fa6dfdfafa5110a349c35de1fb7e23b27d56f036eda5973f990e22616e487ea1607a4c3

Download Submit
C:\Windows\SysWOW64\Hiioin32.exe

Filesize
96KB

MD5
c3a1fb44cc5251e7f3500342b9f66a45

SHA1
7aaf557fc4ed05847fb1e2a3aac413e46390c146

SHA256
c4aef3e84054201402619d2a9e8e9afe57eb89cf36a841f48b87edbf45761a6b

SHA512
54287ec424c06ca764ec363cddaf795d33435ed5be75dbd09cd8f8d7027d00f59d0b200405bbb64941818fb21e518da501c7dc85e31f2be59e996b94b0c81995

Download Submit
C:\Windows\SysWOW64\Iamfdo32.exe

Filesize
96KB

MD5
1712a5f5b84009e2da2e088fd22c55e5

SHA1
845226805df4ab75bbef47f3646b7b98767e9517

SHA256
86d22c14e625cd81514cf3af9686d03843ea1a9f396f94d125c37fba0bd01509

SHA512
08366c9c4de418c440c9e3e58400be5ad65f124d26b88de91d0141566660562fc34cea735a502b601ab2ae8d740ae958ed8b3ef1b1848bac91b2c1f83cce0b21

Download Submit
C:\Windows\SysWOW64\Iegeonpc.exe

Filesize
96KB

MD5
2b6ceb2dc9ee8d7c61d415a61de9536e

SHA1
3204cfa6b2e3ca51f07f01f948384a14fced59f8

SHA256
19004208648b52db1c9f56017aee748b582b1631713852f083a6159a0014947e

SHA512
2fd482ab57d1797b2a4bcbeed5862719e3b77fea8a93dbdc28851868d535dc26be1aa984a0129b8e6b3099a1fccd99895d3e7b19360aa1ba9b9a5f2c2d23b308

Download Submit
C:\Windows\SysWOW64\Inojhc32.exe

Filesize
96KB

MD5
0eeda749f743382692e2f56ff828b9e2

SHA1
136377c8d9684231c909f185ff484362f94cc4dd

SHA256
9ee76eb287a65e0b16b98e52faea6ca145d928e08af2ebf780f68d0c083601ec

SHA512
8bb8be30162dad50c2f56ca23ddd11469cbdddf2b4c2a2b463324bb4ffa3e69c64da5badec991d4bfee1222f633d981cb2c78da105f72b9355895c3f0df0f313

Download Submit
C:\Windows\SysWOW64\Jcqlkjae.exe

Filesize
96KB

MD5
4a6c6015a3e9d60617b3d3810910157e

SHA1
bb0553ac96c7abcfdf99c23b7152f9968bfb38c5

SHA256
add641a75dfa90b223a077a0edad9b366afb7778283b8d679a7b71baed5c46f8

SHA512
4ca8a9dc601e0ce44d12b246c0324252dd74e3937ec5de979a32995bf02b7025f65732e029b15b4f8216555edfbd7b279b6b1f196222a7ce9d84fb48f30a978b

Download Submit
C:\Windows\SysWOW64\Jedehaea.exe

Filesize
96KB

MD5
4198aeb0048096e1eee8a518098064c0

SHA1
078ea4580979a0fde7970920c54b127dc9890907

SHA256
1d9b7ba8aa3cea732ac0a9f0ea1715c95db66fcc6acb10c63e01f8ccce1a02c6

SHA512
55c21e80de9a64291e4f6042125f79de5b2f115116514498ae6cd560cd8a233eb012c4423f681449d33bc93a4c987e2d932013466df21d541a1b22e498dc1060

Download Submit
C:\Windows\SysWOW64\Jfohgepi.exe

Filesize
96KB

MD5
79d5f5238e2a163ab189842c56d5dc60

SHA1
a02197a295a3d035586dcddaf96cc5b50316df1c

SHA256
61c32b9278ffc38d824194dbbbcaac9e5cd7dd2742b58d147c4bcfddf2cfdab6

SHA512
1f7b6a87318d016c440435fb4d6ce54a61c292ca4730e1b3261d4701fbd0a7bbe5bf7fcecb4a7e1f597fc9161940652e4c31f8513baa91229ead6fb831cd0583

Download Submit
C:\Windows\SysWOW64\Jggoqimd.exe

Filesize
96KB

MD5
13c33190db97940723a7f275b758754d

SHA1
ec3b48588bc33e26dbdcfe40f977736e3d78de05

SHA256
7f78471a754b8f7f2f68b3659a381d40cd63f57a5e588a1b2d7ca315d5f5294a

SHA512
639f027f65e8485bb018f2ad903a9f837ffdb2552c96fe7262830d2424468f42beffd753340c5a527df06bc95aedbe6084d932fdb80a8f0c09ee9522dc26735f

Download Submit
C:\Windows\SysWOW64\Jikhnaao.exe

Filesize
96KB

MD5
f2be5ab505d8dd7c331f8b39bfcc54d1

SHA1
ecdbc8a0244a6ea61605e826fa49440686989ba9

SHA256
01093fb067b5de24efa7f56a97ff0f0dad451bf2e96294f5052dda66e06269d5

SHA512
666849cf858287f49a11a9d3307cd6d63c5ab3ebfb46d3874cd99add8036c75456c8e3ae530e5831e5418940657132a16d98dd0750963cef34e9e28d9ee7f144

Download Submit
C:\Windows\SysWOW64\Jlqjkk32.exe

Filesize
96KB

MD5
8c8b2509c132b6787686a1c6881c105c

SHA1
b1fc6fecd15a7debb1907511c7b36015dbe43e8e

SHA256
443d69e3b7bb694219e9b7c70ce68822d730f80018089fdebf45769611ff99c3

SHA512
5fa4581c803ace6066f195560fbd8e7e3a79e02067080ee56295b0e9c1fe6951f59a4eaf7925075fca98b7f01261dc9a0cbd6f1481ccc621faf212e729069ea9

Download Submit
C:\Windows\SysWOW64\Jnagmc32.exe

Filesize
96KB

MD5
c42fed411d4fc703d980041e3634a990

SHA1
d26998b131a7bf46b2f8430c097970e94b5ba036

SHA256
4cc49b2ed4b846391330cbc87abff1cd52bc5f6eea26a3acdcbb53b16132351f

SHA512
27478c72111307bd9e17b9099139ebf4df67aa39a754ca3f8674bdf70a37c79a60d3c950c9cf6b35af0578abc9cdc554e91922de12d4abffd6ae2ed0f34a35c0

Download Submit
C:\Windows\SysWOW64\Jnofgg32.exe

Filesize
96KB

MD5
437d9ba5a450ae22df390a788115e82e

SHA1
fb8b7b33a40cfe00fb0856bad64cd50a14e154bf

SHA256
2dc409b93daa0c734f37059fc81ec28e7a22eb259a9a2ec00a44edd2eab429e1

SHA512
74c4577c8dee1c4b392b08724459a6ff2b5d1c3527edb6692c4a4cef91b4122d7d901806ade310facb489755d1c4ef5d33dbb6e3fa58012d146b745ad54beb30

Download Submit
C:\Windows\SysWOW64\Jpbcek32.exe

Filesize
96KB

MD5
581d7998b669cb12f57a7600b75544ca

SHA1
db3ec326bc340be8b2b90f9f40476fe539377363

SHA256
69f269a826579672999d0200730e3f06964fd49437bcb8b4505585fb64e2e710

SHA512
fe85c96209fecb758a9eccbe04733bdfcf6acf663ed959f2ce3c83582f35bf0e78f99baede91b172c224d40ae4c71ab8fe6fd36f85ae1405ffdea17a8b7d032f

Download Submit
C:\Windows\SysWOW64\Jpjifjdg.exe

Filesize
96KB

MD5
7e931e92ef674f4a05777a1be269f5c2

SHA1
76d2bd4a8aae6de27aa9ecdda1695a59c3945704

SHA256
5626dfc3b0e6ef93a1af60a8a8320e1638ebcd5a19c8351094440d3b63a14697

SHA512
a19cfc6dbddb4b81f661aa4cd442fe801eb0d63737237a7f65779df1b8b503efdbc504b2e8d3e3f271f1cb5054edb11b5c722b7076275c7a0d1c62c551bdff83

Download Submit
C:\Windows\SysWOW64\Kablnadm.exe

Filesize
96KB

MD5
41d2c6c3be94c9de96428baa7de07ee9

SHA1
6e0b0cd662c1c863c5aa1d055b357daee79588da

SHA256
320ee970d2b36083f69f91976a17aa7d1576e331275f845bfd01ddfc2240e6e2

SHA512
337f146e145bd73d3de543dfd90bd169d15bbaaaf0acd66d923477bc6a2f4443abf102f71fa092c548884ae04037ffefe22f4658cc029f9b926af4fd19dca043

Download Submit
C:\Windows\SysWOW64\Kadica32.exe

Filesize
96KB

MD5
dad71c4dbb1abda4e2b6bad0682d582a

SHA1
d801abadb70c2079e801fb2d683d65af132f1807

SHA256
526cda0792424cc75318d1a3fb9fdcd3e702640ee57b84b85f02cfbf50d022eb

SHA512
2d6ed489200786852c8329df499857a45997f5b92ec8a49b34d953268ee029a86d88609895d5a4c58bc86b6ad766c754e0f37e0e5e5ae7145b32f8d4b73ca345

Download Submit
C:\Windows\SysWOW64\Kdeaelok.exe

Filesize
96KB

MD5
c622759445e19f7fc5a5cac846e65b25

SHA1
7bf7a4ee3346d484d300d654042ef8b3701d8cba

SHA256
522d3b9526cdb6e41cf755b5e639c9295ea88b9b8bc6493f0d229e60f5e29559

SHA512
b83a97640673985c9bb9c7a12a921e660568003a9022528c7803b3e6b5b169d391043ac6709f16a35e7ecb8523477d8f99d5fda35b526b1a8165c0856583ad3d

Download Submit
C:\Windows\SysWOW64\Keioca32.exe

Filesize
96KB

MD5
c5e40b6343244aaf81e3da99507e376b

SHA1
438ecb4bbbfe01f0e822f70cf8ee2ebe27f7570f

SHA256
d21036beb4be8719478095079d931cfec635f66eaee0c486fa9590ff59f05c85

SHA512
0259b0e408862992451b21da447df1f7269b2e413faee1463965ae56feefa89110328132db2b7596b1799322e86210c87db4a687631f219e598cf4e465fde0a6

Download Submit
C:\Windows\SysWOW64\Kfodfh32.exe

Filesize
96KB

MD5
4006de79ab61f2adf2058f44f7b39bf1

SHA1
fa9694ed56d60403ad1b809515517eaba93364f8

SHA256
abcac21ce8214f6f72caa9c4e627027e7b661e9eeba3688f3147c76f3e61811e

SHA512
ac95b020b178d9bf213d2cde433e5f1e944710f843c6c2e9719fe50731315d46a39bb7bf5fb0508a5ae6bfe66796c54c3f2ebefeb7378d54fb5a13e88386be2c

Download Submit
C:\Windows\SysWOW64\Kgcnahoo.exe

Filesize
96KB

MD5
037dd503de5ab1400fd1255b586f29c5

SHA1
742474642687b04531d0d51d39239205169a8e8e

SHA256
166066ded46b17fec9096d51647913790fe20ac10ea654dabab57fe709b331bd

SHA512
d3ca89c71cd84bfcd983b49039fd261540c5e2be5c14c132e6df19883c6a0690980591df5ddfb878decec7bcfe9596565f81f2a97e24a728c43f7a87a2a66a86

Download Submit
C:\Windows\SysWOW64\Khjgel32.exe

Filesize
96KB

MD5
9330f17a04b0e03b50bc8d4f825f8cbf

SHA1
775261d298ebd6107ee516df6f9464601b847dcf

SHA256
eb2cb8d893a7fea424ccf854a657c870f2a8b1cb2c4b31e97428fb1d3e4a30e3

SHA512
f699dafc5d38abbcd414ccfd30156654a0e366a71f8fc867a5a36c74fbf3e404b3ab5d95cd48ef61ea2c681444e8d75a64fa9b9e08048e7eb84617dc8b865fe2

Download Submit
C:\Windows\SysWOW64\Kmkihbho.exe

Filesize
96KB

MD5
4066dc3338286d20884289fb3b04072e

SHA1
dc62f566f194dc7ef404444fd439941c5c1e84dc

SHA256
86c9e0924e31ee70bbc883cd73b7b35ee2d4e3b55beca740942724819804b5ed

SHA512
d4a5573b1924eece8c31080da778b49d2a6bf75da6fa6a848fcdb68d2b9a20208a21d1fe31ff2a26a3eb21e024a3fd5a470239c7a1a1cec04d1ac30d0f15340e

Download Submit
C:\Windows\SysWOW64\Koaclfgl.exe

Filesize
96KB

MD5
e02e16a21132451450b3eb65ea4785f2

SHA1
5b74582ac276bce51f2b2a504998876fd8f36a2a

SHA256
87d06e7393f2bbaab6d0884007f802a87dd98e24e7630af702901f4e3ac5a307

SHA512
d1cc2a0799bda4a6a57fb7f3de89e0a1918d786e62852f149df92b5f467f687bf73581f6bdade69817155fe5dd28421c72e185bd43373f0843f71a96ce8a0787

Download Submit
C:\Windows\SysWOW64\Lbjofi32.exe

Filesize
96KB

MD5
f23d0941f5672ae073c2b471e2263b3e

SHA1
52efbb9859aeb3b140e3b72f3613c20c60ff6381

SHA256
fdf43e3c95859c724400fd99a35540e1b59c27d4af715090e812d80363b74436

SHA512
cdae0e658b978eb64b84fffa200343b598d508a030755c9892cf2588e8f964a56178a246a7e36ab6a0de9a2b0409de5974c1a54becdf7a79e254970bc350e2fa

Download Submit
\Windows\SysWOW64\Gaojnq32.exe

Filesize
96KB

MD5
60a23e253ed4a46e6993bdc04aef3b38

SHA1
b65383ed87f4fa95e0cdb4a96ed567eccd62b26b

SHA256
239f0faf1a9da7b529de4f5cebffe0b50559f206c9e987d1dcceededac7ffee1

SHA512
e1dd46efdd8f9560e8bfa221c52475730addfd960f3f525ab2bc6e8f18bdafdc68fede17527d0927834ef3af73055c5c81e52aa575c1c695d5c4ec6898e64ed2

Download Submit
\Windows\SysWOW64\Hbofmcij.exe

Filesize
96KB

MD5
78ada27f3f69f854ce83e107dcbd0b18

SHA1
8a69ec703daa7f84593592366bf504b954c5e8af

SHA256
8033eeab842f69d35e3bbf4adab21c233be6923f840f95ecf7c01f856f6028f3

SHA512
75a46a8a8cf468a775717059ea63ba227cf2b51e6317351c1f049940fb6dfa14e70d974e56a2edf20f23dea973f88c85591bf42a4ec9415dbfcac23f5aebad5c

Download Submit
\Windows\SysWOW64\Hdbpekam.exe

Filesize
96KB

MD5
9e1bbd14ccdadf585bfe83967a0db939

SHA1
25ef9d4843e46385abea50b4ee5200eaecf9e8e2

SHA256
d66decab99abcaf3853fbc37f3ba47f563028b2845c1fa7368eca9ef9b9a0aaa

SHA512
6010d600baf3b6b12b501f76b3eacf7a3daa533bfd3d7dfe6468364f476cee52a329ddb459a8c35073a432659aa3873b9e52f93e754e755bf99b95db5d388795

Download Submit
\Windows\SysWOW64\Hddmjk32.exe

Filesize
96KB

MD5
c008f2378904b007b089939b60e06d3a

SHA1
a34f55aac7b97210494bd7cae7b2c06ec032c2fe

SHA256
ec2fb41f8ef0d1b8e880ad83110cc0474c769bacce5c249d701d50701854ed60

SHA512
cdeb83ce6e63e7d9a520db552bf1f3cc49b314cd05bbb64d01b75efdda3d4c80a9d0eee5b0b203c32d908f353b6a23ceb9cbf10f412b04490b119513b66b025f

Download Submit
\Windows\SysWOW64\Hgeelf32.exe

Filesize
96KB

MD5
8c9a74ab9087c952fbabdb87ee8c0a32

SHA1
cbbf074eb88a8ed94f85a3cdbb8a3e1215a1cef4

SHA256
ea6e9d79812a7066e6cb137e2e70acff823062a158ffa22f375d2088b217d319

SHA512
055e026e63663e1e1f74929f888f9cea19276c9a2dd1bdb908601b4fddb535548d60102289e4d3efba30b1c5dab187cfb97ef160996bc569eef0964cd9bbe050

Download Submit
\Windows\SysWOW64\Hjohmbpd.exe

Filesize
96KB

MD5
54eff508023430d61e47df32e4a5f140

SHA1
8cd2509aeb7da4d442b2e90bbe5f945b90b30c6d

SHA256
39e1a5658735f4de78596e09b412987c228e55ad8e426458fffcc1b591cb60a3

SHA512
8a644f25609c73a747f49f7ccddf6a7826ce2c60b0679ed5af7231d337aafb36a4e1362c994e90f8ffb293abfd932596c718d43afffec24217aed96c73786561

Download Submit
\Windows\SysWOW64\Hnmacpfj.exe

Filesize
96KB

MD5
c76c0961020cb42c6d61e27faf467c11

SHA1
ca36cc3d281d3cdf1ca6c80e43d7e02bca779273

SHA256
79c4f1a8f8d6636cff37e2ff2b1424d82a50cddb2fde8898318cee0309412b59

SHA512
f797966bfee5145af2ca216a36a7016a928ccf6995509b00d9385ad65c01392400521a62e752230e58a9ae6de291058e68f6db35376cdaac94c0f9bbdbcb3c4c

Download Submit
\Windows\SysWOW64\Hqnjek32.exe

Filesize
96KB

MD5
4df2bcc2cd177bd6b806246ebdc08102

SHA1
cf1d2c242757d7843b6d6501a5a1da5b3da0dfcb

SHA256
0c287c385b383ba395b4811b67b7c33baa1b0ff428e8a065d0fe8191f0f8964b

SHA512
f16f431dfadd9d314e9d169f80a411c7fde1f4a7443734a24ef14efee76e07a343b6c2f54ea852c4a68ee0de17da3c525ddf892e3a14d7e287e282de44ab63be

Download Submit
\Windows\SysWOW64\Iaimipjl.exe

Filesize
96KB

MD5
f83652387a1390f0c00a4e5c5f902483

SHA1
b20edfea9e07c8ba8270e637f4118d6a8fd48cde

SHA256
e867a9a52f9505f87c42be3cd041094d67279ebac998efc253800c4ff9427e0d

SHA512
7efb1aeac6653a0d6edc83b276a048a8b28688b41a055801895bd8e2e7969e4a7f1dc21457baac1da4dab557826852f10913d264640a5aa79f7b17b25a467d70

Download Submit
\Windows\SysWOW64\Ieponofk.exe

Filesize
96KB

MD5
71a0e7a093419a670bbc88012d023661

SHA1
3005342bfbff35f6bd2ec03bd2b0072e5861224c

SHA256
5a4acb28edcd5c1a2177d2b8f24ecde3a21805279c4d2ca075abf5aa6d7e8d01

SHA512
91fde0a9d5df8cc75f370b5ce30cc01eac34aa1a169356a683bcefe49a2edbafe1b5ef5cf43ea2fde287f4754739966badceb94ddd90beee140bea0f41d06420

Download Submit
\Windows\SysWOW64\Ijaaae32.exe

Filesize
96KB

MD5
abc13d6a7799ae8d791c727d1f15238d

SHA1
a42dba75aeaa68d350574f0c8e83afc65cd0c6bd

SHA256
8987fab8b3334973b4d78e7cd70745076521fb7178647af55042a04ee980789d

SHA512
c4c7ed3e6864fa4f093a21170b89f093d405464aad2c33f620b4d1ac3367389396f68279aec02603e2236cdb1103aedca889f1df8e683093e11ed8e5aa8bb88c

Download Submit
\Windows\SysWOW64\Ikldqile.exe

Filesize
96KB

MD5
e7b307afbed3eeca8ecafb3b159744cf

SHA1
c98294433f935d8b9c3bbae072ebb143a0226adb

SHA256
a14d1eb8e99e81e2d5377d5d7b8163a94a7dc5e7e599fc2c88c60b7d49b72578

SHA512
9a8d0412517f50d981324d8bdca347a64db8032b6ae45a9edc857fdee72ba14aed884a946dd2e6f63420c209459abdf4cfcbce0cf2d2d63f8870520e6ea56cba

Download Submit
\Windows\SysWOW64\Ioeclg32.exe

Filesize
96KB

MD5
e28319aeaeca85e1a289dd0592fe9444

SHA1
a119836cfccef95035c1881207e25ef3b01f48ba

SHA256
e59c9d1f4ad8e2b91180f785c2dd9768ef41dd6c8707a589ebdec7ee7167b615

SHA512
075d904eba9b000e295554a487cf18e259d342459f69d35b55079241c1c754b412ba6553b5dd28e8bdee15bb5fba1e4d1e7bc8fa6919460b333e2edc64541d3f

Download Submit
memory/580-201-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/580-209-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/580-513-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/616-293-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/616-488-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/760-302-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1384-148-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1384-156-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/1384-506-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1492-215-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1492-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1556-245-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1556-514-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1556-254-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/1752-370-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1752-379-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1752-478-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1772-447-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1772-466-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1772-457-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/1816-499-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1864-140-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1864-121-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1864-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1932-265-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1932-489-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1936-474-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1936-391-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2024-435-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/2024-468-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2024-424-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2032-487-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2032-255-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2032-264-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2036-423-0x00000000002F0000-0x0000000000323000-memory.dmp

Filesize
204KB

Download
memory/2036-414-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2036-469-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2040-142-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2120-459-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2120-95-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2120-456-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2124-458-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2176-410-0x0000000000310000-0x0000000000343000-memory.dmp

Filesize
204KB

Download
memory/2176-392-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2176-40-0x0000000000310000-0x0000000000343000-memory.dmp

Filesize
204KB

Download
memory/2176-41-0x0000000000310000-0x0000000000343000-memory.dmp

Filesize
204KB

Download
memory/2176-27-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2228-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2228-175-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2228-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2256-434-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2256-465-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2256-446-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2256-441-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2288-507-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2288-183-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/2296-406-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2296-472-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2296-412-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/2352-445-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2368-476-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2368-390-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2368-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2400-313-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2400-312-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2400-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2400-303-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2424-241-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2424-235-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2424-504-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2532-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2532-67-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/2540-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2540-482-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2540-356-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2540-357-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2544-335-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2544-325-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2544-490-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2544-334-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2580-358-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2580-368-0x00000000005D0000-0x0000000000603000-memory.dmp

Filesize
204KB

Download
memory/2580-367-0x00000000005D0000-0x0000000000603000-memory.dmp

Filesize
204KB

Download
memory/2740-380-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2740-14-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2820-342-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2820-481-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2820-336-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2820-346-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2824-323-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2824-324-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2824-314-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2848-42-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2848-50-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2848-411-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2928-225-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2928-234-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2928-508-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2956-460-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2956-108-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2964-76-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2964-69-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2964-433-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3024-278-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3024-284-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/3024-280-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/3028-11-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/3028-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3028-369-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3028-12-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download