de5dfb9594048f23691b4e23c543f1f620f47662addd9937c16ab593a7fdc219

Analysis

max time kernel
35s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
01/10/2022, 20:35

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

de5dfb9594048f23691b4e23c543f1f620f47662addd9937c16ab593a7fdc219.exe
Size

98KB
MD5

0290fc8cf5db37d9be8670aa126daa90
SHA1

0195d0770df9d5e01f993015569eb079dc47e507
SHA256

de5dfb9594048f23691b4e23c543f1f620f47662addd9937c16ab593a7fdc219
SHA512

017834872b656c7302af84a8eb5edcad9da396d1b62407a32d2ea5df092809726296d7cf03cbbaf12dd01700fa04d27b015b23af8f2cd81e4298a845e65207ef
SSDEEP

768:Pri8SQhF8w5h5Xy9lCCD6zFYR8cjMQ1WZB7G/VqJk7/1H5kgn71sxz8rQYcT8/1k:Pri8SQgSs9nKQQz2J2E1QZ+

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 18 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmdfeoqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmdfeoqg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmjnegh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	de5dfb9594048f23691b4e23c543f1f620f47662addd9937c16ab593a7fdc219.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aoqimhob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aldiflnl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmgfllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bknpbhoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfmjnegh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	de5dfb9594048f23691b4e23c543f1f620f47662addd9937c16ab593a7fdc219.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmgfllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beiaamcl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bknpbhoo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bibpll32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beiaamcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aoqimhob.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aldiflnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bibpll32.exe

Executes dropped EXE 9 IoCs

pid	Process
996	Aoqimhob.exe
1664	Aldiflnl.exe
1548	Bmgfllli.exe
1536	Bknpbhoo.exe
1292	Bibpll32.exe
1784	Beiaamcl.exe
940	Bmdfeoqg.exe
1040	Cfmjnegh.exe
1640	Cglghh32.exe

Loads dropped DLL 22 IoCs

pid	Process
272	de5dfb9594048f23691b4e23c543f1f620f47662addd9937c16ab593a7fdc219.exe
272	de5dfb9594048f23691b4e23c543f1f620f47662addd9937c16ab593a7fdc219.exe
996	Aoqimhob.exe
996	Aoqimhob.exe
1664	Aldiflnl.exe
1664	Aldiflnl.exe
1548	Bmgfllli.exe
1548	Bmgfllli.exe
1536	Bknpbhoo.exe
1536	Bknpbhoo.exe
1292	Bibpll32.exe
1292	Bibpll32.exe
1784	Beiaamcl.exe
1784	Beiaamcl.exe
940	Bmdfeoqg.exe
940	Bmdfeoqg.exe
1040	Cfmjnegh.exe
1040	Cfmjnegh.exe
972	WerFault.exe
972	WerFault.exe
972	WerFault.exe
972	WerFault.exe

Drops file in System32 directory 27 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Bibpll32.exe	Bknpbhoo.exe
File opened for modification	C:\Windows\SysWOW64\Bmdfeoqg.exe	Beiaamcl.exe
File created	C:\Windows\SysWOW64\Bknpbhoo.exe	Bmgfllli.exe
File created	C:\Windows\SysWOW64\Kpohapfi.dll	Bmgfllli.exe
File created	C:\Windows\SysWOW64\Beiaamcl.exe	Bibpll32.exe
File created	C:\Windows\SysWOW64\Iqofakgj.dll	Bknpbhoo.exe
File opened for modification	C:\Windows\SysWOW64\Aoqimhob.exe	de5dfb9594048f23691b4e23c543f1f620f47662addd9937c16ab593a7fdc219.exe
File opened for modification	C:\Windows\SysWOW64\Bmgfllli.exe	Aldiflnl.exe
File created	C:\Windows\SysWOW64\Kkpgfi32.dll	Aldiflnl.exe
File created	C:\Windows\SysWOW64\Kllnce32.dll	Beiaamcl.exe
File created	C:\Windows\SysWOW64\Cglghh32.exe	Cfmjnegh.exe
File created	C:\Windows\SysWOW64\Jclmia32.dll	Cfmjnegh.exe
File created	C:\Windows\SysWOW64\Fcmlcj32.dll	de5dfb9594048f23691b4e23c543f1f620f47662addd9937c16ab593a7fdc219.exe
File created	C:\Windows\SysWOW64\Okmikjle.dll	Aoqimhob.exe
File created	C:\Windows\SysWOW64\Bmgfllli.exe	Aldiflnl.exe
File created	C:\Windows\SysWOW64\Aldiflnl.exe	Aoqimhob.exe
File created	C:\Windows\SysWOW64\Bibpll32.exe	Bknpbhoo.exe
File opened for modification	C:\Windows\SysWOW64\Aldiflnl.exe	Aoqimhob.exe
File created	C:\Windows\SysWOW64\Jmgajj32.dll	Bmdfeoqg.exe
File opened for modification	C:\Windows\SysWOW64\Beiaamcl.exe	Bibpll32.exe
File created	C:\Windows\SysWOW64\Bmdfeoqg.exe	Beiaamcl.exe
File opened for modification	C:\Windows\SysWOW64\Bknpbhoo.exe	Bmgfllli.exe
File opened for modification	C:\Windows\SysWOW64\Cfmjnegh.exe	Bmdfeoqg.exe
File opened for modification	C:\Windows\SysWOW64\Cglghh32.exe	Cfmjnegh.exe
File created	C:\Windows\SysWOW64\Aoqimhob.exe	de5dfb9594048f23691b4e23c543f1f620f47662addd9937c16ab593a7fdc219.exe
File created	C:\Windows\SysWOW64\Jmmlbllk.dll	Bibpll32.exe
File created	C:\Windows\SysWOW64\Cfmjnegh.exe	Bmdfeoqg.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
972	1640	WerFault.exe	36

Modifies registry class 30 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	de5dfb9594048f23691b4e23c543f1f620f47662addd9937c16ab593a7fdc219.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okmikjle.dll"	Aoqimhob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iqofakgj.dll"	Bknpbhoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beiaamcl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfmjnegh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkpgfi32.dll"	Aldiflnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aldiflnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmgajj32.dll"	Bmdfeoqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jclmia32.dll"	Cfmjnegh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	de5dfb9594048f23691b4e23c543f1f620f47662addd9937c16ab593a7fdc219.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpohapfi.dll"	Bmgfllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bknpbhoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bibpll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aoqimhob.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bknpbhoo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmdfeoqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kllnce32.dll"	Beiaamcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcmlcj32.dll"	de5dfb9594048f23691b4e23c543f1f620f47662addd9937c16ab593a7fdc219.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	de5dfb9594048f23691b4e23c543f1f620f47662addd9937c16ab593a7fdc219.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aoqimhob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmmlbllk.dll"	Bibpll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmdfeoqg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	de5dfb9594048f23691b4e23c543f1f620f47662addd9937c16ab593a7fdc219.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aldiflnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmgfllli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	de5dfb9594048f23691b4e23c543f1f620f47662addd9937c16ab593a7fdc219.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmgfllli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bibpll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beiaamcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfmjnegh.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 272 wrote to memory of 996	272	de5dfb9594048f23691b4e23c543f1f620f47662addd9937c16ab593a7fdc219.exe	28
PID 272 wrote to memory of 996	272	de5dfb9594048f23691b4e23c543f1f620f47662addd9937c16ab593a7fdc219.exe	28
PID 272 wrote to memory of 996	272	de5dfb9594048f23691b4e23c543f1f620f47662addd9937c16ab593a7fdc219.exe	28
PID 272 wrote to memory of 996	272	de5dfb9594048f23691b4e23c543f1f620f47662addd9937c16ab593a7fdc219.exe	28
PID 996 wrote to memory of 1664	996	Aoqimhob.exe	29
PID 996 wrote to memory of 1664	996	Aoqimhob.exe	29
PID 996 wrote to memory of 1664	996	Aoqimhob.exe	29
PID 996 wrote to memory of 1664	996	Aoqimhob.exe	29
PID 1664 wrote to memory of 1548	1664	Aldiflnl.exe	30
PID 1664 wrote to memory of 1548	1664	Aldiflnl.exe	30
PID 1664 wrote to memory of 1548	1664	Aldiflnl.exe	30
PID 1664 wrote to memory of 1548	1664	Aldiflnl.exe	30
PID 1548 wrote to memory of 1536	1548	Bmgfllli.exe	31
PID 1548 wrote to memory of 1536	1548	Bmgfllli.exe	31
PID 1548 wrote to memory of 1536	1548	Bmgfllli.exe	31
PID 1548 wrote to memory of 1536	1548	Bmgfllli.exe	31
PID 1536 wrote to memory of 1292	1536	Bknpbhoo.exe	32
PID 1536 wrote to memory of 1292	1536	Bknpbhoo.exe	32
PID 1536 wrote to memory of 1292	1536	Bknpbhoo.exe	32
PID 1536 wrote to memory of 1292	1536	Bknpbhoo.exe	32
PID 1292 wrote to memory of 1784	1292	Bibpll32.exe	33
PID 1292 wrote to memory of 1784	1292	Bibpll32.exe	33
PID 1292 wrote to memory of 1784	1292	Bibpll32.exe	33
PID 1292 wrote to memory of 1784	1292	Bibpll32.exe	33
PID 1784 wrote to memory of 940	1784	Beiaamcl.exe	34
PID 1784 wrote to memory of 940	1784	Beiaamcl.exe	34
PID 1784 wrote to memory of 940	1784	Beiaamcl.exe	34
PID 1784 wrote to memory of 940	1784	Beiaamcl.exe	34
PID 940 wrote to memory of 1040	940	Bmdfeoqg.exe	35
PID 940 wrote to memory of 1040	940	Bmdfeoqg.exe	35
PID 940 wrote to memory of 1040	940	Bmdfeoqg.exe	35
PID 940 wrote to memory of 1040	940	Bmdfeoqg.exe	35
PID 1040 wrote to memory of 1640	1040	Cfmjnegh.exe	36
PID 1040 wrote to memory of 1640	1040	Cfmjnegh.exe	36
PID 1040 wrote to memory of 1640	1040	Cfmjnegh.exe	36
PID 1040 wrote to memory of 1640	1040	Cfmjnegh.exe	36
PID 1640 wrote to memory of 972	1640	Cglghh32.exe	37
PID 1640 wrote to memory of 972	1640	Cglghh32.exe	37
PID 1640 wrote to memory of 972	1640	Cglghh32.exe	37
PID 1640 wrote to memory of 972	1640	Cglghh32.exe	37

C:\Users\Admin\AppData\Local\Temp\de5dfb9594048f23691b4e23c543f1f620f47662addd9937c16ab593a7fdc219.exe
"C:\Users\Admin\AppData\Local\Temp\de5dfb9594048f23691b4e23c543f1f620f47662addd9937c16ab593a7fdc219.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:272
- C:\Windows\SysWOW64\Aoqimhob.exe
  C:\Windows\system32\Aoqimhob.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:996
- - C:\Windows\SysWOW64\Aldiflnl.exe
    C:\Windows\system32\Aldiflnl.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1664
  - - C:\Windows\SysWOW64\Bmgfllli.exe
      C:\Windows\system32\Bmgfllli.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1548
    - - C:\Windows\SysWOW64\Bknpbhoo.exe
        
        C:\Windows\system32\Bknpbhoo.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1536
      - C:\Windows\SysWOW64\Bibpll32.exe
        
        C:\Windows\system32\Bibpll32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1292
        
        C:\Windows\SysWOW64\Beiaamcl.exe
        
        C:\Windows\system32\Beiaamcl.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1784
        
        C:\Windows\SysWOW64\Bmdfeoqg.exe
        
        C:\Windows\system32\Bmdfeoqg.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:940
        
        C:\Windows\SysWOW64\Cfmjnegh.exe
        
        C:\Windows\system32\Cfmjnegh.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1040
        
        C:\Windows\SysWOW64\Cglghh32.exe
        
        C:\Windows\system32\Cglghh32.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1640
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1640 -s 140
        11⤵
        Loads dropped DLL
        Program crash
        
        PID:972

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aldiflnl.exe

Filesize
98KB

MD5
cdc820ef70596e0edd1f66f5a9b74c7c

SHA1
5d6c8877808e31bc66d463670c1c22684f6828e0

SHA256
f6c31bbf2739df9c2b89b6de1303241e8c09ad8eb91d8519dc1fff7c4521d7cd

SHA512
b8f5e0c4b9140ee62d071626dbfd892a3fbe6b234b9b291f4c8009ea44f05d6ab4e953350905f646d4c302370d03cb9da90bd87d946460527ce4856527bfb217

Download Submit
C:\Windows\SysWOW64\Aldiflnl.exe

Filesize
98KB

MD5
cdc820ef70596e0edd1f66f5a9b74c7c

SHA1
5d6c8877808e31bc66d463670c1c22684f6828e0

SHA256
f6c31bbf2739df9c2b89b6de1303241e8c09ad8eb91d8519dc1fff7c4521d7cd

SHA512
b8f5e0c4b9140ee62d071626dbfd892a3fbe6b234b9b291f4c8009ea44f05d6ab4e953350905f646d4c302370d03cb9da90bd87d946460527ce4856527bfb217

Download Submit
C:\Windows\SysWOW64\Aoqimhob.exe

Filesize
98KB

MD5
cded75874dabe5e9d2e32f5065582657

SHA1
c177ece173c3b60b83d1b91ada93debb09fc4e09

SHA256
c8d5981d7bf9b86bc0e4734869d3920b779a490fc37e38a46336446195ea647c

SHA512
2ba53f066fdf6957d0fe6b79f2afa99ca719400e1d5f5cf7ff1952d24ccc8a11ebe976a4fdeca1f0efdd7063bd767a525a0bcb1f0ea964f7d701c85114d071dc

Download Submit
C:\Windows\SysWOW64\Aoqimhob.exe

Filesize
98KB

MD5
cded75874dabe5e9d2e32f5065582657

SHA1
c177ece173c3b60b83d1b91ada93debb09fc4e09

SHA256
c8d5981d7bf9b86bc0e4734869d3920b779a490fc37e38a46336446195ea647c

SHA512
2ba53f066fdf6957d0fe6b79f2afa99ca719400e1d5f5cf7ff1952d24ccc8a11ebe976a4fdeca1f0efdd7063bd767a525a0bcb1f0ea964f7d701c85114d071dc

Download Submit
C:\Windows\SysWOW64\Beiaamcl.exe

Filesize
98KB

MD5
3b18b5a0f99a68c287ced02858654bfe

SHA1
7b2758c169ef151a69b0f6fe5cd741dfeb3dc1b3

SHA256
2b73ba76ef1a218e082716de090caab1b3dfa2e47e5711fba606b77951222492

SHA512
38b9c32178dea65041104b641ebbb5fdfa96b7e7e5c8b8c1f013a0e56fcf8ab96e920b1069ef45bc55bf11b834a5994aae9eeb5e1cf76e880e314abc74cd6aae

Download Submit
C:\Windows\SysWOW64\Beiaamcl.exe

Filesize
98KB

MD5
3b18b5a0f99a68c287ced02858654bfe

SHA1
7b2758c169ef151a69b0f6fe5cd741dfeb3dc1b3

SHA256
2b73ba76ef1a218e082716de090caab1b3dfa2e47e5711fba606b77951222492

SHA512
38b9c32178dea65041104b641ebbb5fdfa96b7e7e5c8b8c1f013a0e56fcf8ab96e920b1069ef45bc55bf11b834a5994aae9eeb5e1cf76e880e314abc74cd6aae

Download Submit
C:\Windows\SysWOW64\Bibpll32.exe

Filesize
98KB

MD5
c4ae35a9dcbacdc4f71ef61b9e8dc028

SHA1
150cdc7592c6da4da4793c3d3ac6e6726c3f6ac5

SHA256
149913c8cdc42085bca2be5caed2c734ac8c864d08594301ab13162f341a6a0d

SHA512
ee551100d90120b6a03181a0ed845030e58bc25b7ca6db6e35e847343671911fb5f6da2e6c9b2f09c63bc81ba6270e638d66f5d26050d6fa2fbbecf7883d540a

Download Submit
C:\Windows\SysWOW64\Bibpll32.exe

Filesize
98KB

MD5
c4ae35a9dcbacdc4f71ef61b9e8dc028

SHA1
150cdc7592c6da4da4793c3d3ac6e6726c3f6ac5

SHA256
149913c8cdc42085bca2be5caed2c734ac8c864d08594301ab13162f341a6a0d

SHA512
ee551100d90120b6a03181a0ed845030e58bc25b7ca6db6e35e847343671911fb5f6da2e6c9b2f09c63bc81ba6270e638d66f5d26050d6fa2fbbecf7883d540a

Download Submit
C:\Windows\SysWOW64\Bknpbhoo.exe

Filesize
98KB

MD5
948db07f3337ee2b6ff97fc82a00a5ed

SHA1
dd691f236bcd83877363c842c35e8f989f92411f

SHA256
d416ba8672ee6c64e1240819aab706106f263c8a243fedf011bdaf97895442ef

SHA512
7605e58b9c1c0bb81b2b3d9dd44a92d535466a8f5ab2eab86b83a812035ff0c8fea0cb8d9c2ac7d7d3cfbb8ee767e3fce2e4482b73ee004b15653d653a8e6619

Download Submit
C:\Windows\SysWOW64\Bknpbhoo.exe

Filesize
98KB

MD5
948db07f3337ee2b6ff97fc82a00a5ed

SHA1
dd691f236bcd83877363c842c35e8f989f92411f

SHA256
d416ba8672ee6c64e1240819aab706106f263c8a243fedf011bdaf97895442ef

SHA512
7605e58b9c1c0bb81b2b3d9dd44a92d535466a8f5ab2eab86b83a812035ff0c8fea0cb8d9c2ac7d7d3cfbb8ee767e3fce2e4482b73ee004b15653d653a8e6619

Download Submit
C:\Windows\SysWOW64\Bmdfeoqg.exe

Filesize
98KB

MD5
411bc66820d7979de12cebf06b6ffc37

SHA1
d153cbad1c193d75f97c5cc2f3c7bc893ea370cf

SHA256
3ab4dfaf4a7c184dde025c742d9e9506beeb458bd857bbb6b23b79eb0929b125

SHA512
dd9b595fc30d38805a814002883eebe57acec2cb95380acafe3053fc13e672781d62eb7b1046dea570b6ab182949ad29082492280ee2999dcab5bce6322e3410

Download Submit
C:\Windows\SysWOW64\Bmdfeoqg.exe

Filesize
98KB

MD5
411bc66820d7979de12cebf06b6ffc37

SHA1
d153cbad1c193d75f97c5cc2f3c7bc893ea370cf

SHA256
3ab4dfaf4a7c184dde025c742d9e9506beeb458bd857bbb6b23b79eb0929b125

SHA512
dd9b595fc30d38805a814002883eebe57acec2cb95380acafe3053fc13e672781d62eb7b1046dea570b6ab182949ad29082492280ee2999dcab5bce6322e3410

Download Submit
C:\Windows\SysWOW64\Bmgfllli.exe

Filesize
98KB

MD5
95079ffea354bf5ddee3103c1b71b8b5

SHA1
9ec9ca4c86f0194803985712d1c024f052b8c47b

SHA256
a8b527ec68d3376a1a12ade88f5503b4cb46089e1a19c690fe4c46632d26a57f

SHA512
b73cf6b8fe26eb71e7c4cdff35cf45c37f8866339a2f510f256f82696ccb08ec71bbcb96db636bedfbdb8387d12edc22009a60bd33073b5fc55582df6764bc96

Download Submit
C:\Windows\SysWOW64\Bmgfllli.exe

Filesize
98KB

MD5
95079ffea354bf5ddee3103c1b71b8b5

SHA1
9ec9ca4c86f0194803985712d1c024f052b8c47b

SHA256
a8b527ec68d3376a1a12ade88f5503b4cb46089e1a19c690fe4c46632d26a57f

SHA512
b73cf6b8fe26eb71e7c4cdff35cf45c37f8866339a2f510f256f82696ccb08ec71bbcb96db636bedfbdb8387d12edc22009a60bd33073b5fc55582df6764bc96

Download Submit
C:\Windows\SysWOW64\Cfmjnegh.exe

Filesize
98KB

MD5
d586e6b67b6212dfc9cacb82eaab0bef

SHA1
91d5a2b5e853cfefa05a27bf35d558d4ecbc4e6d

SHA256
ab6a5dc474407ef5aa7788c91de721343eb3cdf91147c0037c086141a787aa5b

SHA512
5729412fa44b29fef8e286b1f0c55f750a360abc9a392b982bfb56ff78512ef624b00aa6035910a530e95c1426d9cf68e62e151dc92e48aafd49b5ee7d2ce31b

Download Submit
C:\Windows\SysWOW64\Cfmjnegh.exe

Filesize
98KB

MD5
d586e6b67b6212dfc9cacb82eaab0bef

SHA1
91d5a2b5e853cfefa05a27bf35d558d4ecbc4e6d

SHA256
ab6a5dc474407ef5aa7788c91de721343eb3cdf91147c0037c086141a787aa5b

SHA512
5729412fa44b29fef8e286b1f0c55f750a360abc9a392b982bfb56ff78512ef624b00aa6035910a530e95c1426d9cf68e62e151dc92e48aafd49b5ee7d2ce31b

Download Submit
C:\Windows\SysWOW64\Cglghh32.exe

Filesize
98KB

MD5
15b5ca4743d523d077a7a6c2be78d162

SHA1
641e8b3ed7f82b1e2696b61968232c839601340d

SHA256
44d87ab5949d0e51667dba458f3a54174feb431824ede3350ef5c62c554feae2

SHA512
f61b7c74b40585f68d9efe3d8541efee4aa0f2574f5c51a6a6ff5f0803769072599f1058f0f0b2feb1f9778bd1c5beaa959c2dcfd09c0ee66dc452c9e7da9dbd

Download Submit
\Windows\SysWOW64\Aldiflnl.exe

Filesize
98KB

MD5
cdc820ef70596e0edd1f66f5a9b74c7c

SHA1
5d6c8877808e31bc66d463670c1c22684f6828e0

SHA256
f6c31bbf2739df9c2b89b6de1303241e8c09ad8eb91d8519dc1fff7c4521d7cd

SHA512
b8f5e0c4b9140ee62d071626dbfd892a3fbe6b234b9b291f4c8009ea44f05d6ab4e953350905f646d4c302370d03cb9da90bd87d946460527ce4856527bfb217

Download Submit
\Windows\SysWOW64\Aldiflnl.exe

Filesize
98KB

MD5
cdc820ef70596e0edd1f66f5a9b74c7c

SHA1
5d6c8877808e31bc66d463670c1c22684f6828e0

SHA256
f6c31bbf2739df9c2b89b6de1303241e8c09ad8eb91d8519dc1fff7c4521d7cd

SHA512
b8f5e0c4b9140ee62d071626dbfd892a3fbe6b234b9b291f4c8009ea44f05d6ab4e953350905f646d4c302370d03cb9da90bd87d946460527ce4856527bfb217

Download Submit
\Windows\SysWOW64\Aoqimhob.exe

Filesize
98KB

MD5
cded75874dabe5e9d2e32f5065582657

SHA1
c177ece173c3b60b83d1b91ada93debb09fc4e09

SHA256
c8d5981d7bf9b86bc0e4734869d3920b779a490fc37e38a46336446195ea647c

SHA512
2ba53f066fdf6957d0fe6b79f2afa99ca719400e1d5f5cf7ff1952d24ccc8a11ebe976a4fdeca1f0efdd7063bd767a525a0bcb1f0ea964f7d701c85114d071dc

Download Submit
\Windows\SysWOW64\Aoqimhob.exe

Filesize
98KB

MD5
cded75874dabe5e9d2e32f5065582657

SHA1
c177ece173c3b60b83d1b91ada93debb09fc4e09

SHA256
c8d5981d7bf9b86bc0e4734869d3920b779a490fc37e38a46336446195ea647c

SHA512
2ba53f066fdf6957d0fe6b79f2afa99ca719400e1d5f5cf7ff1952d24ccc8a11ebe976a4fdeca1f0efdd7063bd767a525a0bcb1f0ea964f7d701c85114d071dc

Download Submit
\Windows\SysWOW64\Beiaamcl.exe

Filesize
98KB

MD5
3b18b5a0f99a68c287ced02858654bfe

SHA1
7b2758c169ef151a69b0f6fe5cd741dfeb3dc1b3

SHA256
2b73ba76ef1a218e082716de090caab1b3dfa2e47e5711fba606b77951222492

SHA512
38b9c32178dea65041104b641ebbb5fdfa96b7e7e5c8b8c1f013a0e56fcf8ab96e920b1069ef45bc55bf11b834a5994aae9eeb5e1cf76e880e314abc74cd6aae

Download Submit
\Windows\SysWOW64\Beiaamcl.exe

Filesize
98KB

MD5
3b18b5a0f99a68c287ced02858654bfe

SHA1
7b2758c169ef151a69b0f6fe5cd741dfeb3dc1b3

SHA256
2b73ba76ef1a218e082716de090caab1b3dfa2e47e5711fba606b77951222492

SHA512
38b9c32178dea65041104b641ebbb5fdfa96b7e7e5c8b8c1f013a0e56fcf8ab96e920b1069ef45bc55bf11b834a5994aae9eeb5e1cf76e880e314abc74cd6aae

Download Submit
\Windows\SysWOW64\Bibpll32.exe

Filesize
98KB

MD5
c4ae35a9dcbacdc4f71ef61b9e8dc028

SHA1
150cdc7592c6da4da4793c3d3ac6e6726c3f6ac5

SHA256
149913c8cdc42085bca2be5caed2c734ac8c864d08594301ab13162f341a6a0d

SHA512
ee551100d90120b6a03181a0ed845030e58bc25b7ca6db6e35e847343671911fb5f6da2e6c9b2f09c63bc81ba6270e638d66f5d26050d6fa2fbbecf7883d540a

Download Submit
\Windows\SysWOW64\Bibpll32.exe

Filesize
98KB

MD5
c4ae35a9dcbacdc4f71ef61b9e8dc028

SHA1
150cdc7592c6da4da4793c3d3ac6e6726c3f6ac5

SHA256
149913c8cdc42085bca2be5caed2c734ac8c864d08594301ab13162f341a6a0d

SHA512
ee551100d90120b6a03181a0ed845030e58bc25b7ca6db6e35e847343671911fb5f6da2e6c9b2f09c63bc81ba6270e638d66f5d26050d6fa2fbbecf7883d540a

Download Submit
\Windows\SysWOW64\Bknpbhoo.exe

Filesize
98KB

MD5
948db07f3337ee2b6ff97fc82a00a5ed

SHA1
dd691f236bcd83877363c842c35e8f989f92411f

SHA256
d416ba8672ee6c64e1240819aab706106f263c8a243fedf011bdaf97895442ef

SHA512
7605e58b9c1c0bb81b2b3d9dd44a92d535466a8f5ab2eab86b83a812035ff0c8fea0cb8d9c2ac7d7d3cfbb8ee767e3fce2e4482b73ee004b15653d653a8e6619

Download Submit
\Windows\SysWOW64\Bknpbhoo.exe

Filesize
98KB

MD5
948db07f3337ee2b6ff97fc82a00a5ed

SHA1
dd691f236bcd83877363c842c35e8f989f92411f

SHA256
d416ba8672ee6c64e1240819aab706106f263c8a243fedf011bdaf97895442ef

SHA512
7605e58b9c1c0bb81b2b3d9dd44a92d535466a8f5ab2eab86b83a812035ff0c8fea0cb8d9c2ac7d7d3cfbb8ee767e3fce2e4482b73ee004b15653d653a8e6619

Download Submit
\Windows\SysWOW64\Bmdfeoqg.exe

Filesize
98KB

MD5
411bc66820d7979de12cebf06b6ffc37

SHA1
d153cbad1c193d75f97c5cc2f3c7bc893ea370cf

SHA256
3ab4dfaf4a7c184dde025c742d9e9506beeb458bd857bbb6b23b79eb0929b125

SHA512
dd9b595fc30d38805a814002883eebe57acec2cb95380acafe3053fc13e672781d62eb7b1046dea570b6ab182949ad29082492280ee2999dcab5bce6322e3410

Download Submit
\Windows\SysWOW64\Bmdfeoqg.exe

Filesize
98KB

MD5
411bc66820d7979de12cebf06b6ffc37

SHA1
d153cbad1c193d75f97c5cc2f3c7bc893ea370cf

SHA256
3ab4dfaf4a7c184dde025c742d9e9506beeb458bd857bbb6b23b79eb0929b125

SHA512
dd9b595fc30d38805a814002883eebe57acec2cb95380acafe3053fc13e672781d62eb7b1046dea570b6ab182949ad29082492280ee2999dcab5bce6322e3410

Download Submit
\Windows\SysWOW64\Bmgfllli.exe

Filesize
98KB

MD5
95079ffea354bf5ddee3103c1b71b8b5

SHA1
9ec9ca4c86f0194803985712d1c024f052b8c47b

SHA256
a8b527ec68d3376a1a12ade88f5503b4cb46089e1a19c690fe4c46632d26a57f

SHA512
b73cf6b8fe26eb71e7c4cdff35cf45c37f8866339a2f510f256f82696ccb08ec71bbcb96db636bedfbdb8387d12edc22009a60bd33073b5fc55582df6764bc96

Download Submit
\Windows\SysWOW64\Bmgfllli.exe

Filesize
98KB

MD5
95079ffea354bf5ddee3103c1b71b8b5

SHA1
9ec9ca4c86f0194803985712d1c024f052b8c47b

SHA256
a8b527ec68d3376a1a12ade88f5503b4cb46089e1a19c690fe4c46632d26a57f

SHA512
b73cf6b8fe26eb71e7c4cdff35cf45c37f8866339a2f510f256f82696ccb08ec71bbcb96db636bedfbdb8387d12edc22009a60bd33073b5fc55582df6764bc96

Download Submit
\Windows\SysWOW64\Cfmjnegh.exe

Filesize
98KB

MD5
d586e6b67b6212dfc9cacb82eaab0bef

SHA1
91d5a2b5e853cfefa05a27bf35d558d4ecbc4e6d

SHA256
ab6a5dc474407ef5aa7788c91de721343eb3cdf91147c0037c086141a787aa5b

SHA512
5729412fa44b29fef8e286b1f0c55f750a360abc9a392b982bfb56ff78512ef624b00aa6035910a530e95c1426d9cf68e62e151dc92e48aafd49b5ee7d2ce31b

Download Submit
\Windows\SysWOW64\Cfmjnegh.exe

Filesize
98KB

MD5
d586e6b67b6212dfc9cacb82eaab0bef

SHA1
91d5a2b5e853cfefa05a27bf35d558d4ecbc4e6d

SHA256
ab6a5dc474407ef5aa7788c91de721343eb3cdf91147c0037c086141a787aa5b

SHA512
5729412fa44b29fef8e286b1f0c55f750a360abc9a392b982bfb56ff78512ef624b00aa6035910a530e95c1426d9cf68e62e151dc92e48aafd49b5ee7d2ce31b

Download Submit
\Windows\SysWOW64\Cglghh32.exe

Filesize
98KB

MD5
15b5ca4743d523d077a7a6c2be78d162

SHA1
641e8b3ed7f82b1e2696b61968232c839601340d

SHA256
44d87ab5949d0e51667dba458f3a54174feb431824ede3350ef5c62c554feae2

SHA512
f61b7c74b40585f68d9efe3d8541efee4aa0f2574f5c51a6a6ff5f0803769072599f1058f0f0b2feb1f9778bd1c5beaa959c2dcfd09c0ee66dc452c9e7da9dbd

Download Submit
\Windows\SysWOW64\Cglghh32.exe

Filesize
98KB

MD5
15b5ca4743d523d077a7a6c2be78d162

SHA1
641e8b3ed7f82b1e2696b61968232c839601340d

SHA256
44d87ab5949d0e51667dba458f3a54174feb431824ede3350ef5c62c554feae2

SHA512
f61b7c74b40585f68d9efe3d8541efee4aa0f2574f5c51a6a6ff5f0803769072599f1058f0f0b2feb1f9778bd1c5beaa959c2dcfd09c0ee66dc452c9e7da9dbd

Download Submit
\Windows\SysWOW64\Cglghh32.exe

Filesize
98KB

MD5
15b5ca4743d523d077a7a6c2be78d162

SHA1
641e8b3ed7f82b1e2696b61968232c839601340d

SHA256
44d87ab5949d0e51667dba458f3a54174feb431824ede3350ef5c62c554feae2

SHA512
f61b7c74b40585f68d9efe3d8541efee4aa0f2574f5c51a6a6ff5f0803769072599f1058f0f0b2feb1f9778bd1c5beaa959c2dcfd09c0ee66dc452c9e7da9dbd

Download Submit
\Windows\SysWOW64\Cglghh32.exe

Filesize
98KB

MD5
15b5ca4743d523d077a7a6c2be78d162

SHA1
641e8b3ed7f82b1e2696b61968232c839601340d

SHA256
44d87ab5949d0e51667dba458f3a54174feb431824ede3350ef5c62c554feae2

SHA512
f61b7c74b40585f68d9efe3d8541efee4aa0f2574f5c51a6a6ff5f0803769072599f1058f0f0b2feb1f9778bd1c5beaa959c2dcfd09c0ee66dc452c9e7da9dbd

Download Submit
\Windows\SysWOW64\Cglghh32.exe

Filesize
98KB

MD5
15b5ca4743d523d077a7a6c2be78d162

SHA1
641e8b3ed7f82b1e2696b61968232c839601340d

SHA256
44d87ab5949d0e51667dba458f3a54174feb431824ede3350ef5c62c554feae2

SHA512
f61b7c74b40585f68d9efe3d8541efee4aa0f2574f5c51a6a6ff5f0803769072599f1058f0f0b2feb1f9778bd1c5beaa959c2dcfd09c0ee66dc452c9e7da9dbd

Download Submit
\Windows\SysWOW64\Cglghh32.exe

Filesize
98KB

MD5
15b5ca4743d523d077a7a6c2be78d162

SHA1
641e8b3ed7f82b1e2696b61968232c839601340d

SHA256
44d87ab5949d0e51667dba458f3a54174feb431824ede3350ef5c62c554feae2

SHA512
f61b7c74b40585f68d9efe3d8541efee4aa0f2574f5c51a6a6ff5f0803769072599f1058f0f0b2feb1f9778bd1c5beaa959c2dcfd09c0ee66dc452c9e7da9dbd

Download Submit
memory/272-103-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/272-102-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/940-110-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/996-104-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1040-111-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1292-108-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1536-107-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1548-106-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1640-112-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1664-105-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1784-109-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download