berbew | d8b3664ae5d24f9a06ef10f8a917797fca3de93d15b85d920b3725d23026b98f

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05-11-2024 04:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d8b3664ae5d24f9a06ef10f8a917797fca3de93d15b85d920b3725d23026b98f.exe
Size

163KB
MD5

8674499ad292c2d97a0ea0a71baefbef
SHA1

920574e388f1135961030d5d7db3da424dc55075
SHA256

d8b3664ae5d24f9a06ef10f8a917797fca3de93d15b85d920b3725d23026b98f
SHA512

ee77e8fcd9b3d2edd0b4e9e1934eaa7d22dfb8c4d9f93774e27456e1bfed99ee13650527952f1a7ff995bb40a48fe20dfff46b76f1b24c714a7d467b3fe2df71
SSDEEP

3072:qqsKq0LMoSa8r2kdGbjVX6ltOrWKDBr+yJb:DsKq0LMoSa8r2dX6LOf

Score

10^/10

berbew bruteratel gozi backdoor banker discovery isfb persistence trojan

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://master-x.com/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://crutop.ru/index.php

http://kaspersky.ru/index.php

http://color-bank.ru/index.php

http://adult-empire.com/index.php

http://virus-list.com/index.php

http://trojan.ru/index.php

http://xware.cjb.net/index.htm

http://konfiskat.org/index.htm

http://parex-bank.ru/index.htm

http://fethard.biz/index.htm

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

Extracted

Family

gozi

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Bfkedibe.exeBnbmefbg.exeCmqmma32.exeDddhpjof.exeCfbkeh32.exeCeehho32.exeDkifae32.exeBhhdil32.exeCjbpaf32.exeDanecp32.exeDmgbnq32.exeDdonekbl.exeCnffqf32.exeCfdhkhjj.exeChcddk32.exeDjgjlelk.exeDmefhako.exeCfpnph32.exeCjpckf32.exeBcjlcn32.exeCjinkg32.exeDfnjafap.exeDhmgki32.exeDaekdooc.exeBmbplc32.exeCabfga32.exeDogogcpo.exeBelebq32.exeCagobalc.exeDknpmdfc.exeCmiflbel.exeCdfkolkf.exeCmnpgb32.exeDeokon32.exeDfpgffpm.exeBjddphlq.exeCegdnopg.exeDhfajjoj.exed8b3664ae5d24f9a06ef10f8a917797fca3de93d15b85d920b3725d23026b98f.exeDjdmffnn.exeBanllbdn.exeCenahpha.exeCeqnmpfo.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcjlcn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	d8b3664ae5d24f9a06ef10f8a917797fca3de93d15b85d920b3725d23026b98f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Banllbdn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenahpha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjddphlq.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew
Brute Ratel C4
A customized command and control framework for red teaming and adversary simulation.
backdoor bruteratel
Bruteratel family
bruteratel

Detect BruteRatel badger 1 IoCs

Processes:

resource	yara_rule
C:\Windows\SysWOW64\Ddonekbl.exe	family_bruteratel

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Gozi family
gozi

Executes dropped EXE 45 IoCs

Processes:

Bcjlcn32.exeBjddphlq.exeBmbplc32.exeBanllbdn.exeBhhdil32.exeBfkedibe.exeBnbmefbg.exeBelebq32.exeChjaol32.exeCjinkg32.exeCabfga32.exeCenahpha.exeCfpnph32.exeCnffqf32.exeCmiflbel.exeCeqnmpfo.exeCfbkeh32.exeCnicfe32.exeCagobalc.exeCdfkolkf.exeCfdhkhjj.exeCjpckf32.exeCmnpgb32.exeCeehho32.exeChcddk32.exeCjbpaf32.exeCmqmma32.exeCegdnopg.exeDhfajjoj.exeDjdmffnn.exeDanecp32.exeDjgjlelk.exeDmefhako.exeDdonekbl.exeDfnjafap.exeDkifae32.exeDmgbnq32.exeDeokon32.exeDhmgki32.exeDfpgffpm.exeDogogcpo.exeDaekdooc.exeDddhpjof.exeDknpmdfc.exeDmllipeg.exe

pid	process
1576	Bcjlcn32.exe
1396	Bjddphlq.exe
3688	Bmbplc32.exe
1440	Banllbdn.exe
4692	Bhhdil32.exe
3580	Bfkedibe.exe
3404	Bnbmefbg.exe
1912	Belebq32.exe
380	Chjaol32.exe
3464	Cjinkg32.exe
4156	Cabfga32.exe
4176	Cenahpha.exe
3884	Cfpnph32.exe
4572	Cnffqf32.exe
2848	Cmiflbel.exe
916	Ceqnmpfo.exe
744	Cfbkeh32.exe
2784	Cnicfe32.exe
3736	Cagobalc.exe
4408	Cdfkolkf.exe
2560	Cfdhkhjj.exe
3248	Cjpckf32.exe
4832	Cmnpgb32.exe
2184	Ceehho32.exe
1336	Chcddk32.exe
4952	Cjbpaf32.exe
4384	Cmqmma32.exe
2636	Cegdnopg.exe
2580	Dhfajjoj.exe
4812	Djdmffnn.exe
3676	Danecp32.exe
1568	Djgjlelk.exe
3204	Dmefhako.exe
1916	Ddonekbl.exe
4104	Dfnjafap.exe
2872	Dkifae32.exe
1344	Dmgbnq32.exe
4772	Deokon32.exe
4896	Dhmgki32.exe
2148	Dfpgffpm.exe
4340	Dogogcpo.exe
3432	Daekdooc.exe
1424	Dddhpjof.exe
1716	Dknpmdfc.exe
4712	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

Processes:

Bfkedibe.exeCmqmma32.exeBanllbdn.exeCabfga32.exeCjbpaf32.exeDmgbnq32.exeDeokon32.exeDogogcpo.exeCdfkolkf.exeDjgjlelk.exeDjdmffnn.exeDdonekbl.exeBhhdil32.exeCjinkg32.exeCagobalc.exeCmnpgb32.exeChcddk32.exeBcjlcn32.exeBmbplc32.exeCnicfe32.exeDmefhako.exeDhfajjoj.exeCnffqf32.exeCfbkeh32.exeDknpmdfc.exeBnbmefbg.exeCenahpha.exeCegdnopg.exeBjddphlq.exeDanecp32.exeDhmgki32.exeCeqnmpfo.exed8b3664ae5d24f9a06ef10f8a917797fca3de93d15b85d920b3725d23026b98f.exeBelebq32.exeChjaol32.exeDfnjafap.exeDddhpjof.exeCmiflbel.exeCjpckf32.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Bnbmefbg.exe	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Cegdnopg.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Bhhdil32.exe	Banllbdn.exe
File created	C:\Windows\SysWOW64\Cenahpha.exe	Cabfga32.exe
File opened for modification	C:\Windows\SysWOW64\Cmqmma32.exe	Cjbpaf32.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Ghilmi32.dll	Cdfkolkf.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Deokon32.exe
File created	C:\Windows\SysWOW64\Danecp32.exe	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Iqjikg32.dll	Banllbdn.exe
File created	C:\Windows\SysWOW64\Nnjaqjfh.dll	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Ndkqipob.dll	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Cdfkolkf.exe	Cagobalc.exe
File created	C:\Windows\SysWOW64\Jekpanpa.dll	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Cjbpaf32.exe	Chcddk32.exe
File created	C:\Windows\SysWOW64\Bjddphlq.exe	Bcjlcn32.exe
File created	C:\Windows\SysWOW64\Qihfjd32.dll	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Echdno32.dll	Cnicfe32.exe
File opened for modification	C:\Windows\SysWOW64\Ddonekbl.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Mkfdhbpg.dll	Bfkedibe.exe
File opened for modification	C:\Windows\SysWOW64\Djdmffnn.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Dmefhako.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Ddonekbl.exe	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Cenahpha.exe	Cabfga32.exe
File opened for modification	C:\Windows\SysWOW64\Cmiflbel.exe	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Bbloam32.dll	Cnffqf32.exe
File opened for modification	C:\Windows\SysWOW64\Cnicfe32.exe	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Mgcail32.dll	Cmqmma32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Ceehho32.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Gidbim32.dll	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Bfkedibe.exe	Bhhdil32.exe
File opened for modification	C:\Windows\SysWOW64\Belebq32.exe	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Flgehc32.dll	Cenahpha.exe
File created	C:\Windows\SysWOW64\Cmiflbel.exe	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Okgoadbf.dll	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Eokchkmi.dll	Cegdnopg.exe
File opened for modification	C:\Windows\SysWOW64\Bmbplc32.exe	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Mkijij32.dll	Cabfga32.exe
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Jpcnha32.dll	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Ghekjiam.dll	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Bcjlcn32.exe	d8b3664ae5d24f9a06ef10f8a917797fca3de93d15b85d920b3725d23026b98f.exe
File opened for modification	C:\Windows\SysWOW64\Bjddphlq.exe	Bcjlcn32.exe
File created	C:\Windows\SysWOW64\Jfihel32.dll	Belebq32.exe
File opened for modification	C:\Windows\SysWOW64\Cjinkg32.exe	Chjaol32.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Pdheac32.dll	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Dddhpjof.exe
File opened for modification	C:\Windows\SysWOW64\Chjaol32.exe	Belebq32.exe
File created	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cmiflbel.exe
File opened for modification	C:\Windows\SysWOW64\Cagobalc.exe	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Ffpmlcim.dll	Cjpckf32.exe
File opened for modification	C:\Windows\SysWOW64\Dhfajjoj.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Agjbpg32.dll	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Banllbdn.exe	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Gallfmbn.dll	Bnbmefbg.exe
File opened for modification	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cmiflbel.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process

4488 4712 WerFault.exe

pid	pid_target	process
4488	4712	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 46 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Cmiflbel.exeCeehho32.exeDmefhako.exeDfnjafap.exeDmgbnq32.exeDfpgffpm.exeBelebq32.exeCabfga32.exeDhfajjoj.exeDkifae32.exeDeokon32.exeDddhpjof.exeBfkedibe.exeCeqnmpfo.exeCfpnph32.exeCnffqf32.exeDhmgki32.exeDogogcpo.exeBmbplc32.exeCfdhkhjj.exeCjbpaf32.exeCmqmma32.exeCegdnopg.exeDaekdooc.exeCagobalc.exeBjddphlq.exeBnbmefbg.exeChjaol32.exeCfbkeh32.exeCnicfe32.exeCdfkolkf.exeChcddk32.exed8b3664ae5d24f9a06ef10f8a917797fca3de93d15b85d920b3725d23026b98f.exeDmllipeg.exeDknpmdfc.exeBanllbdn.exeCjinkg32.exeCjpckf32.exeCmnpgb32.exeDanecp32.exeBcjlcn32.exeCenahpha.exeDjdmffnn.exeDjgjlelk.exeDdonekbl.exeBhhdil32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d8b3664ae5d24f9a06ef10f8a917797fca3de93d15b85d920b3725d23026b98f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe

Modifies registry class 64 IoCs

Processes:

Belebq32.exeCjpckf32.exeCfpnph32.exeDkifae32.exeCmiflbel.exeCjbpaf32.exeDanecp32.exed8b3664ae5d24f9a06ef10f8a917797fca3de93d15b85d920b3725d23026b98f.exeCdfkolkf.exeCeehho32.exeChcddk32.exeCenahpha.exeCnicfe32.exeBnbmefbg.exeCjinkg32.exeCeqnmpfo.exeDhmgki32.exeDfpgffpm.exeCfbkeh32.exeCfdhkhjj.exeDjdmffnn.exeDjgjlelk.exeDmgbnq32.exeDogogcpo.exeDaekdooc.exeBjddphlq.exeBmbplc32.exeCmnpgb32.exeBanllbdn.exeCagobalc.exeDhfajjoj.exeBhhdil32.exeCmqmma32.exeDddhpjof.exeDknpmdfc.exeDmefhako.exeChjaol32.exeCabfga32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfihel32.dll"	Belebq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdqjac32.dll"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Danecp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	d8b3664ae5d24f9a06ef10f8a917797fca3de93d15b85d920b3725d23026b98f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghilmi32.dll"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chcddk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beeppfin.dll"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	d8b3664ae5d24f9a06ef10f8a917797fca3de93d15b85d920b3725d23026b98f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndkqipob.dll"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacamdcd.dll"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjbpg32.dll"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcnha32.dll"	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jffggf32.dll"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdhpgj32.dll"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	d8b3664ae5d24f9a06ef10f8a917797fca3de93d15b85d920b3725d23026b98f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnjaqjfh.dll"	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bilonkon.dll"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gallfmbn.dll"	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckmllpik.dll"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogfilp32.dll"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cabfga32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

d8b3664ae5d24f9a06ef10f8a917797fca3de93d15b85d920b3725d23026b98f.exeBcjlcn32.exeBjddphlq.exeBmbplc32.exeBanllbdn.exeBhhdil32.exeBfkedibe.exeBnbmefbg.exeBelebq32.exeChjaol32.exeCjinkg32.exeCabfga32.exeCenahpha.exeCfpnph32.exeCnffqf32.exeCmiflbel.exeCeqnmpfo.exeCfbkeh32.exeCnicfe32.exeCagobalc.exeCdfkolkf.exeCfdhkhjj.exe

description	pid	process	target process
PID 3368 wrote to memory of 1576	3368	d8b3664ae5d24f9a06ef10f8a917797fca3de93d15b85d920b3725d23026b98f.exe	Bcjlcn32.exe
PID 3368 wrote to memory of 1576	3368	d8b3664ae5d24f9a06ef10f8a917797fca3de93d15b85d920b3725d23026b98f.exe	Bcjlcn32.exe
PID 3368 wrote to memory of 1576	3368	d8b3664ae5d24f9a06ef10f8a917797fca3de93d15b85d920b3725d23026b98f.exe	Bcjlcn32.exe
PID 1576 wrote to memory of 1396	1576	Bcjlcn32.exe	Bjddphlq.exe
PID 1576 wrote to memory of 1396	1576	Bcjlcn32.exe	Bjddphlq.exe
PID 1576 wrote to memory of 1396	1576	Bcjlcn32.exe	Bjddphlq.exe
PID 1396 wrote to memory of 3688	1396	Bjddphlq.exe	Bmbplc32.exe
PID 1396 wrote to memory of 3688	1396	Bjddphlq.exe	Bmbplc32.exe
PID 1396 wrote to memory of 3688	1396	Bjddphlq.exe	Bmbplc32.exe
PID 3688 wrote to memory of 1440	3688	Bmbplc32.exe	Banllbdn.exe
PID 3688 wrote to memory of 1440	3688	Bmbplc32.exe	Banllbdn.exe
PID 3688 wrote to memory of 1440	3688	Bmbplc32.exe	Banllbdn.exe
PID 1440 wrote to memory of 4692	1440	Banllbdn.exe	Bhhdil32.exe
PID 1440 wrote to memory of 4692	1440	Banllbdn.exe	Bhhdil32.exe
PID 1440 wrote to memory of 4692	1440	Banllbdn.exe	Bhhdil32.exe
PID 4692 wrote to memory of 3580	4692	Bhhdil32.exe	Bfkedibe.exe
PID 4692 wrote to memory of 3580	4692	Bhhdil32.exe	Bfkedibe.exe
PID 4692 wrote to memory of 3580	4692	Bhhdil32.exe	Bfkedibe.exe
PID 3580 wrote to memory of 3404	3580	Bfkedibe.exe	Bnbmefbg.exe
PID 3580 wrote to memory of 3404	3580	Bfkedibe.exe	Bnbmefbg.exe
PID 3580 wrote to memory of 3404	3580	Bfkedibe.exe	Bnbmefbg.exe
PID 3404 wrote to memory of 1912	3404	Bnbmefbg.exe	Belebq32.exe
PID 3404 wrote to memory of 1912	3404	Bnbmefbg.exe	Belebq32.exe
PID 3404 wrote to memory of 1912	3404	Bnbmefbg.exe	Belebq32.exe
PID 1912 wrote to memory of 380	1912	Belebq32.exe	Chjaol32.exe
PID 1912 wrote to memory of 380	1912	Belebq32.exe	Chjaol32.exe
PID 1912 wrote to memory of 380	1912	Belebq32.exe	Chjaol32.exe
PID 380 wrote to memory of 3464	380	Chjaol32.exe	Cjinkg32.exe
PID 380 wrote to memory of 3464	380	Chjaol32.exe	Cjinkg32.exe
PID 380 wrote to memory of 3464	380	Chjaol32.exe	Cjinkg32.exe
PID 3464 wrote to memory of 4156	3464	Cjinkg32.exe	Cabfga32.exe
PID 3464 wrote to memory of 4156	3464	Cjinkg32.exe	Cabfga32.exe
PID 3464 wrote to memory of 4156	3464	Cjinkg32.exe	Cabfga32.exe
PID 4156 wrote to memory of 4176	4156	Cabfga32.exe	Cenahpha.exe
PID 4156 wrote to memory of 4176	4156	Cabfga32.exe	Cenahpha.exe
PID 4156 wrote to memory of 4176	4156	Cabfga32.exe	Cenahpha.exe
PID 4176 wrote to memory of 3884	4176	Cenahpha.exe	Cfpnph32.exe
PID 4176 wrote to memory of 3884	4176	Cenahpha.exe	Cfpnph32.exe
PID 4176 wrote to memory of 3884	4176	Cenahpha.exe	Cfpnph32.exe
PID 3884 wrote to memory of 4572	3884	Cfpnph32.exe	Cnffqf32.exe
PID 3884 wrote to memory of 4572	3884	Cfpnph32.exe	Cnffqf32.exe
PID 3884 wrote to memory of 4572	3884	Cfpnph32.exe	Cnffqf32.exe
PID 4572 wrote to memory of 2848	4572	Cnffqf32.exe	Cmiflbel.exe
PID 4572 wrote to memory of 2848	4572	Cnffqf32.exe	Cmiflbel.exe
PID 4572 wrote to memory of 2848	4572	Cnffqf32.exe	Cmiflbel.exe
PID 2848 wrote to memory of 916	2848	Cmiflbel.exe	Ceqnmpfo.exe
PID 2848 wrote to memory of 916	2848	Cmiflbel.exe	Ceqnmpfo.exe
PID 2848 wrote to memory of 916	2848	Cmiflbel.exe	Ceqnmpfo.exe
PID 916 wrote to memory of 744	916	Ceqnmpfo.exe	Cfbkeh32.exe
PID 916 wrote to memory of 744	916	Ceqnmpfo.exe	Cfbkeh32.exe
PID 916 wrote to memory of 744	916	Ceqnmpfo.exe	Cfbkeh32.exe
PID 744 wrote to memory of 2784	744	Cfbkeh32.exe	Cnicfe32.exe
PID 744 wrote to memory of 2784	744	Cfbkeh32.exe	Cnicfe32.exe
PID 744 wrote to memory of 2784	744	Cfbkeh32.exe	Cnicfe32.exe
PID 2784 wrote to memory of 3736	2784	Cnicfe32.exe	Cagobalc.exe
PID 2784 wrote to memory of 3736	2784	Cnicfe32.exe	Cagobalc.exe
PID 2784 wrote to memory of 3736	2784	Cnicfe32.exe	Cagobalc.exe
PID 3736 wrote to memory of 4408	3736	Cagobalc.exe	Cdfkolkf.exe
PID 3736 wrote to memory of 4408	3736	Cagobalc.exe	Cdfkolkf.exe
PID 3736 wrote to memory of 4408	3736	Cagobalc.exe	Cdfkolkf.exe
PID 4408 wrote to memory of 2560	4408	Cdfkolkf.exe	Cfdhkhjj.exe
PID 4408 wrote to memory of 2560	4408	Cdfkolkf.exe	Cfdhkhjj.exe
PID 4408 wrote to memory of 2560	4408	Cdfkolkf.exe	Cfdhkhjj.exe
PID 2560 wrote to memory of 3248	2560	Cfdhkhjj.exe	Cjpckf32.exe

C:\Users\Admin\AppData\Local\Temp\d8b3664ae5d24f9a06ef10f8a917797fca3de93d15b85d920b3725d23026b98f.exe
"C:\Users\Admin\AppData\Local\Temp\d8b3664ae5d24f9a06ef10f8a917797fca3de93d15b85d920b3725d23026b98f.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3368
- C:\Windows\SysWOW64\Bcjlcn32.exe
  C:\Windows\system32\Bcjlcn32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1576
- - C:\Windows\SysWOW64\Bjddphlq.exe
    C:\Windows\system32\Bjddphlq.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1396
  - - C:\Windows\SysWOW64\Bmbplc32.exe
      C:\Windows\system32\Bmbplc32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3688
    - - C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1440
      - C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4692
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3580
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3404
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1912
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:380
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3464
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4156
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4176
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3884
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4572
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2848
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:916
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:744
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2784
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3736
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4408
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2560
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3248
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4832
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2184
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1336
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4952
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4384
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2636
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2580
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4812
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3676
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1568
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3204
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1916
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4104
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2872
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1344
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4772
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4896
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2148
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4340
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3432
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1424
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1716
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4712
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4712 -s 400
        47⤵
        Program crash
        
        PID:4488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4712 -ip 4712
1⤵
PID:4112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Banllbdn.exe

Filesize
163KB

MD5
1f18873a35c369648969e772bf9f69ed

SHA1
3e3f2a81dfd1d05d43e6e22762e9ac8c83cf10c9

SHA256
8b87e1e792b174c7092f0f21d03a1ac91b99aed5ffc843718bf626cfb6411099

SHA512
9bfc5b1541c25e551353242e72e40aed59a034fad9ad04b05c6c26d867296142507c67d57725dbcfe265d7b60e1f18759d3ae2fe95f75d2058ee2655dd87108f

Download Submit
C:\Windows\SysWOW64\Bcjlcn32.exe

Filesize
163KB

MD5
b6ac54b3758dfb89bdcd789ea22ffedd

SHA1
ddb3467d872353a684aa0b27ced407d618960c75

SHA256
61099498ed3f4ec25ea86c6469b83d5d267e32b3a56e3c5d2622823a76e094be

SHA512
4ec3bfcdd9b1401f8607098b5781d8c5a484fb1d2306ba43ffe5fd63433bff87daaf3e568a57f10cf660d04e9b3690ed262054630783ee6eb20085801bba04d0

Download Submit
C:\Windows\SysWOW64\Bfkedibe.exe

Filesize
163KB

MD5
b586c856269c6254d45aa08cc1f6081b

SHA1
ad22540ab4da9e111a69483c46e616c12368408e

SHA256
e23f0023e617ad5e6cf153494bee52331abdf79171bc52ce3d87f49a31daa024

SHA512
e293525b7beddd3f8f5f787d65ff84c22af583d3a7394bb5c3fd557d43b2df5d2a459e81ac5c401a6c2daa4a8508429f31617a6a587bb5a1b13f547601add23d

Download Submit
C:\Windows\SysWOW64\Bhhdil32.exe

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\SysWOW64\Bhhdil32.exe

Filesize
163KB

MD5
0f4fcf86c79d5797d30a53e2e7c7e656

SHA1
34af3e9187608dcca41d6efe6a959e2ffa350c82

SHA256
653c801d5a38079cb8763998683d68440c8e4349553683a99cc482632f33517d

SHA512
4253588d327caab3a15eccc3f3e837fe77d80e917787196b74f52d90d9f1cc4789e03d199433ee4e166c9824a88c138d5427d09be15e0567adff741a3f3233f0

Download Submit
C:\Windows\SysWOW64\Bjddphlq.exe

Filesize
163KB

MD5
4f447b4477ba196f493c8f3095fa7b66

SHA1
dd4729c2d92d5eaed9781a294bcae908ae35ea1e

SHA256
3d702a06042170c528d51a83415ebb3c369c51d0e795dfad5666edd5d65ac206

SHA512
19425ca9274e17ad2c29c91273585be534faa06be7f0fc590bb352a45cf3e3d244032efffec7147585219de70e601f61272ab575937eeef1f3be4386f54b1c88

Download Submit
C:\Windows\SysWOW64\Bmbplc32.exe

Filesize
163KB

MD5
fe3d89799736ec2f50167c884033a6a3

SHA1
8ab695b102423f669cfd245ddc76d4d83bdddcd4

SHA256
9f3fce9d818235dbcc09407e39fc622c70779c1e6625f5a2a21d0411fabc01dd

SHA512
51a766f44de26bc04f2b5825b54b11611f3916cbf7500c9ee1ac91eadd3b17e0ec6e5046bcc1d71e4dcba648b02923af9e08b76e7764da6ca96d1ecbbcdd084d

Download Submit
C:\Windows\SysWOW64\Bnbmefbg.exe

Filesize
163KB

MD5
a96236d7be52a58a6c85214fa29c2576

SHA1
066d6917dd7964eaa1b89f75fdea92666e151c3a

SHA256
e9d050f44f234a310b043ebe41313cdce0e64492394782d6c83e135e658a605b

SHA512
76367ae87489ee02f56fe10829552b045a3842fd035ebce0a4f46d4a19bf35e110f9b82767267612b928dc1aecc95a91428af8168044d6ec3c372498e277a42f

Download Submit
C:\Windows\SysWOW64\Cagobalc.exe

Filesize
163KB

MD5
a2647f6c7587fd9c68888e9bbf5c2101

SHA1
0419edd55ac9d4b6617a5c63784462225d351131

SHA256
7840f128cddf642b2e47af85b391d18b59716fb9fb958c3238cff7590a519e1d

SHA512
0a45317f27bee31a325d48acae3098da268bd15d31fce2e01c00e411c7d2880e3a7a1e7ecb8674994abd5d1ac04375e3d772a586b55591e05d59bf2893c57c5c

Download Submit
C:\Windows\SysWOW64\Cdfkolkf.exe

Filesize
163KB

MD5
66a9b5e8670f250fcdfb95b4842585f8

SHA1
d79a7bf3ba89a7922227fd044e2aed5632f0d794

SHA256
705dece08143d1a7f282a83d8b3a72b3cb5beb32eef8719c016cb09f955b8d40

SHA512
96275a0b7eb5b0367eb76bdf968f0fc7cf42432559d0386c03e2ac95dd93b495fb9af11159df8dec426d459e21134b1914a996d3999a0481e6bcb2c0cbaad792

Download Submit
C:\Windows\SysWOW64\Ceehho32.exe

Filesize
163KB

MD5
d56d5d56a2bc65b99dd2d20e1ca0d257

SHA1
39dc333188b3604dfa5cb0e4a226f9ce9067a9c4

SHA256
f8238c7b98b25132de5c197c460dbb804cfd5b2790d1952b8ec4800439eb5630

SHA512
d0760207ab10527cb6e81c689b3d19ed2c119137ddb5620739cb1497bcd7d43fe3743b93986527b6d59ed0d15e2944cbe25d0544b3a4c17fcf8ff59c32b7ef14

Download Submit
C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
163KB

MD5
d376e516b86b42101347e216e021a56b

SHA1
8381861c35521e1454abc078246669d4c0757704

SHA256
43e2c8710b8369ac57b53640ae0e557b54ae6c27cfbf5c913928889b9acfe1a6

SHA512
cf8306b50828f4718ae3627f0cb128b758df37c13bdef7bfc64e64f4ded7ba68a210274805abf96b76342ca1d7a4c411e0bde3b5a7b332d67ee39110cb205640

Download Submit
C:\Windows\SysWOW64\Cenahpha.exe

Filesize
163KB

MD5
bd76d5f0a9bcaa66491a2353b8fcba6d

SHA1
9abf03fae166fcbc8a893d57659731bea2a05c7d

SHA256
ac11284331d21e83e9b2943d8285e5be548be2394bfe64f49ff630c56b75a182

SHA512
7084851e64359789a855d52acd0bc9e94fcada2de27ea9bc2e728673b484157c655301afd451d58398a669e2676b5ff694b9d396228bbe137c9e53c9bab7ec71

Download Submit
C:\Windows\SysWOW64\Cenahpha.exe

Filesize
163KB

MD5
a3059b3c88fcc0d4da53ed0f432bd2ea

SHA1
cb7038f21b1e9de23163e6ce2875bc09a83ae83e

SHA256
002f0d70615076a7bc8f5750b83979d05290e563c1f9be710a3fdfe7f317565a

SHA512
b7f97c25d760751cf3d1c910308e34bc39d1ea198eb06c81ba7a9d3e0ef42f2c16cdc191c63765f04e4ff7ef19c0304a4ef996f02d8317fff5d64ec72d5e0d47

Download Submit
C:\Windows\SysWOW64\Ceqnmpfo.exe

Filesize
163KB

MD5
dce7d0860ff638728cfaaa6897a03fc1

SHA1
1e4e3ee841ee7b8d1df07a0fba86714f8eb7c7d4

SHA256
9520be03ef2a071dd471aa49d64bf1f35bb13cefb6cc2e728d10feead6ef0981

SHA512
8956fc6d568983704ec18ef6b88f02b3142c3c1d5b34995ed2fd11c4cb70c45342f08e4099c118900e8a3e5b6b9b499f3d197ff4b4712642519c2dc994440750

Download Submit
C:\Windows\SysWOW64\Cfbkeh32.exe

Filesize
163KB

MD5
911b7687035f0f13e632373c2b5f5a04

SHA1
6609fba10c79304d6ad91e6426b053b2f9e0e699

SHA256
82e4e3ef063459fd6a385d0918572d826313788ae3b6ec21af78a58ab4253fc9

SHA512
5fed295740c6e67119f0f70bc4706edb2744298738d6f2ef1eaed91049345bed763d91b54aa332ea6816d914d6463bdddd2cbdb7cdf005effdf2548e0902c485

Download Submit
C:\Windows\SysWOW64\Cfdhkhjj.exe

Filesize
163KB

MD5
41b3b80f8d71fbcf457a1aa7c444997f

SHA1
9fa5dc411659354b54d66a67cc96c080b07654cd

SHA256
28e8049c4c0b6c6f633cbf7f7ea4f5c11352a1a20763cc6aa1efa3bd40a8d951

SHA512
920d0bd603c22cccfb8da8d4aac8d8586c705e83b38cea402ffbc7afee6943bc5df3fed8acf272dee7dc878f23137d021bc9840fc26d74688de1312a6d3d2089

Download Submit
C:\Windows\SysWOW64\Cfpnph32.exe

Filesize
163KB

MD5
4a645d7cadf1f28b5d110f41a2b11ad4

SHA1
b37e62bbcb9cb630706823471cd521a6cee6e71c

SHA256
386d34fa57cab55b2d16eb0bdd79668584ae140cbbcd7221a652d6b51bfaf680

SHA512
9444e93a63857088d53ff010255ea82963d42e124179372c15f349973c3bc83a0fbf63e6258f1e723082f3ceb625eb44cbeb9725f38d583157f44004dc10549f

Download Submit
C:\Windows\SysWOW64\Chcddk32.exe

Filesize
163KB

MD5
9ad4b31ab4dc3a3da06fe9a13f98e8ac

SHA1
94c6d458f71d6c4be507fa915b724f7a27597aa8

SHA256
4e0a08e4210de9243672fa8dfe0316823d6243da676fba0aae254bac9a807e9f

SHA512
2b86dbc240c25fb17d808271e8a9186bd4100326ca304ba2bb935d904705af167dba13cc8bed030f99cd672aee3b6ddc11f6582b698d0761addf9c475dda4737

Download Submit
C:\Windows\SysWOW64\Chjaol32.exe

Filesize
163KB

MD5
92b041ee8e2616590ddf42a85bbddffc

SHA1
55c947c08fbe3c1af12da547f5fe93c193fecdac

SHA256
e4a0ec9bb0e0fdc36bd70523847be5349032921479ef5ab6ddffd71cb7fa7064

SHA512
639e58646992026d563d6c8edccdce8fc130b9d6526f4eaa88dff660c95f68c761de79271ca6bc9bd7774f9d724dc0b3e8b4c8bedecfd46c57d137fe91605ec4

Download Submit
C:\Windows\SysWOW64\Chjaol32.exe

Filesize
163KB

MD5
6acf030fa3641781399df15140d5965e

SHA1
48c96ae53901393cc0d4d912a6ebd96bfd83202f

SHA256
1e614ec800375f58f1bf2cf93e5325c66d5b22fefa284539a6a531a3fc6d3df3

SHA512
001a90170b0373b61324713c66ef32f2385f56d368d671772906fad235533092e44c6b23d4ca3541353641325d31c88bc78fbae9e3d87f07fe2579ae39be45c1

Download Submit
C:\Windows\SysWOW64\Cjbpaf32.exe

Filesize
163KB

MD5
ab3dfbc2e7db2564458c9059beb401dd

SHA1
8950a380fdf2b9856186e64633444e6ee5a7b381

SHA256
dd5b24a0c96cbef076e4906de2574e616aa05ff19baddbdc5dcf670e5599dbc5

SHA512
11dd6e6f2f47fb1aad952ae030e06079b14e23fd9bcec8ad0ddeb767c134168479bfc5cf3d333775a66e9ebe00370bc12d381b5f2eb3c6fedc5a670f30f1e5b9

Download Submit
C:\Windows\SysWOW64\Cjinkg32.exe

Filesize
163KB

MD5
403300a58733a6f262f1e8fc670efb14

SHA1
f11eab32ba5ba5e1c430635229672655f37332c1

SHA256
3b75ece454fef81fed1cb1117dab6a6e9b21faf1cfb3d7bfe533b688c586a0b3

SHA512
2e40e2adcadddd031172b4d88c0159c4c2bab3ee217b80e931455aa2daf819a9e0c03dd1249dc39817df8b1acb138e1ff93e7c250b12b1281aebda5a6e29f83f

Download Submit
C:\Windows\SysWOW64\Cjpckf32.exe

Filesize
163KB

MD5
aaab2eb5456f6db5c462af0cfb87e43f

SHA1
674d0192a55fa18644110a380cbce8adc18893d2

SHA256
cb289d4ca1417b8c4a361ae3b235a2bcf1caea836630f5700ec42ae29b7a2b13

SHA512
fa010cf33a6d0e14074bca093c4b23a523e986b633662a54e56de175e2f2002376b7414b181b869845168b0284ce2fdbcb248945d0ed33e0633e1e91c4254caf

Download Submit
C:\Windows\SysWOW64\Cmiflbel.exe

Filesize
163KB

MD5
5b384ef087044efef5101d4be74c94eb

SHA1
361482247ba3e41fb8f5c341409c47be3fdfc096

SHA256
3be8a4b305e16199c58f935503442d23ae8f6def5101cc0e59a9b5922ac55837

SHA512
748d326be249b3ad2382e512edc4948c61cc095b7599ea318fdd11d7a881ddc50ef6b53ce61f7a9a073bd12d222a313e06fcb0d144fcfbdae7bb2ce75f2ba9b1

Download Submit
C:\Windows\SysWOW64\Cmnpgb32.exe

Filesize
163KB

MD5
80df395a6d8c8e7997dea35a53a638c4

SHA1
5da601acaeef3b23d7636f53d9648d69e2294ebc

SHA256
97693bb334139526f28b60f255dbe33d52a357a27afcdbf7e4588b7ad492f3c6

SHA512
3afd55b676dbe498d68be2e8c2f0f7148ada68e929682c975e73a4aba89f334681cff0d1167cb156fe8e8b3d54d6be73a7f329b83c0979502189d990efcab79e

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
163KB

MD5
b5cc895fca46fa1bc7a85f1e8d1e8fb1

SHA1
0eb28887c4ebcbd89cc128b57b4c6f4e5c5f361b

SHA256
171217c3a2b2e8ef9e439d3e82e6cf9bda79613122ddfd159f34d5edda39bd05

SHA512
2ee1dd0bd815c3580b9e78a4c129de4044e4119b0d87ef776752dd602f67bf4072fd2f1686e463e4cd5e73fbc1c1bc8bbabda037560b10a3a470c118df84dd59

Download Submit
C:\Windows\SysWOW64\Cnffqf32.exe

Filesize
163KB

MD5
d9a0b610b8eb432b46107fc2f86778bc

SHA1
78c186ce7b6dc8fe0152f5a89b03d196964e68b3

SHA256
c31fc94067c44143295bdcd25bc362d66fca3f7dfad8f36d382198ab3c1be4e2

SHA512
18ef89ec06fa19783b99bf896b674db56502b47e515e9a109ff382d8a8f6714c56160b8734ac2d677098b2be870457968fa0f8bc6708a2b9efa3fd0cbb89f51b

Download Submit
C:\Windows\SysWOW64\Cnicfe32.exe

Filesize
163KB

MD5
33d38ff08109c55c02afc66b1fbee243

SHA1
c95bdae00c55275309926a20c08a3adbb932d17d

SHA256
288f39ff50f717f58701c2e95a1b2acc55f1ed189e7f7206334a5be2050286cb

SHA512
937370aace13057095b52268f803ac5041e5986590fef16245eb1b518f218f41afe5fcfb84312366ddc86be3a5f292f0b426c23211742fd3d5ea07ebedaf8cf5

Download Submit
C:\Windows\SysWOW64\Danecp32.exe

Filesize
163KB

MD5
c84b0a38d0df12645f92501026963661

SHA1
c576430a4473c3e7be80655555f77f92b09c109a

SHA256
0fca5a348f0196e244aa61291724b605f658f4f97e2fe29d56f99b780c7e427a

SHA512
efdce78214665a1e6546e8a78541ee8cd9c6bd8b7a03aa8a2bd27351b00133e1f6175fabd67439799f1d664df6b81ba098b3206dcdf9d880d87518100043c3d3

Download Submit
C:\Windows\SysWOW64\Ddonekbl.exe

Filesize
163KB

MD5
40eef73f1e80a3f351e7fc06d0a2dc6c

SHA1
5274c08dbfebb8e3f65a75e7a1ed49e78385ba9e

SHA256
583f0279787b8b84f00cafcfcdae00b7f5d2e64f69d4ede599b95c83f8264ba4

SHA512
86d3a86508c0313890a48637e0d4dc2c5664126fa0c1b2f4b8942f4fd76ab33883dcb5affd0d391237d0e1ca00783180adfaf3c424a070895c3883f6cc19c624

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
163KB

MD5
f9c7371578779d96e81492268da04640

SHA1
38a1e0fa24226d5c8b9a8c6806c776f8a5cf67cb

SHA256
4eeb2214022717f33d2495b0bde5cbca97e32ef4d7c5b7fe7176043bda6b19a7

SHA512
e5f9cb1a1350be5853c261ffe699b250d82a1555feeb0423bb00d55201d5cd66947a05ba23dd7bf2e731e83983fb7f4c187c40b5a9758e49e499b6b4424b101e

Download Submit
C:\Windows\SysWOW64\Djdmffnn.exe

Filesize
163KB

MD5
50c2e2db1f082a97bb05bbbd0040422d

SHA1
690bfd980945a982dfcece22a7f12283e058fd42

SHA256
4f578323ffd112c7ff5b73c8c8b042e165e981c12f5c6cec2213a68001b16b24

SHA512
09e485652e2a0185f75453d8a377d56d5eb51d686b8dd9a108d9e0def31aab40ca58667cf70a091a48fd4901b7f342ea1448920c954107ff05e19ae6ffaa640e

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
163KB

MD5
b053f1354691769209ed803bc8f606e5

SHA1
b95ef7ff2e70fc24adeccbd1c13d496b5d358082

SHA256
85cc60c1c9158cdcc6743f817f56a6a3bbe7c92315596226fa9be02390b5d882

SHA512
126e58dc0a77ba0b5742947d1b1ce870a3aa474032311f163568754a4f80be88122ccf598b37edd703e215ae5320c2e9e90cdc4fd8466bb58b6a861e50fac671

Download Submit
memory/380-73-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/380-409-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/744-391-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/744-394-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/744-136-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/916-395-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/916-128-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1336-205-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1336-378-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1344-287-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1344-354-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1396-423-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1396-16-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1424-323-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1424-341-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1440-419-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1440-32-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1568-362-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1568-257-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1576-8-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1576-425-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1716-338-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1716-329-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1912-411-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1912-64-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1916-269-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1916-359-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2148-352-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2148-305-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2184-193-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2184-379-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2560-387-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2560-168-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2580-233-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2580-370-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2636-371-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2636-225-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2784-144-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2784-390-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2848-397-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2848-121-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2872-355-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2872-285-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3204-367-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3204-263-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3248-383-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3248-181-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3368-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/3368-427-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3368-0-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3404-56-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3404-413-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3432-346-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3432-321-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3464-406-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3464-407-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3464-80-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3580-48-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3580-415-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3676-365-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3676-249-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3688-25-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3688-421-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3736-392-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3736-152-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3884-104-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3884-401-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4104-279-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4104-357-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4156-405-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4156-88-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4176-96-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4176-403-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4340-344-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4340-311-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4384-217-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4384-374-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4408-385-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4408-386-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4408-161-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4572-400-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4572-112-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4692-417-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4692-40-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4712-339-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4712-335-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4772-350-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4772-293-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4812-366-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4812-240-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4832-184-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4832-381-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4896-348-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4896-299-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4952-375-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4952-209-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download