berbew | 8f24c5e4ec287f69235007b87cd825dd5123a4f75cfe659d3b71fc101943807d

Analysis

max time kernel
94s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
06-11-2024 18:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8f24c5e4ec287f69235007b87cd825dd5123a4f75cfe659d3b71fc101943807dN.exe
Size

96KB
MD5

506a14609961695889bb98bbb0037c80
SHA1

f3eb0c29102e33c972ca7d6ecfeaa5515791ef35
SHA256

8f24c5e4ec287f69235007b87cd825dd5123a4f75cfe659d3b71fc101943807d
SHA512

82a179238995ceea721aa23e446c5d8e6591f7c2e1ef0c2201361e7e1209c1cd45f60f22953a2ec6ccc846fed95d74f21197f586e1bf983078909137ea1d2146
SSDEEP

1536:7GvKG2w3qMz14Ke/A666Rlt2Lpz7RZObZUUWaegPYA:qvTrqMzhezJl+1ClUUWae

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Pcbmka32.exeQgcbgo32.exeAqncedbp.exeCeqnmpfo.exeBjmnoi32.exeChokikeb.exeDaqbip32.exeAnmjcieo.exeAgeolo32.exeAfoeiklb.exeBgcknmop.exeBgehcmmm.exeBeihma32.exeCdfkolkf.exeDaekdooc.exeAabmqd32.exeAadifclh.exeBjokdipf.exeBnmcjg32.exeCmlcbbcj.exeDodbbdbb.exeQjoankoi.exeQddfkd32.exeAnadoi32.exeBeglgani.exeBelebq32.exeCabfga32.exeChmndlge.exeCnffqf32.exeDjgjlelk.exeAnogiicl.exeCjinkg32.exeBagflcje.exeCnnlaehj.exeDdmaok32.exeDdakjkqi.exeDkkcge32.exe8f24c5e4ec287f69235007b87cd825dd5123a4f75cfe659d3b71fc101943807dN.exeDfiafg32.exeQmkadgpo.exeCnkplejl.exeAgjhgngj.exeBnbmefbg.exeDdjejl32.exeDhkjej32.exeDhocqigp.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcbmka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgcbgo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqncedbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anmjcieo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qgcbgo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aabmqd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aadifclh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qjoankoi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cabfga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anogiicl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qjoankoi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	8f24c5e4ec287f69235007b87cd825dd5123a4f75cfe659d3b71fc101943807dN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bagflcje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aadifclh.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 46 IoCs

Processes:

Pcbmka32.exeQmkadgpo.exeQjoankoi.exeQddfkd32.exeQgcbgo32.exeAnmjcieo.exeAgeolo32.exeAnogiicl.exeAqncedbp.exeAnadoi32.exeAgjhgngj.exeAabmqd32.exeAfoeiklb.exeAadifclh.exeBjmnoi32.exeBagflcje.exeBjokdipf.exeBgcknmop.exeBnmcjg32.exeBeglgani.exeBgehcmmm.exeBeihma32.exeBnbmefbg.exeBelebq32.exeCjinkg32.exeCabfga32.exeChmndlge.exeCnffqf32.exeChokikeb.exeCmlcbbcj.exeCdfkolkf.exeCnkplejl.exeCdhhdlid.exeCnnlaehj.exeDdjejl32.exeDfiafg32.exeDdmaok32.exeDjgjlelk.exeDaqbip32.exeDhkjej32.exeDodbbdbb.exeDdakjkqi.exeDkkcge32.exeDaekdooc.exeDhocqigp.exeDmllipeg.exe

pid	process
3460	Pcbmka32.exe
2360	Qmkadgpo.exe
3516	Qjoankoi.exe
3944	Qddfkd32.exe
4604	Qgcbgo32.exe
3340	Anmjcieo.exe
2672	Ageolo32.exe
2612	Anogiicl.exe
1748	Aqncedbp.exe
5072	Anadoi32.exe
3564	Agjhgngj.exe
5048	Aabmqd32.exe
3588	Afoeiklb.exe
3456	Aadifclh.exe
1528	Bjmnoi32.exe
4892	Bagflcje.exe
4744	Bjokdipf.exe
4848	Bgcknmop.exe
768	Bnmcjg32.exe
5068	Beglgani.exe
4172	Bgehcmmm.exe
1460	Beihma32.exe
2308	Bnbmefbg.exe
2016	Belebq32.exe
4164	Cjinkg32.exe
4496	Cabfga32.exe
2432	Chmndlge.exe
1852	Cnffqf32.exe
3220	Chokikeb.exe
1520	Cmlcbbcj.exe
4404	Cdfkolkf.exe
2784	Cnkplejl.exe
2496	Cdhhdlid.exe
2296	Cnnlaehj.exe
3300	Ddjejl32.exe
4796	Dfiafg32.exe
2684	Ddmaok32.exe
1732	Djgjlelk.exe
452	Daqbip32.exe
2512	Dhkjej32.exe
868	Dodbbdbb.exe
1608	Ddakjkqi.exe
3580	Dkkcge32.exe
3876	Daekdooc.exe
4652	Dhocqigp.exe
4620	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

Processes:

Aqncedbp.exeAfoeiklb.exeBjmnoi32.exeBnmcjg32.exeChokikeb.exeDaqbip32.exeDodbbdbb.exePcbmka32.exeDkkcge32.exeBgcknmop.exeBeihma32.exeQddfkd32.exeAadifclh.exeChmndlge.exeDaekdooc.exe8f24c5e4ec287f69235007b87cd825dd5123a4f75cfe659d3b71fc101943807dN.exeDdakjkqi.exeCdhhdlid.exeAnogiicl.exeBjokdipf.exeBnbmefbg.exeCjinkg32.exeCabfga32.exeDjgjlelk.exeDhkjej32.exeQjoankoi.exeDhocqigp.exeBagflcje.exeAnmjcieo.exeCnkplejl.exeCnnlaehj.exeAnadoi32.exeAgeolo32.exeBelebq32.exeQmkadgpo.exeQgcbgo32.exeBeglgani.exeCmlcbbcj.exeAabmqd32.exeDdjejl32.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Anadoi32.exe	Aqncedbp.exe
File opened for modification	C:\Windows\SysWOW64\Aadifclh.exe	Afoeiklb.exe
File created	C:\Windows\SysWOW64\Bagflcje.exe	Bjmnoi32.exe
File created	C:\Windows\SysWOW64\Bmhnkg32.dll	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Fmjkjk32.dll	Chokikeb.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Qmkadgpo.exe	Pcbmka32.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dkkcge32.exe
File opened for modification	C:\Windows\SysWOW64\Bnmcjg32.exe	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Mkfdhbpg.dll	Beihma32.exe
File created	C:\Windows\SysWOW64\Qgcbgo32.exe	Qddfkd32.exe
File created	C:\Windows\SysWOW64\Bjmnoi32.exe	Aadifclh.exe
File created	C:\Windows\SysWOW64\Lfjhbihm.dll	Chmndlge.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Pcbmka32.exe	8f24c5e4ec287f69235007b87cd825dd5123a4f75cfe659d3b71fc101943807dN.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Cnnlaehj.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Pkejdahi.dll	Anogiicl.exe
File created	C:\Windows\SysWOW64\Akichh32.dll	Bjokdipf.exe
File opened for modification	C:\Windows\SysWOW64\Belebq32.exe	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Cabfga32.exe	Cjinkg32.exe
File opened for modification	C:\Windows\SysWOW64\Chmndlge.exe	Cabfga32.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Qddfkd32.exe	Qjoankoi.exe
File created	C:\Windows\SysWOW64\Bnmcjg32.exe	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Belebq32.exe	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Cdlgno32.dll	Bagflcje.exe
File opened for modification	C:\Windows\SysWOW64\Ageolo32.exe	Anmjcieo.exe
File created	C:\Windows\SysWOW64\Cdhhdlid.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Ddjejl32.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Hjfgfh32.dll	Qjoankoi.exe
File opened for modification	C:\Windows\SysWOW64\Agjhgngj.exe	Anadoi32.exe
File created	C:\Windows\SysWOW64\Aadifclh.exe	Afoeiklb.exe
File created	C:\Windows\SysWOW64\Cmlcbbcj.exe	Chokikeb.exe
File opened for modification	C:\Windows\SysWOW64\Cmlcbbcj.exe	Chokikeb.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Ghekgcil.dll	Ageolo32.exe
File created	C:\Windows\SysWOW64\Hfanhp32.dll	Cnnlaehj.exe
File opened for modification	C:\Windows\SysWOW64\Cjinkg32.exe	Belebq32.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Qjoankoi.exe	Qmkadgpo.exe
File created	C:\Windows\SysWOW64\Lpggmhkg.dll	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Pkmlea32.dll	Qgcbgo32.exe
File created	C:\Windows\SysWOW64\Bgehcmmm.exe	Beglgani.exe
File created	C:\Windows\SysWOW64\Jffggf32.dll	Cmlcbbcj.exe
File opened for modification	C:\Windows\SysWOW64\Anmjcieo.exe	Qgcbgo32.exe
File opened for modification	C:\Windows\SysWOW64\Afoeiklb.exe	Aabmqd32.exe
File created	C:\Windows\SysWOW64\Abkobg32.dll	Bjmnoi32.exe
File created	C:\Windows\SysWOW64\Bgcknmop.exe	Bjokdipf.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Qgcbgo32.exe	Qddfkd32.exe
File opened for modification	C:\Windows\SysWOW64\Bagflcje.exe	Bjmnoi32.exe
File opened for modification	C:\Windows\SysWOW64\Bnbmefbg.exe	Beihma32.exe
File created	C:\Windows\SysWOW64\Ingfla32.dll	Cdhhdlid.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Anmjcieo.exe	Qgcbgo32.exe
File created	C:\Windows\SysWOW64\Dmjapi32.dll	Bgcknmop.exe
File opened for modification	C:\Windows\SysWOW64\Ddjejl32.exe	Cnnlaehj.exe
File opened for modification	C:\Windows\SysWOW64\Dfiafg32.exe	Ddjejl32.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1132 4620 WerFault.exe Dmllipeg.exe

pid	pid_target	process	target process
1132	4620	WerFault.exe	Dmllipeg.exe

System Location Discovery: System Language Discovery 1 TTPs 48 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Qmkadgpo.exeQjoankoi.exeAgjhgngj.exeBjokdipf.exeDhkjej32.exeAnmjcieo.exeDkkcge32.exeDaekdooc.exeDhocqigp.exePcbmka32.exeAqncedbp.exeBeglgani.exeCeqnmpfo.exeDaqbip32.exeQddfkd32.exeBelebq32.exeCnkplejl.exeDfiafg32.exeAgeolo32.exeAnadoi32.exeAabmqd32.exeCmlcbbcj.exeCnnlaehj.exeDdmaok32.exeDjgjlelk.exeBgehcmmm.exeCdfkolkf.exeDdjejl32.exeDdakjkqi.exeCdhhdlid.exe8f24c5e4ec287f69235007b87cd825dd5123a4f75cfe659d3b71fc101943807dN.exeQgcbgo32.exeBnmcjg32.exeCabfga32.exeChmndlge.exeCnffqf32.exeChokikeb.exeDodbbdbb.exeDmllipeg.exeBnbmefbg.exeAnogiicl.exeAfoeiklb.exeAadifclh.exeBjmnoi32.exeBagflcje.exeBgcknmop.exeBeihma32.exeCjinkg32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmkadgpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjoankoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjhgngj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbmka32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqncedbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qddfkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ageolo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anadoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aabmqd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8f24c5e4ec287f69235007b87cd825dd5123a4f75cfe659d3b71fc101943807dN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgcbgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogiicl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afoeiklb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aadifclh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagflcje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe

Modifies registry class 64 IoCs

Processes:

Qjoankoi.exeQddfkd32.exeAnadoi32.exeBagflcje.exeCabfga32.exeDdakjkqi.exe8f24c5e4ec287f69235007b87cd825dd5123a4f75cfe659d3b71fc101943807dN.exeAabmqd32.exeDdjejl32.exeDaqbip32.exeAgjhgngj.exeCeqnmpfo.exeBgcknmop.exeBnbmefbg.exeCdfkolkf.exeDfiafg32.exeDdmaok32.exeDaekdooc.exePcbmka32.exeQgcbgo32.exeAadifclh.exeDhocqigp.exeCnkplejl.exeQmkadgpo.exeBeglgani.exeCdhhdlid.exeDhkjej32.exeCnffqf32.exeAqncedbp.exeChokikeb.exeDjgjlelk.exeDkkcge32.exeCnnlaehj.exeBjmnoi32.exeBjokdipf.exeBnmcjg32.exeCjinkg32.exeAgeolo32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qjoankoi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoglcqao.dll"	Cabfga32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lipdae32.dll"	8f24c5e4ec287f69235007b87cd825dd5123a4f75cfe659d3b71fc101943807dN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkjpmk32.dll"	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agjhgngj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	8f24c5e4ec287f69235007b87cd825dd5123a4f75cfe659d3b71fc101943807dN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcbmka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkmlea32.dll"	Qgcbgo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	8f24c5e4ec287f69235007b87cd825dd5123a4f75cfe659d3b71fc101943807dN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chempj32.dll"	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Laqpgflj.dll"	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldfgeigq.dll"	Aadifclh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beglgani.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdlgno32.dll"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdqjac32.dll"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfnphnen.dll"	Aqncedbp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chokikeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfgfh32.dll"	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beeppfin.dll"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingfla32.dll"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	8f24c5e4ec287f69235007b87cd825dd5123a4f75cfe659d3b71fc101943807dN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ageolo32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

8f24c5e4ec287f69235007b87cd825dd5123a4f75cfe659d3b71fc101943807dN.exePcbmka32.exeQmkadgpo.exeQjoankoi.exeQddfkd32.exeQgcbgo32.exeAnmjcieo.exeAgeolo32.exeAnogiicl.exeAqncedbp.exeAnadoi32.exeAgjhgngj.exeAabmqd32.exeAfoeiklb.exeAadifclh.exeBjmnoi32.exeBagflcje.exeBjokdipf.exeBgcknmop.exeBnmcjg32.exeBeglgani.exeBgehcmmm.exe

description	pid	process	target process
PID 4828 wrote to memory of 3460	4828	8f24c5e4ec287f69235007b87cd825dd5123a4f75cfe659d3b71fc101943807dN.exe	Pcbmka32.exe
PID 4828 wrote to memory of 3460	4828	8f24c5e4ec287f69235007b87cd825dd5123a4f75cfe659d3b71fc101943807dN.exe	Pcbmka32.exe
PID 4828 wrote to memory of 3460	4828	8f24c5e4ec287f69235007b87cd825dd5123a4f75cfe659d3b71fc101943807dN.exe	Pcbmka32.exe
PID 3460 wrote to memory of 2360	3460	Pcbmka32.exe	Qmkadgpo.exe
PID 3460 wrote to memory of 2360	3460	Pcbmka32.exe	Qmkadgpo.exe
PID 3460 wrote to memory of 2360	3460	Pcbmka32.exe	Qmkadgpo.exe
PID 2360 wrote to memory of 3516	2360	Qmkadgpo.exe	Qjoankoi.exe
PID 2360 wrote to memory of 3516	2360	Qmkadgpo.exe	Qjoankoi.exe
PID 2360 wrote to memory of 3516	2360	Qmkadgpo.exe	Qjoankoi.exe
PID 3516 wrote to memory of 3944	3516	Qjoankoi.exe	Qddfkd32.exe
PID 3516 wrote to memory of 3944	3516	Qjoankoi.exe	Qddfkd32.exe
PID 3516 wrote to memory of 3944	3516	Qjoankoi.exe	Qddfkd32.exe
PID 3944 wrote to memory of 4604	3944	Qddfkd32.exe	Qgcbgo32.exe
PID 3944 wrote to memory of 4604	3944	Qddfkd32.exe	Qgcbgo32.exe
PID 3944 wrote to memory of 4604	3944	Qddfkd32.exe	Qgcbgo32.exe
PID 4604 wrote to memory of 3340	4604	Qgcbgo32.exe	Anmjcieo.exe
PID 4604 wrote to memory of 3340	4604	Qgcbgo32.exe	Anmjcieo.exe
PID 4604 wrote to memory of 3340	4604	Qgcbgo32.exe	Anmjcieo.exe
PID 3340 wrote to memory of 2672	3340	Anmjcieo.exe	Ageolo32.exe
PID 3340 wrote to memory of 2672	3340	Anmjcieo.exe	Ageolo32.exe
PID 3340 wrote to memory of 2672	3340	Anmjcieo.exe	Ageolo32.exe
PID 2672 wrote to memory of 2612	2672	Ageolo32.exe	Anogiicl.exe
PID 2672 wrote to memory of 2612	2672	Ageolo32.exe	Anogiicl.exe
PID 2672 wrote to memory of 2612	2672	Ageolo32.exe	Anogiicl.exe
PID 2612 wrote to memory of 1748	2612	Anogiicl.exe	Aqncedbp.exe
PID 2612 wrote to memory of 1748	2612	Anogiicl.exe	Aqncedbp.exe
PID 2612 wrote to memory of 1748	2612	Anogiicl.exe	Aqncedbp.exe
PID 1748 wrote to memory of 5072	1748	Aqncedbp.exe	Anadoi32.exe
PID 1748 wrote to memory of 5072	1748	Aqncedbp.exe	Anadoi32.exe
PID 1748 wrote to memory of 5072	1748	Aqncedbp.exe	Anadoi32.exe
PID 5072 wrote to memory of 3564	5072	Anadoi32.exe	Agjhgngj.exe
PID 5072 wrote to memory of 3564	5072	Anadoi32.exe	Agjhgngj.exe
PID 5072 wrote to memory of 3564	5072	Anadoi32.exe	Agjhgngj.exe
PID 3564 wrote to memory of 5048	3564	Agjhgngj.exe	Aabmqd32.exe
PID 3564 wrote to memory of 5048	3564	Agjhgngj.exe	Aabmqd32.exe
PID 3564 wrote to memory of 5048	3564	Agjhgngj.exe	Aabmqd32.exe
PID 5048 wrote to memory of 3588	5048	Aabmqd32.exe	Afoeiklb.exe
PID 5048 wrote to memory of 3588	5048	Aabmqd32.exe	Afoeiklb.exe
PID 5048 wrote to memory of 3588	5048	Aabmqd32.exe	Afoeiklb.exe
PID 3588 wrote to memory of 3456	3588	Afoeiklb.exe	Aadifclh.exe
PID 3588 wrote to memory of 3456	3588	Afoeiklb.exe	Aadifclh.exe
PID 3588 wrote to memory of 3456	3588	Afoeiklb.exe	Aadifclh.exe
PID 3456 wrote to memory of 1528	3456	Aadifclh.exe	Bjmnoi32.exe
PID 3456 wrote to memory of 1528	3456	Aadifclh.exe	Bjmnoi32.exe
PID 3456 wrote to memory of 1528	3456	Aadifclh.exe	Bjmnoi32.exe
PID 1528 wrote to memory of 4892	1528	Bjmnoi32.exe	Bagflcje.exe
PID 1528 wrote to memory of 4892	1528	Bjmnoi32.exe	Bagflcje.exe
PID 1528 wrote to memory of 4892	1528	Bjmnoi32.exe	Bagflcje.exe
PID 4892 wrote to memory of 4744	4892	Bagflcje.exe	Bjokdipf.exe
PID 4892 wrote to memory of 4744	4892	Bagflcje.exe	Bjokdipf.exe
PID 4892 wrote to memory of 4744	4892	Bagflcje.exe	Bjokdipf.exe
PID 4744 wrote to memory of 4848	4744	Bjokdipf.exe	Bgcknmop.exe
PID 4744 wrote to memory of 4848	4744	Bjokdipf.exe	Bgcknmop.exe
PID 4744 wrote to memory of 4848	4744	Bjokdipf.exe	Bgcknmop.exe
PID 4848 wrote to memory of 768	4848	Bgcknmop.exe	Bnmcjg32.exe
PID 4848 wrote to memory of 768	4848	Bgcknmop.exe	Bnmcjg32.exe
PID 4848 wrote to memory of 768	4848	Bgcknmop.exe	Bnmcjg32.exe
PID 768 wrote to memory of 5068	768	Bnmcjg32.exe	Beglgani.exe
PID 768 wrote to memory of 5068	768	Bnmcjg32.exe	Beglgani.exe
PID 768 wrote to memory of 5068	768	Bnmcjg32.exe	Beglgani.exe
PID 5068 wrote to memory of 4172	5068	Beglgani.exe	Bgehcmmm.exe
PID 5068 wrote to memory of 4172	5068	Beglgani.exe	Bgehcmmm.exe
PID 5068 wrote to memory of 4172	5068	Beglgani.exe	Bgehcmmm.exe
PID 4172 wrote to memory of 1460	4172	Bgehcmmm.exe	Beihma32.exe

C:\Users\Admin\AppData\Local\Temp\8f24c5e4ec287f69235007b87cd825dd5123a4f75cfe659d3b71fc101943807dN.exe
"C:\Users\Admin\AppData\Local\Temp\8f24c5e4ec287f69235007b87cd825dd5123a4f75cfe659d3b71fc101943807dN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4828
- C:\Windows\SysWOW64\Pcbmka32.exe
  C:\Windows\system32\Pcbmka32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3460
- - C:\Windows\SysWOW64\Qmkadgpo.exe
    C:\Windows\system32\Qmkadgpo.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2360
  - - C:\Windows\SysWOW64\Qjoankoi.exe
      C:\Windows\system32\Qjoankoi.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3516
    - - C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3944
      - C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4604
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3340
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2672
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2612
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1748
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5072
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3564
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5048
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3588
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3456
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1528
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4892
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4744
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4848
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:768
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5068
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4172
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1460
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2308
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2016
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4164
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4496
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2432
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1852
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1960
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3220
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1520
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4404
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2784
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2496
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2296
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3300
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4796
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2684
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1732
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:452
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2512
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:868
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1608
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3580
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3876
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4652
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4620
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4620 -s 404
        49⤵
        Program crash
        
        PID:1132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4620 -ip 4620
1⤵
PID:1876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aabmqd32.exe

Filesize
96KB

MD5
d61c4d719e0fe2472d54d3f50f409a42

SHA1
55fd821011b06fe3fcf6b94988be33985f951c35

SHA256
94f705b93ca0dd63865e91d0769d994bf532d1b10052bbb956b0c6f965165141

SHA512
d3c4f592f14a5915aa29226bc9dfbaca098813e88c95e4996c431e9ebf0ced6201d4fe30f2ee2c1855b4cf7d39ab0841215df113ea97b4e4e61a0c6ab7a231c6

Download Submit
C:\Windows\SysWOW64\Aadifclh.exe

Filesize
96KB

MD5
92edfdfa700ec5c2fb6e5e920c457009

SHA1
26574dec9c63159cb08c2399d2bad34782a1be63

SHA256
2982e4de1703ab9f0d4aa7cfc2f849a8272c4740b351294131ee47fa87761bbc

SHA512
8f8902950222e584c4a75f146621deccf64c16a71df299dc5bff07750eb3885d84667fa48b3ed1349b21ba413a900377b8a51a164335989b316ae0c01e98467a

Download Submit
C:\Windows\SysWOW64\Afoeiklb.exe

Filesize
96KB

MD5
507e0bddad322dfe1e207f1c1ce2d144

SHA1
5dba63ce23d78ed43e86936935ddcca9e900135e

SHA256
fc9c05d81fd7d0a13fc043ab3d3894d8181b9911139417489c669ffec4d79a4d

SHA512
257d6eaa24d4931a7c9cf84ce160d737deb85a7ec6201a47be1185fe241c8960eb4a725bca65c53fd98ede4cd1df29708b4ed341d82958a8fda39488b29ae951

Download Submit
C:\Windows\SysWOW64\Ageolo32.exe

Filesize
96KB

MD5
ce0e7c0f0f59c64bb4d5b2ce0ec6fdce

SHA1
78eace904e52c2a432be06ecc2c9dc1918d4d742

SHA256
d5ce80d304111f4461e22c1dd4135b263579468a4d3e2ea75542906cc0673a70

SHA512
f5777efa4fb3c11c80eeeef6ec3b353ce6732bd262e71f7ceff40611a1c8304872884a70e22a386d722272c49fc57671b717b66b23dd72963618d664b15c2a2c

Download Submit
C:\Windows\SysWOW64\Agjhgngj.exe

Filesize
96KB

MD5
ddd2e2a43d97c59be1dae745a288894a

SHA1
88e6c6915fb4a760a72c8a345b876dfcee0c9186

SHA256
63601488366570425b77276b214e9ac791c105f009afc192e99d991ac9a52a63

SHA512
b8f31ba41eafdd02ebea5c0e93f872d557d5ab9496b7dfea85aa2887e542da672082862ca77123d9ed65fad8049cdc3ba37fee0c0276c9d637dfd87267de28a4

Download Submit
C:\Windows\SysWOW64\Anadoi32.exe

Filesize
96KB

MD5
72657366ce322fa86e8807deed4e7325

SHA1
641572af9b272e6cd13cfb7836e17b598d63c248

SHA256
b52c3792dd5977f2d8f9608cbc479e8c9afd8984142309db7f7216352e28cba1

SHA512
9ed869451844a4bb3928cf59cac03c19e0cabd72dba1b2916e6825e542acfe8f5a94592f766540cc63ac5de0cf3f3785713c3717f1802bdec98b77ad6addfbde

Download Submit
C:\Windows\SysWOW64\Anmjcieo.exe

Filesize
96KB

MD5
4ca20d132b58e9f4b5e58e4af818be97

SHA1
e0114e1e8583461dbaa55bafded31f4da8c6b0ec

SHA256
8ae3cc07bf67210c0ebffe637637f78f02b732aaa0b5e93ccba17d1377bc9385

SHA512
cea596924ea6a1c37c016ba9897afc2b0f173f983a9687fee6ee37708975c1265f1088ee95ce758faf4beb2f82ca5f652ec555b940c19a94a6ec55d5689e0735

Download Submit
C:\Windows\SysWOW64\Anogiicl.exe

Filesize
96KB

MD5
c02d206a3a8fd441e943c9a0d9c05e5e

SHA1
2505685b0513320998e14dea128880a6469f900f

SHA256
4c74467b26256bb60cbc01fe19591a56f21f68eb81b4f5b547ca3f9483d3234a

SHA512
1f1ad225d6ec2049df9dd65c9d484fee74bcd7c93220be6cded0d1646da5332e658d5659ba32ffbba11d9c87d6918a25a1456907e5b53456ce598bda6972e29b

Download Submit
C:\Windows\SysWOW64\Aqncedbp.exe

Filesize
96KB

MD5
59af4b9319c05dc933ff8f052d4cee3d

SHA1
92cad3549f73cd2987a5618aee6eba7d48787981

SHA256
71af6ee6cca4e1ed40e93b8d960881273e174f1815d32a5da9cb4540b7840cb3

SHA512
d375ec286c2689d85da89bf993768d14defe20df57503d4b559d6e411abbed058c711384b49ad9e9b58f91d0066acaba7f4bca17dde89acb64658b08ebd1ae99

Download Submit
C:\Windows\SysWOW64\Bagflcje.exe

Filesize
96KB

MD5
8ff46cbe6b872a652154e1711ca62883

SHA1
a6f1f8a54901e0c1d378cbcf2547cc0756ea5524

SHA256
5c2d0e239548f5c1de5bdeb6ceaa8763bb2063dd70db2b70d338a6dfc178dec6

SHA512
81cc42d343f0d191406ba4f1d2e289c4cfdbeba95a284f4df83c5215e7179212db807fd6d3d0675dd1315ebc74671ddfa0a58346076073eb23011ffad2eb6de4

Download Submit
C:\Windows\SysWOW64\Beglgani.exe

Filesize
96KB

MD5
d835608866351fe4cdcba90fb9301071

SHA1
c167127dff2d293143cf1a2dc08f99a3be1b1dcb

SHA256
864c657d6e7722d23d53fd1297322abb2970b17b2c3c29955ad83dd1b92adeec

SHA512
8545c834d2e3ff3ddc19f47c29bea912ccbc3e0af1398591a0bc822b81c9a1ddc851df001a3e8648343690dc0ed5c4b41068e393e64d38f8db1bcacd43433a7d

Download Submit
C:\Windows\SysWOW64\Beihma32.exe

Filesize
96KB

MD5
5e3c3ccd61541ce8a4d2845572315998

SHA1
5c714e6b4013dd75bd4fa1ac3a85fb30e62b6898

SHA256
cae8f82bb81a2be378a753fd1c5aedec9115b9c53621da8a280f580552f6df74

SHA512
72b916d7fb81a6636ce4c71adec346c1dcdee4376c13acacc49a82d80fb958a6eb72dddcb12bcfc1db11a67b5ce774e78906ce08c21045e933baaf763342bd9c

Download Submit
C:\Windows\SysWOW64\Belebq32.exe

Filesize
96KB

MD5
3846418bb7844bdb4e033bebaa59306d

SHA1
ef72704482d09cd0dc07a430fb3e30958e1ab721

SHA256
15c5f4c6038a88310e33d1d7c7d8ee8046f85d178cd8163389ee75b91d91636f

SHA512
faa9383d561776d37156d89ac8da7b017f124fb4f0ce244a40e64ed9f7589016b192e016dba740641f507ae33360b95f9986d89c9566ce80599c153531d68d8e

Download Submit
C:\Windows\SysWOW64\Bgcknmop.exe

Filesize
96KB

MD5
fcd386b0b4832f079a5ebeb9264b7da0

SHA1
49087a8ce659412115c1e7f2c56336c00e50253e

SHA256
2ea7c90d2e889664772fc2ea00636799ae1f2c8fc5cd5f1ad0019dd10f806e25

SHA512
3fff857aa9bc98a870c4153f40c2608e95c6d60fdfb2c84f412a2400d77573ce5231ac58199d19350d2daa61616ae261f96adfef283deed74c977440e0161732

Download Submit
C:\Windows\SysWOW64\Bgehcmmm.exe

Filesize
96KB

MD5
f85c635a80432d71c0dd4a1b690e00eb

SHA1
01667cf3d38a9cb4a68bd4e646f351e375b013cc

SHA256
6784e097f32669086b5e06f5321ce5a8b6761066bc11db8cfe6cd11c62310edf

SHA512
5aef8e1625bb7d8b6e0cb05beee67f0053001d0f1608b59b4169c0ea77a41cc48c6b41b02b3a73f44fead9df467440d3d99f3384ae79d96f7da3e54fc896f219

Download Submit
C:\Windows\SysWOW64\Bjmnoi32.exe

Filesize
96KB

MD5
66f3d1ab8c250b81e6a9bba650fb6b38

SHA1
a0d9f06080ffde00bd2fc755801157aec6d08aa7

SHA256
08f01daca068d1b6c33e2459ad25e9b515f52dbbf8244e4344c28b9ee4e2254a

SHA512
0654b8f3aabb68245e92d58ab62da5b504c98e48cf9cf6404ce252bf99e090c67d60246e35f3d8bb4dd0ec1d46e0676a7142faef63273b37d94a02fa0848db61

Download Submit
C:\Windows\SysWOW64\Bjokdipf.exe

Filesize
96KB

MD5
271428c33139802f8fff930a21caaf37

SHA1
9698a6394721eb658ff5a040b320079ff0eb45d2

SHA256
15a846e14ca4b615c6b13ca17c54a916b2872357749c28f2545268e07fb2c2e9

SHA512
e8895e4d4ffd846d0b731a125ed53e5a7985e66ee11dd57ab225f29f141d3a9343693629203d27862857d47c3ab4c1d31480226cf753a7fd4b0ab5c0c1cd8fd1

Download Submit
C:\Windows\SysWOW64\Bnbmefbg.exe

Filesize
96KB

MD5
5a6c3ce9474f03d822fdb434dbde86d8

SHA1
7b6c0676f4381b0943db9af9351a9b7f399ec01b

SHA256
579377ac821e701c5e251050f651381e8de356d8a4ba5174e669aff6be598ffa

SHA512
e3ec04739f8d59f08a89293b04f693e96d5ac5261438a3e9bd91fd81b8290856dbfc2608a47822f2d4a8ceaf35bab8a2c54890488c9bcc7951a88ddccf79db9c

Download Submit
C:\Windows\SysWOW64\Bnmcjg32.exe

Filesize
96KB

MD5
07dc70797b4cca2c6e7131a10dfeec8b

SHA1
0d3a4309d275d24fe061acc1e5dd444d2696bebe

SHA256
8bf3bcf5cd957c78fd2b671a070f4d8a18e32fc136ff4a700d6e8ca64c79eba0

SHA512
c83fc096f8129687058a54a7bc90dbb3786dea7a2f53cda06e5b4856220610ee17aef2d7281ce9d30defb869b71992d6fb519313d5ed3e883309fd192a75c9bb

Download Submit
C:\Windows\SysWOW64\Cabfga32.exe

Filesize
96KB

MD5
f36ef16b4d942e7cb01c74829ed32f05

SHA1
3def60890ec532ef2937fbe77a93fc94b2d02337

SHA256
5704ebbc504a367946710daa241596a85b4c0d5be2ab8ee024f822ede0ec9a4e

SHA512
1b9bc74342a94e7a874a4bde66f9441566f853535f1089d3b383080c104cff8a65df85dfbcd074eef5b7dc74aef8fdf36f87a9e751df03ea88ab45d61f8db961

Download Submit
C:\Windows\SysWOW64\Cdfkolkf.exe

Filesize
96KB

MD5
c75efc6e61012be4cc9fa593f4811907

SHA1
5e5802402a0a95a1724e4bb0fe40fb4a8715d839

SHA256
044db30fbf88cb4d9f54e35a203791b53c3950fdad2703b35c2d1c43fe9485e4

SHA512
c25d22e17bfa854829430eb0c617cefa6b5e265d7ae033ed8598eb8a7257fef06cbf9de82cb0a17e82cd5dd0aab7c7ffb7e4474747cfc7a5dc210b5d6edd1a18

Download Submit
C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
96KB

MD5
24701b904ecb1e09a54b9ffe1c98f34f

SHA1
3aca354627d764022e9cd3a6da0a73b51db2b82d

SHA256
993abb1c99d421fdc8ca3831b01e2a2a5c792fa5c54fea5d5832825c07b87d78

SHA512
ae1241d86fbb6e5c2f3dd3289a18ca91339f6387dcb7667019b28ac50238618ad14c22bdae00e3eac03bc88d3ebcd0745ee3b9a8b65f4747316ae48524772049

Download Submit
C:\Windows\SysWOW64\Chmndlge.exe

Filesize
96KB

MD5
20716191f7f71858b8bbb689978d5240

SHA1
70449cf585f5b6dabfcc1ab1fd77b76bf6775d9e

SHA256
52411f94b9e5382a93f8275a6852ef6dd59d71b4d4498680a7ebc3572b241041

SHA512
042167e1516a39953763db9510d1150330e27e479d1bb62d3ee0350938b9468221f9aef4d56eb36bc3fdbadf0bbf8facc0f800142806ec2a0f2aca94874e2eae

Download Submit
C:\Windows\SysWOW64\Chokikeb.exe

Filesize
96KB

MD5
fec3b59474a24b0ed01ba1b381e5423f

SHA1
7b6624d9a0726466441af68c2f511390de681f04

SHA256
9e0ba2fccc07a6046e699089e5ec4b7f277a167ebbfb2b88b2cbc8d1d2eab1d1

SHA512
688ae17a5bd0f120c7d30240e7d8facf4e5ac958d4a7a8c52ce06dd1805a28d243fc1cfb2a6e06c57523be37f4eb67d685fc3449078bcb0a10bc8e108534c8a8

Download Submit
C:\Windows\SysWOW64\Cjinkg32.exe

Filesize
96KB

MD5
ce9df60e02a2862921141792407593f1

SHA1
c456714695604dd76670d7e43f35aef7c05f204f

SHA256
b57ab033c3b2f55da245d6411eaa3379b70d45f9e8867b44e0a688b0a7ea9083

SHA512
866d55e1ae4b625d18089bfe328f1a3a4fa64daeafc7e24f624d2ef8f93aeb04719e026e8d2a86ca67f63ed8ea91bc227e2275064ab334d226f77908fb51181c

Download Submit
C:\Windows\SysWOW64\Cmlcbbcj.exe

Filesize
96KB

MD5
012055048856c679d41010213196e7c4

SHA1
1d3bf5e826747da0061ae0feb8886b9d1b1273f8

SHA256
a0d85c4d115b7eb1c7524511ddd545052405cf7a91d69062a8f861a5121b11ee

SHA512
ac67399ebf92d7170ff90052524cfba7eae1addaf100ab06ee057e4dfb5f54b4c8dd4ed89480003ab885ac6efe5152ed8e3ed124f2d040c633946ef1e4cbdde8

Download Submit
C:\Windows\SysWOW64\Cnffqf32.exe

Filesize
96KB

MD5
5c4012e7d3dc8dc138b7318c3a8366a2

SHA1
99d5db191c986c50a5fc982ab27563ff73b931d5

SHA256
3341ffe5b430d0a73e35f17545236e56daf7c0eb9a55d41ca5047242b73a2a97

SHA512
0bfe016d7191a6f685768d8206d27d7e05ef303b82899497fea1a305bbf2c60f1153a69f88b0978ac7e27f811e66220b5b1819532faa924039069a03dae0fd83

Download Submit
C:\Windows\SysWOW64\Cnkplejl.exe

Filesize
96KB

MD5
040b23b4b1138d084eb5a4a77d9e5853

SHA1
f29bbac226aedba607d576febe83a7cadaef63f5

SHA256
8d63838d2930f3965a1f1f44155baa11986c7296fe6b6a196848ab2ddf8cf5f2

SHA512
698cfb6bd47fc7b026a81c673b00156c24f9e1b3cfad8788156aebc9c95ef215ba45997d6729f8d1c2cb3f61b02fe50013721e55ea73df2d22fc95bb83142562

Download Submit
C:\Windows\SysWOW64\Ddjejl32.exe

Filesize
96KB

MD5
cb8b32c4e559155654ee5c38ef302111

SHA1
d8620362acc2967d9d4539ffd6988b8de1c1896e

SHA256
6cf81005147dc32c4c9bbcf0c549e59b62674f86d8356e3226d5c586e3856cc8

SHA512
cdb54c1f4ce408911ca3877f72d81b78b4acda06245c62400e5b31dc287be2a693d86925b4d7d732130ad70923f3c2026a4cfcdaf19708e1483f5d20ee4f1326

Download Submit
C:\Windows\SysWOW64\Pcbmka32.exe

Filesize
96KB

MD5
db825adb32089abef40545410a574977

SHA1
308720290c5bb6c4afc50f9db6844c3485b567b1

SHA256
2b45e4c0182b3f9f176cb7ae1cf1a20537c3210899a6eb7d5b516a94cbf5ecc1

SHA512
d442c15fbcf763cdf248e1fe5166d4dddadb715a52d99b89db449c75278960b9328ae33f8da4af7414fcc2b4037316951808dff9e46cca8a02ebfc1ba78e9124

Download Submit
C:\Windows\SysWOW64\Qddfkd32.exe

Filesize
96KB

MD5
c6d5d89ee1dcace450f50ca172dbe04b

SHA1
0643480dfd0e6322051b893218505908f8850a6f

SHA256
3a0e127d1473fed71da577e06c1aa0c19d48846cfadf6efb83949e52bcc720dc

SHA512
1ad58e1ce3536847ce4447b33788d939f55c16020895f5984d716085b1ecfe01f544535c881bd1e0aedf8f83e9f9b911323180b2bb350e679bb6e468645e0d94

Download Submit
C:\Windows\SysWOW64\Qgcbgo32.exe

Filesize
96KB

MD5
a7d6473a17665d29d6466d07bfce8cc6

SHA1
9d7a910a850492b6d1a06ef4de979b36c30ca482

SHA256
ac60eb80152949736b737b44243c0021563b9e13e9672615a2462916b2abc0c9

SHA512
3c388c6c59f93729177026ee0f8018c79825697fb86e3aefc81efc86430e9484048ccfc8c46c99db786d60bf8b583c3b3b926ce7d5cdc882d049f6091d8e2138

Download Submit
C:\Windows\SysWOW64\Qjoankoi.exe

Filesize
96KB

MD5
92288eb1d54c8b1cc32b58e4d23a10ae

SHA1
cd5618b257f660a3acb5d49d62fc1de7f14895dc

SHA256
2a37e3f3b37d451c3dfd0f271a5193480cb1bdd2aa8a5199ecc74c74eecbec3f

SHA512
0b0c13a42cfda9df15014d4e200a955f10522fbe7aeb069dd33cffefb65a21cb3f18eaaf8b9ffec0e12a4e2f50b639d5f2278cb142c29d7def9af9a1e82ae67d

Download Submit
C:\Windows\SysWOW64\Qmkadgpo.exe

Filesize
96KB

MD5
7dc216d252dda4525d8734deb20f5695

SHA1
8fb694fa5bb32a7eb55f5d3dc4f6f3f3893cffad

SHA256
8148da5e9e2722b7052900f895abadd1b2749ee82e1fa6f2dbffdd9d2d1c8649

SHA512
d3005e34965e6e0a3d8294c8ffc561d40c3beef8a40bca91d87f6561a24518d43d6f00db9f3b5bd40fff376b8545e9def51c335bbfd39bb06978f6502c162359

Download Submit
memory/452-304-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/452-357-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/768-397-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/768-156-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/868-312-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/868-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1460-392-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1460-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1520-374-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1520-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1528-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1528-405-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1608-318-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1608-351-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1732-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1732-294-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1748-417-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1748-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1852-380-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1852-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1960-225-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1960-378-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2016-388-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2016-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2296-270-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2296-366-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2308-390-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2308-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2360-430-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2360-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2432-217-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2432-382-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2496-368-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2496-264-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2512-306-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2512-355-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2612-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2612-69-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2672-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2672-421-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2684-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2784-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2784-370-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3220-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3220-376-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3300-364-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3300-276-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3340-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3340-423-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3456-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3456-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3460-432-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3460-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3516-428-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3516-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3564-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3564-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3580-324-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3580-349-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3588-409-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3588-105-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3876-330-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3876-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3944-37-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4164-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4164-386-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4172-169-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4172-394-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4404-372-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4404-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4496-384-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4496-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4604-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4604-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4620-342-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4652-336-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4652-346-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4744-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4744-137-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4796-282-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4796-362-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4828-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4828-434-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4828-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4848-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4848-399-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4892-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4892-403-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5048-411-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5048-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5068-165-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5072-415-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5072-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download