berbew | 3ceee6f48111ab4080bd6baf04761e3b3e4d491414cb054b8e0e489e2885fca4

Analysis

max time kernel
93s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2024 22:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3ceee6f48111ab4080bd6baf04761e3b3e4d491414cb054b8e0e489e2885fca4.exe
Size

163KB
MD5

7e09d1ead4b9b4a0ebfaec0f08824c1b
SHA1

6c316543db199524f4f5f56ea26d16da0d2a5f20
SHA256

3ceee6f48111ab4080bd6baf04761e3b3e4d491414cb054b8e0e489e2885fca4
SHA512

cbc0e00258dd85ea3aa6aae8d58885ca0dcd3a6c5ffc06489377544c9c3565eaffa73f2307e057ed384da0e6a745e486709b011561454ae87f247722e678fd4e
SSDEEP

1536:PTzugSV/4dhS5QSRHEjdOFDGlProNVU4qNVUrk/9QbfBr+7GwKrPAsqNVU:3ugSVIaQckjdOlGltOrWKDBr+yJb

Score

10^/10

berbew bruteratel gozi backdoor banker discovery isfb persistence trojan

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://master-x.com/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://crutop.ru/index.php

http://kaspersky.ru/index.php

http://color-bank.ru/index.php

http://adult-empire.com/index.php

http://virus-list.com/index.php

http://trojan.ru/index.php

http://xware.cjb.net/index.htm

http://konfiskat.org/index.htm

http://parex-bank.ru/index.htm

http://fethard.biz/index.htm

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

Extracted

Family

gozi

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Aabmqd32.exeAnfmjhmd.exeCfmajipb.exeDmefhako.exeDmjocp32.exeAglemn32.exeAgoabn32.exeBjddphlq.exeChmndlge.exeDkkcge32.exeDknpmdfc.exe3ceee6f48111ab4080bd6baf04761e3b3e4d491414cb054b8e0e489e2885fca4.exeBclhhnca.exeBcoenmao.exeCaebma32.exeCjbpaf32.exeCegdnopg.exeAqppkd32.exeBnmcjg32.exeBanllbdn.exeDopigd32.exeDodbbdbb.exeAjckij32.exeBmkjkd32.exeBcebhoii.exeCfbkeh32.exeDdonekbl.exeBchomn32.exeAfhohlbj.exeChagok32.exeDeagdn32.exeBcjlcn32.exeDelnin32.exeBnbmefbg.exeCeehho32.exeDaconoae.exeDhhnpjmh.exeAfjlnk32.exeAfmhck32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agoabn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	3ceee6f48111ab4080bd6baf04761e3b3e4d491414cb054b8e0e489e2885fca4.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	3ceee6f48111ab4080bd6baf04761e3b3e4d491414cb054b8e0e489e2885fca4.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqppkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Banllbdn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajckij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afhohlbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agoabn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqppkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afmhck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aabmqd32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew
Brute Ratel C4
A customized command and control framework for red teaming and adversary simulation.
backdoor bruteratel
Bruteratel family
bruteratel

Detect BruteRatel badger 1 IoCs

Processes:

resource	yara_rule
C:\Windows\SysWOW64\Ddonekbl.exe	family_bruteratel

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Gozi family
gozi

Executes dropped EXE 39 IoCs

Processes:

Afhohlbj.exeAjckij32.exeAfjlnk32.exeAqppkd32.exeAfmhck32.exeAabmqd32.exeAglemn32.exeAnfmjhmd.exeAgoabn32.exeBmkjkd32.exeBcebhoii.exeBchomn32.exeBnmcjg32.exeBcjlcn32.exeBjddphlq.exeBanllbdn.exeBclhhnca.exeBnbmefbg.exeBcoenmao.exeCfmajipb.exeChmndlge.exeCaebma32.exeCfbkeh32.exeChagok32.exeCeehho32.exeCjbpaf32.exeCegdnopg.exeDopigd32.exeDhhnpjmh.exeDmefhako.exeDelnin32.exeDdonekbl.exeDodbbdbb.exeDaconoae.exeDkkcge32.exeDmjocp32.exeDeagdn32.exeDknpmdfc.exeDmllipeg.exe

pid	process
3248	Afhohlbj.exe
5060	Ajckij32.exe
2936	Afjlnk32.exe
4764	Aqppkd32.exe
1028	Afmhck32.exe
912	Aabmqd32.exe
1960	Aglemn32.exe
1388	Anfmjhmd.exe
4632	Agoabn32.exe
664	Bmkjkd32.exe
1060	Bcebhoii.exe
4548	Bchomn32.exe
4368	Bnmcjg32.exe
2816	Bcjlcn32.exe
5032	Bjddphlq.exe
728	Banllbdn.exe
988	Bclhhnca.exe
4496	Bnbmefbg.exe
3520	Bcoenmao.exe
1952	Cfmajipb.exe
2208	Chmndlge.exe
1140	Caebma32.exe
1144	Cfbkeh32.exe
3156	Chagok32.exe
4252	Ceehho32.exe
2212	Cjbpaf32.exe
1308	Cegdnopg.exe
1776	Dopigd32.exe
1120	Dhhnpjmh.exe
3032	Dmefhako.exe
3364	Delnin32.exe
1360	Ddonekbl.exe
4308	Dodbbdbb.exe
1472	Daconoae.exe
3704	Dkkcge32.exe
3996	Dmjocp32.exe
756	Deagdn32.exe
2796	Dknpmdfc.exe
2032	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

Processes:

Caebma32.exeCjbpaf32.exeDdonekbl.exeAfmhck32.exeAabmqd32.exeBclhhnca.exeAnfmjhmd.exeDmefhako.exeAjckij32.exeBmkjkd32.exeChagok32.exeAfjlnk32.exeCfbkeh32.exeDkkcge32.exeAgoabn32.exeDhhnpjmh.exeBcebhoii.exeChmndlge.exeDodbbdbb.exeAqppkd32.exeAglemn32.exe3ceee6f48111ab4080bd6baf04761e3b3e4d491414cb054b8e0e489e2885fca4.exeDmjocp32.exeBnmcjg32.exeBanllbdn.exeDeagdn32.exeBcjlcn32.exeDaconoae.exeBcoenmao.exeAfhohlbj.exeCeehho32.exeDelnin32.exeBchomn32.exeBjddphlq.exeDopigd32.exeBnbmefbg.exeCfmajipb.exeCegdnopg.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Cfbkeh32.exe	Caebma32.exe
File opened for modification	C:\Windows\SysWOW64\Cegdnopg.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Idnljnaa.dll	Afmhck32.exe
File opened for modification	C:\Windows\SysWOW64\Aglemn32.exe	Aabmqd32.exe
File created	C:\Windows\SysWOW64\Mkfdhbpg.dll	Bclhhnca.exe
File opened for modification	C:\Windows\SysWOW64\Agoabn32.exe	Anfmjhmd.exe
File created	C:\Windows\SysWOW64\Delnin32.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Ddonekbl.exe
File opened for modification	C:\Windows\SysWOW64\Afjlnk32.exe	Ajckij32.exe
File created	C:\Windows\SysWOW64\Eeiakn32.dll	Bmkjkd32.exe
File created	C:\Windows\SysWOW64\Jekpanpa.dll	Chagok32.exe
File created	C:\Windows\SysWOW64\Aqppkd32.exe	Afjlnk32.exe
File opened for modification	C:\Windows\SysWOW64\Chagok32.exe	Cfbkeh32.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Aglemn32.exe	Aabmqd32.exe
File created	C:\Windows\SysWOW64\Akmfnc32.dll	Agoabn32.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Bchomn32.exe	Bcebhoii.exe
File created	C:\Windows\SysWOW64\Olfdahne.dll	Chmndlge.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Hpoddikd.dll	Aqppkd32.exe
File created	C:\Windows\SysWOW64\Mnjgghdi.dll	Aabmqd32.exe
File created	C:\Windows\SysWOW64\Ljbncc32.dll	Aglemn32.exe
File created	C:\Windows\SysWOW64\Afhohlbj.exe	3ceee6f48111ab4080bd6baf04761e3b3e4d491414cb054b8e0e489e2885fca4.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Caebma32.exe	Chmndlge.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Jlklhm32.dll	Afjlnk32.exe
File created	C:\Windows\SysWOW64\Bcjlcn32.exe	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Bclhhnca.exe	Banllbdn.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Bjddphlq.exe	Bcjlcn32.exe
File created	C:\Windows\SysWOW64\Ghekjiam.dll	Caebma32.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Daconoae.exe
File created	C:\Windows\SysWOW64\Bcebhoii.exe	Bmkjkd32.exe
File opened for modification	C:\Windows\SysWOW64\Cfmajipb.exe	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Gidbim32.dll	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Dmefhako.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Daconoae.exe
File opened for modification	C:\Windows\SysWOW64\Ajckij32.exe	Afhohlbj.exe
File opened for modification	C:\Windows\SysWOW64\Bcjlcn32.exe	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Jgilhm32.dll	Ceehho32.exe
File opened for modification	C:\Windows\SysWOW64\Ddonekbl.exe	Delnin32.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Bnmcjg32.exe	Bchomn32.exe
File created	C:\Windows\SysWOW64\Qihfjd32.dll	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dopigd32.exe
File opened for modification	C:\Windows\SysWOW64\Bcoenmao.exe	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Aoglcqao.dll	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Dmefhako.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Deagdn32.exe
File created	C:\Windows\SysWOW64\Bnbmefbg.exe	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Qlgene32.dll	Cfbkeh32.exe
File opened for modification	C:\Windows\SysWOW64\Aabmqd32.exe	Afmhck32.exe
File created	C:\Windows\SysWOW64\Bcoenmao.exe	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Chmndlge.exe	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Hhqeiena.dll	Bcjlcn32.exe
File opened for modification	C:\Windows\SysWOW64\Caebma32.exe	Chmndlge.exe
File created	C:\Windows\SysWOW64\Dopigd32.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Afjlnk32.exe	Ajckij32.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dkkcge32.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1920 2032 WerFault.exe Dmllipeg.exe

pid	pid_target	process	target process
1920	2032	WerFault.exe	Dmllipeg.exe

System Location Discovery: System Language Discovery 1 TTPs 40 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Cfmajipb.exeDmefhako.exeCjbpaf32.exe3ceee6f48111ab4080bd6baf04761e3b3e4d491414cb054b8e0e489e2885fca4.exeAfjlnk32.exeAfmhck32.exeBanllbdn.exeCfbkeh32.exeBjddphlq.exeBcoenmao.exeCaebma32.exeAfhohlbj.exeAabmqd32.exeAglemn32.exeBmkjkd32.exeBnmcjg32.exeDmllipeg.exeAjckij32.exeAgoabn32.exeBcjlcn32.exeChmndlge.exeDdonekbl.exeBclhhnca.exeDkkcge32.exeDeagdn32.exeDknpmdfc.exeAqppkd32.exeAnfmjhmd.exeBchomn32.exeCeehho32.exeDmjocp32.exeBcebhoii.exeChagok32.exeCegdnopg.exeDhhnpjmh.exeDaconoae.exeBnbmefbg.exeDopigd32.exeDelnin32.exeDodbbdbb.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3ceee6f48111ab4080bd6baf04761e3b3e4d491414cb054b8e0e489e2885fca4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afjlnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afmhck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afhohlbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aabmqd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aglemn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajckij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqppkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe

Modifies registry class 64 IoCs

Processes:

Delnin32.exeDmjocp32.exeBnmcjg32.exeDhhnpjmh.exeDdonekbl.exeDodbbdbb.exeAqppkd32.exeCegdnopg.exeDeagdn32.exeBanllbdn.exeCeehho32.exe3ceee6f48111ab4080bd6baf04761e3b3e4d491414cb054b8e0e489e2885fca4.exeBclhhnca.exeBcoenmao.exeDmefhako.exeAfjlnk32.exeBcebhoii.exeCfmajipb.exeBmkjkd32.exeAnfmjhmd.exeAgoabn32.exeDkkcge32.exeBcjlcn32.exeAfmhck32.exeAfhohlbj.exeBnbmefbg.exeCaebma32.exeAabmqd32.exeAglemn32.exeDknpmdfc.exeDopigd32.exeBjddphlq.exeDaconoae.exeBchomn32.exeChmndlge.exeChagok32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjjdjk32.dll"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aqppkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjlogcip.dll"	Banllbdn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceehho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	3ceee6f48111ab4080bd6baf04761e3b3e4d491414cb054b8e0e489e2885fca4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlklhm32.dll"	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbejge32.dll"	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	3ceee6f48111ab4080bd6baf04761e3b3e4d491414cb054b8e0e489e2885fca4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agoabn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	3ceee6f48111ab4080bd6baf04761e3b3e4d491414cb054b8e0e489e2885fca4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqfhilhd.dll"	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhqeiena.dll"	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjccj32.dll"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmnbeadp.dll"	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	3ceee6f48111ab4080bd6baf04761e3b3e4d491414cb054b8e0e489e2885fca4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgilhm32.dll"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelcfha.dll"	Delnin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeiakn32.dll"	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljbncc32.dll"	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpoddikd.dll"	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dopigd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qoqbfpfe.dll"	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	3ceee6f48111ab4080bd6baf04761e3b3e4d491414cb054b8e0e489e2885fca4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkfdhbpg.dll"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnbmefbg.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

3ceee6f48111ab4080bd6baf04761e3b3e4d491414cb054b8e0e489e2885fca4.exeAfhohlbj.exeAjckij32.exeAfjlnk32.exeAqppkd32.exeAfmhck32.exeAabmqd32.exeAglemn32.exeAnfmjhmd.exeAgoabn32.exeBmkjkd32.exeBcebhoii.exeBchomn32.exeBnmcjg32.exeBcjlcn32.exeBjddphlq.exeBanllbdn.exeBclhhnca.exeBnbmefbg.exeBcoenmao.exeCfmajipb.exeChmndlge.exe

description	pid	process	target process
PID 3832 wrote to memory of 3248	3832	3ceee6f48111ab4080bd6baf04761e3b3e4d491414cb054b8e0e489e2885fca4.exe	Afhohlbj.exe
PID 3832 wrote to memory of 3248	3832	3ceee6f48111ab4080bd6baf04761e3b3e4d491414cb054b8e0e489e2885fca4.exe	Afhohlbj.exe
PID 3832 wrote to memory of 3248	3832	3ceee6f48111ab4080bd6baf04761e3b3e4d491414cb054b8e0e489e2885fca4.exe	Afhohlbj.exe
PID 3248 wrote to memory of 5060	3248	Afhohlbj.exe	Ajckij32.exe
PID 3248 wrote to memory of 5060	3248	Afhohlbj.exe	Ajckij32.exe
PID 3248 wrote to memory of 5060	3248	Afhohlbj.exe	Ajckij32.exe
PID 5060 wrote to memory of 2936	5060	Ajckij32.exe	Afjlnk32.exe
PID 5060 wrote to memory of 2936	5060	Ajckij32.exe	Afjlnk32.exe
PID 5060 wrote to memory of 2936	5060	Ajckij32.exe	Afjlnk32.exe
PID 2936 wrote to memory of 4764	2936	Afjlnk32.exe	Aqppkd32.exe
PID 2936 wrote to memory of 4764	2936	Afjlnk32.exe	Aqppkd32.exe
PID 2936 wrote to memory of 4764	2936	Afjlnk32.exe	Aqppkd32.exe
PID 4764 wrote to memory of 1028	4764	Aqppkd32.exe	Afmhck32.exe
PID 4764 wrote to memory of 1028	4764	Aqppkd32.exe	Afmhck32.exe
PID 4764 wrote to memory of 1028	4764	Aqppkd32.exe	Afmhck32.exe
PID 1028 wrote to memory of 912	1028	Afmhck32.exe	Aabmqd32.exe
PID 1028 wrote to memory of 912	1028	Afmhck32.exe	Aabmqd32.exe
PID 1028 wrote to memory of 912	1028	Afmhck32.exe	Aabmqd32.exe
PID 912 wrote to memory of 1960	912	Aabmqd32.exe	Aglemn32.exe
PID 912 wrote to memory of 1960	912	Aabmqd32.exe	Aglemn32.exe
PID 912 wrote to memory of 1960	912	Aabmqd32.exe	Aglemn32.exe
PID 1960 wrote to memory of 1388	1960	Aglemn32.exe	Anfmjhmd.exe
PID 1960 wrote to memory of 1388	1960	Aglemn32.exe	Anfmjhmd.exe
PID 1960 wrote to memory of 1388	1960	Aglemn32.exe	Anfmjhmd.exe
PID 1388 wrote to memory of 4632	1388	Anfmjhmd.exe	Agoabn32.exe
PID 1388 wrote to memory of 4632	1388	Anfmjhmd.exe	Agoabn32.exe
PID 1388 wrote to memory of 4632	1388	Anfmjhmd.exe	Agoabn32.exe
PID 4632 wrote to memory of 664	4632	Agoabn32.exe	Bmkjkd32.exe
PID 4632 wrote to memory of 664	4632	Agoabn32.exe	Bmkjkd32.exe
PID 4632 wrote to memory of 664	4632	Agoabn32.exe	Bmkjkd32.exe
PID 664 wrote to memory of 1060	664	Bmkjkd32.exe	Bcebhoii.exe
PID 664 wrote to memory of 1060	664	Bmkjkd32.exe	Bcebhoii.exe
PID 664 wrote to memory of 1060	664	Bmkjkd32.exe	Bcebhoii.exe
PID 1060 wrote to memory of 4548	1060	Bcebhoii.exe	Bchomn32.exe
PID 1060 wrote to memory of 4548	1060	Bcebhoii.exe	Bchomn32.exe
PID 1060 wrote to memory of 4548	1060	Bcebhoii.exe	Bchomn32.exe
PID 4548 wrote to memory of 4368	4548	Bchomn32.exe	Bnmcjg32.exe
PID 4548 wrote to memory of 4368	4548	Bchomn32.exe	Bnmcjg32.exe
PID 4548 wrote to memory of 4368	4548	Bchomn32.exe	Bnmcjg32.exe
PID 4368 wrote to memory of 2816	4368	Bnmcjg32.exe	Bcjlcn32.exe
PID 4368 wrote to memory of 2816	4368	Bnmcjg32.exe	Bcjlcn32.exe
PID 4368 wrote to memory of 2816	4368	Bnmcjg32.exe	Bcjlcn32.exe
PID 2816 wrote to memory of 5032	2816	Bcjlcn32.exe	Bjddphlq.exe
PID 2816 wrote to memory of 5032	2816	Bcjlcn32.exe	Bjddphlq.exe
PID 2816 wrote to memory of 5032	2816	Bcjlcn32.exe	Bjddphlq.exe
PID 5032 wrote to memory of 728	5032	Bjddphlq.exe	Banllbdn.exe
PID 5032 wrote to memory of 728	5032	Bjddphlq.exe	Banllbdn.exe
PID 5032 wrote to memory of 728	5032	Bjddphlq.exe	Banllbdn.exe
PID 728 wrote to memory of 988	728	Banllbdn.exe	Bclhhnca.exe
PID 728 wrote to memory of 988	728	Banllbdn.exe	Bclhhnca.exe
PID 728 wrote to memory of 988	728	Banllbdn.exe	Bclhhnca.exe
PID 988 wrote to memory of 4496	988	Bclhhnca.exe	Bnbmefbg.exe
PID 988 wrote to memory of 4496	988	Bclhhnca.exe	Bnbmefbg.exe
PID 988 wrote to memory of 4496	988	Bclhhnca.exe	Bnbmefbg.exe
PID 4496 wrote to memory of 3520	4496	Bnbmefbg.exe	Bcoenmao.exe
PID 4496 wrote to memory of 3520	4496	Bnbmefbg.exe	Bcoenmao.exe
PID 4496 wrote to memory of 3520	4496	Bnbmefbg.exe	Bcoenmao.exe
PID 3520 wrote to memory of 1952	3520	Bcoenmao.exe	Cfmajipb.exe
PID 3520 wrote to memory of 1952	3520	Bcoenmao.exe	Cfmajipb.exe
PID 3520 wrote to memory of 1952	3520	Bcoenmao.exe	Cfmajipb.exe
PID 1952 wrote to memory of 2208	1952	Cfmajipb.exe	Chmndlge.exe
PID 1952 wrote to memory of 2208	1952	Cfmajipb.exe	Chmndlge.exe
PID 1952 wrote to memory of 2208	1952	Cfmajipb.exe	Chmndlge.exe
PID 2208 wrote to memory of 1140	2208	Chmndlge.exe	Caebma32.exe

C:\Users\Admin\AppData\Local\Temp\3ceee6f48111ab4080bd6baf04761e3b3e4d491414cb054b8e0e489e2885fca4.exe
"C:\Users\Admin\AppData\Local\Temp\3ceee6f48111ab4080bd6baf04761e3b3e4d491414cb054b8e0e489e2885fca4.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3832
- C:\Windows\SysWOW64\Afhohlbj.exe
  C:\Windows\system32\Afhohlbj.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3248
- - C:\Windows\SysWOW64\Ajckij32.exe
    C:\Windows\system32\Ajckij32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5060
  - - C:\Windows\SysWOW64\Afjlnk32.exe
      C:\Windows\system32\Afjlnk32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2936
    - - C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4764
      - C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1028
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:912
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1960
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1388
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4632
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:664
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1060
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4548
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4368
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2816
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5032
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:728
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:988
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4496
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3520
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1952
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2208
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1140
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1144
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3156
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4252
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2212
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1308
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1776
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1120
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3032
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3364
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1360
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4308
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1472
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3704
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3996
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:756
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2796
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2032
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2032 -s 404
        41⤵
        Program crash
        
        PID:1920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2032 -ip 2032
1⤵
PID:3356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aabmqd32.exe

Filesize
163KB

MD5
05b3beb7240d29857be7738b9c6b517f

SHA1
d953f76adabcd9a91169631006a148b7f80ad4d2

SHA256
5f8e885fc78290642607306214177e963f17f580f3236cad14534d459d1c5ac4

SHA512
1ecf8d8981e891eae860a0c8645814506b8bef15f98b1e0ab368bc5b26c8a6f56797bb6e89610cd0f0b5cdcdc1be1f8001639b9fec5319a38adc564dd81f574e

Download Submit
C:\Windows\SysWOW64\Afhohlbj.exe

Filesize
163KB

MD5
59d1d73066566b02ec170df708066f79

SHA1
40133ca3227d7c6a8de6bcf1c8335e6574ecd29e

SHA256
7f4f571a9782c8aed82adca5cd4e6c2d5f7e0c08b5f207fbdcf70c8e693076e7

SHA512
ec26522f7f09a13807938a9457d1a34d39ed2034c8447166fb0dbbfb66f5045cf5eb6285fab7f7c33c7ae48326395d4018256b5ccb0b6055e90e301d4659890c

Download Submit
C:\Windows\SysWOW64\Afjlnk32.exe

Filesize
163KB

MD5
a598f50fe2f0eb44e7f7af9711b7ca1a

SHA1
82e88195f3b64a167edfc9b81cd86a533f60cccf

SHA256
9a18a58cd3f9b76ed3f4c7e91cae37b39cb444c274696965d87234eb74d0d0d4

SHA512
0541d636b66fcc615b2a96536e54fb81f9572e5ec41e259a7f1cea66f926ef18fc7028049635e31fba44eb7938ab57314060025788693f0695a5f56961198885

Download Submit
C:\Windows\SysWOW64\Afmhck32.exe

Filesize
163KB

MD5
672a2d5f98684307ea6921844086f21e

SHA1
4cc3c327af5d494d29eed1688178ce644505fd88

SHA256
d1ba95c16d1ac1d7d13d11882c0509c86170f7d7f3150957932a8b6b5908c7d4

SHA512
d9ad6affa3c2c1073a9bd1445978654c77bdb538b0d27031be1047ed65fe28b802c2329686e4f33132c39b3c20f743cd25b86124be523461c26faecec86757a7

Download Submit
C:\Windows\SysWOW64\Aglemn32.exe

Filesize
163KB

MD5
d877eafa21aed34eb9002e6ba7316cf7

SHA1
5d66cf2bb49b815e4698bd7b74d9c1aceaa145db

SHA256
584575c757eb89adeda58b6f6695ba105015e4694095037e7141f8430cb9da69

SHA512
75eff925c7860e0e58f9814e0a061c77f1546b31abd296c4286d4cebbf9e5523d9b6f5cf6c95aef70274ff2f843e9f0ea270669b646f75214a4d6aa4ba94f42c

Download Submit
C:\Windows\SysWOW64\Agoabn32.exe

Filesize
163KB

MD5
7725fda52e041c9b851f28c0688a2f97

SHA1
6cd6555aabdc19ba5bd23df9f9c1fa380108ef63

SHA256
d7ef121a7e4a348148a5d32093b6fe97bddac62a90be9a240948a3a3a4fef5dd

SHA512
aec70f02131e741e3395857f56fe11626371c91912df94fb6036002eb9ad4835b8f811279a80a525c917639b4e5f1ccf137eeec84c9885f62aa462cdf8e35493

Download Submit
C:\Windows\SysWOW64\Ajckij32.exe

Filesize
163KB

MD5
7cb4b909a106c08c367737eab4fc5178

SHA1
e5a91fff9fadb78d1786077f230ff09a86c51c9b

SHA256
7abb3353cb19b60bb5d3f1e859c6f1fa14c0db635da20a4aacb489bca964d1ef

SHA512
8f85a694ee36c612d4c84fab5d6814fa2f43be6c783dc2e3c381b90c1c22bb3a19d795ff04bce160fc92cbc5010e62a49c6a1029227b7efbfbd2d03ca2db266f

Download Submit
C:\Windows\SysWOW64\Anfmjhmd.exe

Filesize
163KB

MD5
7555de65bf11facca1c228d947b43521

SHA1
d4484dd3826025921bdcfae6c3f56504fca5f6da

SHA256
2b5994ef9d3521d5c8cea83465b843b515f19ca67464c4f16771182068301ee0

SHA512
00c4dc4a26ee382911f9926c5fe0b14ba1b4f3b3d642e5703cb17c0916b6e6acf52b86b1e5b4e12572373c0bfedb7b4c3e9ac93414415f011c6a363ea15134b5

Download Submit
C:\Windows\SysWOW64\Aqppkd32.exe

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\SysWOW64\Aqppkd32.exe

Filesize
163KB

MD5
cd266c180e0625066eff14729fc201d3

SHA1
49f801f41ef55d2f28e73871027321defd312f42

SHA256
09d7c66475be476eec7a9bf6aac9a060f90c685fcbaf33fc090ede23ddc71d9d

SHA512
ef4e13f0c3bc13b85fca788075560b34a83f14af73ac7e06d3191dad3028386b096b9ffcc18bd27ba2a90b4db3007881b26eddc881bdc7e3bd8d3ab84a7322ff

Download Submit
C:\Windows\SysWOW64\Banllbdn.exe

Filesize
163KB

MD5
00f144d050e0c6902e9b6425764829bd

SHA1
86796e8f9e9b47c0a6c4ae4781e179d2d2e90848

SHA256
457b94c6c5fcca9608b3be5c5e960d4b63bd37a0aee5a281a04446c9cc97e22a

SHA512
f55b3940257aac7a3e24a667f3ad30e3bd5592b1ae939269ce4c7f4aaa7c1b2b41ef4ec4d2eac6d97e4852253d99f3d5e117799b570f2c06da4e8a781df12913

Download Submit
C:\Windows\SysWOW64\Bcebhoii.exe

Filesize
163KB

MD5
00ec552c3fa673123c7eef4ff4229a5b

SHA1
d579e944b64666fb1805230810a73edb9b8239ce

SHA256
dd2bd136b1e926b934578662a366da3da92e26f3988eefb10fbc6f6d598923f0

SHA512
24ff3f60f76e99f5eaf03439aad02bd0be1eb335e497cf77bd7e6cbde4a84f26c1160067b02b64a460e825d7c20cd7fff8b6f89c81b1c24a3e55e20fa2adaef9

Download Submit
C:\Windows\SysWOW64\Bchomn32.exe

Filesize
163KB

MD5
3bac0723c7d0d3f984bd009065a9408e

SHA1
917bb56d0947224f86c67a591ec39ff90f32a3d1

SHA256
f6f6b76fb736466f191cb2051aeb83904acdc8689263fd0977bd188a66761a11

SHA512
c81b11c69249bc63eed1da382d3187d12f21446c2c8aeb2e1ab55071441e69999ed8287961bf022ae47da77767d4c48598230b16c929576a7315a85a02a8a79a

Download Submit
C:\Windows\SysWOW64\Bcjlcn32.exe

Filesize
163KB

MD5
b945657ea2d8a1aa0ea1adba4a6ccc84

SHA1
e1d12d449f5ddf7663ad0082e88f33d6d48526a2

SHA256
a768e1e69cfe89d416058a7accee53c06e2a36464ae4c953566d4aeed611e69c

SHA512
c38ec37b8f429f05162e6370f916deee374d19046df7c9964d681f72b83b97ac8867c74f0ed223c95cf001439219a90b238a06114da5a17da67f14cd5e258f5b

Download Submit
C:\Windows\SysWOW64\Bclhhnca.exe

Filesize
163KB

MD5
90e70dea281fca0970981ec1a8019a0b

SHA1
d4983efda2eb65a640feb5c5bfd1c6410b5e6098

SHA256
a25c6b5348dad4e5c7e99364c1c0f1b8736e1419089dfd00b07d5475c668a356

SHA512
4114b9bdd1b06380eba612c557ab6b57384b83c0fea8c94ca391f64b4758e5803a139f61d1fe1d6c557dd7a9898804dcd5f83449e74ffc0679a1b01f45215947

Download Submit
C:\Windows\SysWOW64\Bcoenmao.exe

Filesize
163KB

MD5
b8629b6dc584431dc6ebd60511a520d1

SHA1
8a9481877b454012ed1f6af7d96ee0a1baac4c31

SHA256
bc3c68ba74467cabf58443f23d5aaf38f8bf917bd4ef75a906bf1827f5d91127

SHA512
e8d6b6724b29496095d6242a8648c7f528798e94fb30a90df2e8e602076fd7f992e6eef298d5cd110633b8fec4085e25483ab129100ce8e5998ea684fc29cd4a

Download Submit
C:\Windows\SysWOW64\Bjddphlq.exe

Filesize
163KB

MD5
953127359bc9e0eb932fbea69c62f6d0

SHA1
d9fe266dfba4f88e35cf886f9e2d4d7b0188907e

SHA256
cddad7caf5ef56ad118b3d671170898da35252666e18a6d8b114b4d6ea17a609

SHA512
8940b4daedf3481466f680966e9fa0e3717d7e22f5dba07d98fcbb17095b0083b033d18ec34ecd75d78933685b9f62e1340edf9103ac55bd9e2f931fef4ec748

Download Submit
C:\Windows\SysWOW64\Bmkjkd32.exe

Filesize
163KB

MD5
d2e662ee07976f5b412335b23e940770

SHA1
47c50e7f540d1cfd6644c3c3af2df760a0915c34

SHA256
b82c15d7394ec97c93e2c9ef806bb7ef1276e9ef7f04919d6ae0e5de39d97e13

SHA512
89ff15e0ee8a247ac7a22cfb37760e59819c112f2143bb21fb99e842cd204856789eb32824b37dbaf3b906d4e6145b5cadcb2bddf9f10eb9dcb28acd9b8cf927

Download Submit
C:\Windows\SysWOW64\Bnbmefbg.exe

Filesize
163KB

MD5
a96236d7be52a58a6c85214fa29c2576

SHA1
066d6917dd7964eaa1b89f75fdea92666e151c3a

SHA256
e9d050f44f234a310b043ebe41313cdce0e64492394782d6c83e135e658a605b

SHA512
76367ae87489ee02f56fe10829552b045a3842fd035ebce0a4f46d4a19bf35e110f9b82767267612b928dc1aecc95a91428af8168044d6ec3c372498e277a42f

Download Submit
C:\Windows\SysWOW64\Bnmcjg32.exe

Filesize
163KB

MD5
0b305c8ef9f61a78116a3c40aa5e6029

SHA1
0c4aa6195dfdfa467df29f77d8fa69c740feb61e

SHA256
8c4493a732ec47d73a65327e00d1b2110385f5d9b9b404a1a072f48908d96299

SHA512
243c353507bb00922d93cd6dc12b8a2adec6f42e09250ebbbf6fa6053528956d3b41f5e09d5bd9f4e174197bda1b43b926290a3e56d5fb462fd42aa725c34a6c

Download Submit
C:\Windows\SysWOW64\Caebma32.exe

Filesize
163KB

MD5
a0dc6aae19ec57cf9fa35e52f5b9a696

SHA1
09e3f67b02cf7e2f7a34c9c2e6f648442fae2d33

SHA256
930a05f25a3edfe96ef57f242feccaf98c625949c86b12113464752be84bd5ca

SHA512
dd07382f0b9ff9013af8dee183cf42fa70bd7b2c5afdfb66da572f65c3bacecf38ed94b2abfb72a28796e63f6759c6d7776d30aaddd2cad2fa4a105812e8bacc

Download Submit
C:\Windows\SysWOW64\Ceehho32.exe

Filesize
163KB

MD5
5054306e91a4e213e8a36799bf952453

SHA1
4654211bb07b6e67cf5b6cb95015ace259b69ac2

SHA256
946f5f8b1285dab7f7d5e8dc82c31958b67fb382c8a6bd9cdd9665c3abcbbf2b

SHA512
c093b9a503b02e265274b125457db4b8e7a947377e4d1e3ea2bdd5ddb41f1e7a7978b4d79713a69bf4cd127913722b347199d84af3e50800465c9f4086e69620

Download Submit
C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
163KB

MD5
d376e516b86b42101347e216e021a56b

SHA1
8381861c35521e1454abc078246669d4c0757704

SHA256
43e2c8710b8369ac57b53640ae0e557b54ae6c27cfbf5c913928889b9acfe1a6

SHA512
cf8306b50828f4718ae3627f0cb128b758df37c13bdef7bfc64e64f4ded7ba68a210274805abf96b76342ca1d7a4c411e0bde3b5a7b332d67ee39110cb205640

Download Submit
C:\Windows\SysWOW64\Cfbkeh32.exe

Filesize
163KB

MD5
bda30a52b165d1e8847074a971357df1

SHA1
4e9aff6adb72ee62c67acf4c5b9d79df2d37f0c9

SHA256
4b9ffcd6af24f88acece347e2a7368703379925bebb568809a6fb68ae6e40337

SHA512
b9783eddcdbcff83148d810d0ade281f26e8bee540cf053a8abec9c502d852904628353ccc6a339b4ab6d7ce6f351b955e7be7f4bf1efa2b983aa695343040b9

Download Submit
C:\Windows\SysWOW64\Cfmajipb.exe

Filesize
163KB

MD5
59ae59e036b9560ac4095229a387e288

SHA1
045f3e9f7b84104c0fa0c8bdd2b7e38d14a4bfa8

SHA256
351b57176cceb9134198cd2517350fd49c458df25f4b8a2fa165ae44fef8dcbb

SHA512
ac9795e25ed4077d3f178ce0cd32cd45fbea2f11d62c4f31043e80db6c6f3c72182e61e2c32519ad33820a44006fd4cd9c2d8c1b56c460111e2b14a21dc9dfd8

Download Submit
C:\Windows\SysWOW64\Chagok32.exe

Filesize
163KB

MD5
9602f63aa80203746b48f4d71fdb905d

SHA1
cfd4f3b555ce592bfb1631d40005cde9f0157022

SHA256
87d6ca07d9c7f84c5a6f94f3f4bde71f429af8545a3b6aa0cb6f6a19a6c0dd2b

SHA512
fa74b7bb7a7dae4afe98d5f2b668f426d7df0dbdb87464a0afcc4968720c7d7ff6e814c4d8e16217bf4f90c854ed29d63058d72c79f0879d7a732f09b3b0f24e

Download Submit
C:\Windows\SysWOW64\Chmndlge.exe

Filesize
163KB

MD5
f46fb497ae6a6f58a38ceb9133fe738e

SHA1
a4602181099053fe0ee29b0c5e120202a939e52a

SHA256
2ec0138e0c37c899797424f666a8ffc0ba0f379fa40b668f153cc44b85245d7c

SHA512
70fc118975458496f1d6646796ff272530975cfdd503ae9e1b4d657e5ff1f193abd1580ee7cdb470525377941398325bd77ed3535a1d6bf7226de0a1550e78d4

Download Submit
C:\Windows\SysWOW64\Cjbpaf32.exe

Filesize
163KB

MD5
ab3dfbc2e7db2564458c9059beb401dd

SHA1
8950a380fdf2b9856186e64633444e6ee5a7b381

SHA256
dd5b24a0c96cbef076e4906de2574e616aa05ff19baddbdc5dcf670e5599dbc5

SHA512
11dd6e6f2f47fb1aad952ae030e06079b14e23fd9bcec8ad0ddeb767c134168479bfc5cf3d333775a66e9ebe00370bc12d381b5f2eb3c6fedc5a670f30f1e5b9

Download Submit
C:\Windows\SysWOW64\Daconoae.exe

Filesize
163KB

MD5
8d7dfe3d032cf4457e717c6904728aeb

SHA1
739ed6f417bdb11101974d60f4c62d0ad7d4beb3

SHA256
fe2b2809c94b3c10e5fe940588aa6e305588adc2da2f7591a4268c743227b112

SHA512
f0f18295184a5a441c27cf36cfab2226480342b9e7775c261b0c226b23664246f53714216d2e8886ab0974cc0aed7b622fb496791da8c42a54dc307a0c116447

Download Submit
C:\Windows\SysWOW64\Ddonekbl.exe

Filesize
163KB

MD5
40eef73f1e80a3f351e7fc06d0a2dc6c

SHA1
5274c08dbfebb8e3f65a75e7a1ed49e78385ba9e

SHA256
583f0279787b8b84f00cafcfcdae00b7f5d2e64f69d4ede599b95c83f8264ba4

SHA512
86d3a86508c0313890a48637e0d4dc2c5664126fa0c1b2f4b8942f4fd76ab33883dcb5affd0d391237d0e1ca00783180adfaf3c424a070895c3883f6cc19c624

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
163KB

MD5
3eaa6394381a27091f7796cc0f96dbb9

SHA1
64e267ad10139c71a7c727be53c46fea107aa1b8

SHA256
904dc5c1ad6319ab49a7b7d56c476383cd923a372e2935f67169ab021fe8f0cf

SHA512
165126bf7c58f77fb97e9b7c5d3bd9b1c0cd2533d31c8043d448e64c0bbb158b380e9f6351bd7c6ea5943d5cc63e0f190948e1277cf97b61557907cd927099ff

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
163KB

MD5
536898eac627220beb73716ab5a31011

SHA1
26ff5561332ff6a284f65a3fb385cd3c5c4846fa

SHA256
f43712f04214a0d9fad9683d0622838ceccf4657fa6b275cbf6d70ee5d553e71

SHA512
da2dbae6fd189cb1484e13965febc5e8428c830a4491b38420fb56edaaa2b470eaaa1f97e0549b8818c900324da6a0d84743489c1693bad1365acb541a5535ab

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
163KB

MD5
b52fc6f938f7bd59853f96f2dd95435e

SHA1
5736fef90f832443c36eabc57aac635f6ef0ceae

SHA256
349d9a2fb01ac7956fd39dd8d984239cda40cf7803b44b9adea4862d0c604ef7

SHA512
014bdc5f83cbd1255c725b979722e2b416b308fb3144140150adffd8a3a14bbf1074eb35398f4689503a3d4aa457c3de7a6890bcb39d94e40ae55b6b3b67ed3e

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
163KB

MD5
866666a6aaaa0fada7d28208cbc6c451

SHA1
4c02f2fb78976a34e06af797049b04715f8a54bc

SHA256
6383dcb6e41aefea0d724941d8cee6c9f5b6e8d406bca38cf93daf2dc4da7627

SHA512
4a79f18e8e23d576e2bfeaed99c9a37659ec49c346e610ec2903a2a9eb575478495b354e09bae4d43830db27bf312e2f76a01fa95615c099a68f246baf923d74

Download Submit
memory/664-80-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/664-359-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/728-347-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/728-134-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/756-306-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/756-287-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/912-367-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/912-48-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/988-142-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/988-345-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1028-41-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1028-369-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1060-357-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1060-89-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1120-321-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1120-233-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1140-177-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1140-335-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1144-184-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1144-333-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1308-216-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1308-325-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1360-315-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1360-257-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1388-65-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1388-363-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1472-311-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1472-269-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1776-224-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1776-323-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1952-160-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1952-339-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1960-56-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1960-365-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2032-299-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2032-302-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2208-337-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2208-168-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2212-327-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2212-208-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2796-303-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2796-297-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2816-351-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2816-112-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2936-373-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2936-24-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3032-245-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3032-319-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3156-193-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3156-331-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3248-377-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3248-13-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3364-253-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3364-317-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3520-341-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3520-157-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3704-309-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3704-275-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3832-379-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3832-0-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3832-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/3996-281-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3996-307-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4252-200-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4252-329-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4308-313-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4308-263-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4368-105-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4368-353-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4496-343-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4496-145-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4548-96-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4548-355-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4632-72-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4632-361-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4764-32-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4764-371-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5032-349-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5032-120-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5060-375-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5060-17-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download