berbew | d903213fca27ff97c2f27cbe233f177410489153953e3eaa99e5e0422d641391

Analysis

max time kernel
0s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2024 09:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d903213fca27ff97c2f27cbe233f177410489153953e3eaa99e5e0422d641391.exe
Size

84KB
MD5

d0dd3696d1eab95d2f3ec9d12f58ba16
SHA1

a2943c4c77d8c869c73e92889ade46123ad99412
SHA256

d903213fca27ff97c2f27cbe233f177410489153953e3eaa99e5e0422d641391
SHA512

555c051dddfbf21db4155a1fbda96a57d1c3dd11c393c0ab1304765f5a8dfdbba9b4f73808e57e2770d96877918835f2c955e0f7c6fd57f9a768268724a81b36
SSDEEP

1536:X/6nZ6fMLsPI+kpzeb9qRNDrlOmXSREXHfVPfMVwNKT1iqWUPGc4T7VLn:X/Yh2UNDrYmCREXdXNKT1ntPG9pT

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Bnpppgdj.exeBjfaeh32.exeBnbmefbg.exeChjaol32.exeBcjlcn32.exeBjddphlq.exeBhhdil32.exeBapiabak.exeBelebq32.exeCjinkg32.exeBfhhoi32.exeBanllbdn.exed903213fca27ff97c2f27cbe233f177410489153953e3eaa99e5e0422d641391.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcjlcn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Banllbdn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bapiabak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	d903213fca27ff97c2f27cbe233f177410489153953e3eaa99e5e0422d641391.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Belebq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chjaol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	d903213fca27ff97c2f27cbe233f177410489153953e3eaa99e5e0422d641391.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 13 IoCs

Processes:

Bcjlcn32.exeBfhhoi32.exeBjddphlq.exeBnpppgdj.exeBanllbdn.exeBhhdil32.exeBjfaeh32.exeBnbmefbg.exeBapiabak.exeBelebq32.exeChjaol32.exeCjinkg32.exeCmgjgcgo.exe

pid	process
1560	Bcjlcn32.exe
4404	Bfhhoi32.exe
744	Bjddphlq.exe
4004	Bnpppgdj.exe
4284	Banllbdn.exe
4816	Bhhdil32.exe
1996	Bjfaeh32.exe
4788	Bnbmefbg.exe
2328	Bapiabak.exe
4168	Belebq32.exe
1644	Chjaol32.exe
3948	Cjinkg32.exe
4468	Cmgjgcgo.exe

Drops file in System32 directory 39 IoCs

Processes:

Bnbmefbg.exeBcjlcn32.exeBanllbdn.exeBfhhoi32.exeBjddphlq.exeBnpppgdj.exeBhhdil32.exeBjfaeh32.exeBapiabak.exed903213fca27ff97c2f27cbe233f177410489153953e3eaa99e5e0422d641391.exeChjaol32.exeCjinkg32.exeBelebq32.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Bapiabak.exe	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Bfhhoi32.exe	Bcjlcn32.exe
File created	C:\Windows\SysWOW64\Bhhdil32.exe	Banllbdn.exe
File opened for modification	C:\Windows\SysWOW64\Bjddphlq.exe	Bfhhoi32.exe
File created	C:\Windows\SysWOW64\Hfggmg32.dll	Bjddphlq.exe
File opened for modification	C:\Windows\SysWOW64\Banllbdn.exe	Bnpppgdj.exe
File opened for modification	C:\Windows\SysWOW64\Bjfaeh32.exe	Bhhdil32.exe
File opened for modification	C:\Windows\SysWOW64\Bnbmefbg.exe	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Gallfmbn.dll	Bapiabak.exe
File opened for modification	C:\Windows\SysWOW64\Bcjlcn32.exe	d903213fca27ff97c2f27cbe233f177410489153953e3eaa99e5e0422d641391.exe
File created	C:\Windows\SysWOW64\Bjddphlq.exe	Bfhhoi32.exe
File created	C:\Windows\SysWOW64\Cjinkg32.exe	Chjaol32.exe
File opened for modification	C:\Windows\SysWOW64\Cjinkg32.exe	Chjaol32.exe
File opened for modification	C:\Windows\SysWOW64\Bhhdil32.exe	Banllbdn.exe
File created	C:\Windows\SysWOW64\Bjfaeh32.exe	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Ndhkdnkh.dll	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Hjfhhm32.dll	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Hhqeiena.dll	Bfhhoi32.exe
File created	C:\Windows\SysWOW64\Bnpppgdj.exe	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Bnbmefbg.exe	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Jfihel32.dll	Belebq32.exe
File created	C:\Windows\SysWOW64\Kofpij32.dll	Bcjlcn32.exe
File opened for modification	C:\Windows\SysWOW64\Bnpppgdj.exe	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Qihfjd32.dll	Bnpppgdj.exe
File opened for modification	C:\Windows\SysWOW64\Cmgjgcgo.exe	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Bapiabak.exe	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Jhbffb32.dll	Bnbmefbg.exe
File opened for modification	C:\Windows\SysWOW64\Belebq32.exe	Bapiabak.exe
File created	C:\Windows\SysWOW64\Bcjlcn32.exe	d903213fca27ff97c2f27cbe233f177410489153953e3eaa99e5e0422d641391.exe
File created	C:\Windows\SysWOW64\Hjjdjk32.dll	d903213fca27ff97c2f27cbe233f177410489153953e3eaa99e5e0422d641391.exe
File created	C:\Windows\SysWOW64\Mkfdhbpg.dll	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Ogfilp32.dll	Chjaol32.exe
File opened for modification	C:\Windows\SysWOW64\Bfhhoi32.exe	Bcjlcn32.exe
File created	C:\Windows\SysWOW64\Iqjikg32.dll	Banllbdn.exe
File created	C:\Windows\SysWOW64\Chjaol32.exe	Belebq32.exe
File opened for modification	C:\Windows\SysWOW64\Chjaol32.exe	Belebq32.exe
File created	C:\Windows\SysWOW64\Cmgjgcgo.exe	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Banllbdn.exe	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Belebq32.exe	Bapiabak.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3356 1496 WerFault.exe Dmllipeg.exe

pid	pid_target	process	target process
3356	1496	WerFault.exe	Dmllipeg.exe

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Bapiabak.exeBelebq32.exeChjaol32.exeBjddphlq.exeBjfaeh32.exeBfhhoi32.exeBnpppgdj.exeBanllbdn.exeBhhdil32.exeBnbmefbg.exeCjinkg32.exed903213fca27ff97c2f27cbe233f177410489153953e3eaa99e5e0422d641391.exeBcjlcn32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d903213fca27ff97c2f27cbe233f177410489153953e3eaa99e5e0422d641391.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe

Modifies registry class 42 IoCs

Processes:

d903213fca27ff97c2f27cbe233f177410489153953e3eaa99e5e0422d641391.exeBapiabak.exeBelebq32.exeChjaol32.exeBjddphlq.exeBhhdil32.exeBjfaeh32.exeBnbmefbg.exeBcjlcn32.exeBfhhoi32.exeBanllbdn.exeCjinkg32.exeBnpppgdj.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	d903213fca27ff97c2f27cbe233f177410489153953e3eaa99e5e0422d641391.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bapiabak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Belebq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chjaol32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	d903213fca27ff97c2f27cbe233f177410489153953e3eaa99e5e0422d641391.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gallfmbn.dll"	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chjaol32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	d903213fca27ff97c2f27cbe233f177410489153953e3eaa99e5e0422d641391.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkfdhbpg.dll"	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogfilp32.dll"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kofpij32.dll"	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfggmg32.dll"	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iqjikg32.dll"	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qihfjd32.dll"	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Banllbdn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	d903213fca27ff97c2f27cbe233f177410489153953e3eaa99e5e0422d641391.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcjlcn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhqeiena.dll"	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfihel32.dll"	Belebq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfhhm32.dll"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Belebq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	d903213fca27ff97c2f27cbe233f177410489153953e3eaa99e5e0422d641391.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjjdjk32.dll"	d903213fca27ff97c2f27cbe233f177410489153953e3eaa99e5e0422d641391.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndhkdnkh.dll"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhbffb32.dll"	Bnbmefbg.exe

Suspicious use of WriteProcessMemory 39 IoCs

Processes:

d903213fca27ff97c2f27cbe233f177410489153953e3eaa99e5e0422d641391.exeBcjlcn32.exeBfhhoi32.exeBjddphlq.exeBnpppgdj.exeBanllbdn.exeBhhdil32.exeBjfaeh32.exeBnbmefbg.exeBapiabak.exeBelebq32.exeChjaol32.exeCjinkg32.exe

description	pid	process	target process
PID 1684 wrote to memory of 1560	1684	d903213fca27ff97c2f27cbe233f177410489153953e3eaa99e5e0422d641391.exe	Bcjlcn32.exe
PID 1684 wrote to memory of 1560	1684	d903213fca27ff97c2f27cbe233f177410489153953e3eaa99e5e0422d641391.exe	Bcjlcn32.exe
PID 1684 wrote to memory of 1560	1684	d903213fca27ff97c2f27cbe233f177410489153953e3eaa99e5e0422d641391.exe	Bcjlcn32.exe
PID 1560 wrote to memory of 4404	1560	Bcjlcn32.exe	Bfhhoi32.exe
PID 1560 wrote to memory of 4404	1560	Bcjlcn32.exe	Bfhhoi32.exe
PID 1560 wrote to memory of 4404	1560	Bcjlcn32.exe	Bfhhoi32.exe
PID 4404 wrote to memory of 744	4404	Bfhhoi32.exe	Bjddphlq.exe
PID 4404 wrote to memory of 744	4404	Bfhhoi32.exe	Bjddphlq.exe
PID 4404 wrote to memory of 744	4404	Bfhhoi32.exe	Bjddphlq.exe
PID 744 wrote to memory of 4004	744	Bjddphlq.exe	Bnpppgdj.exe
PID 744 wrote to memory of 4004	744	Bjddphlq.exe	Bnpppgdj.exe
PID 744 wrote to memory of 4004	744	Bjddphlq.exe	Bnpppgdj.exe
PID 4004 wrote to memory of 4284	4004	Bnpppgdj.exe	Banllbdn.exe
PID 4004 wrote to memory of 4284	4004	Bnpppgdj.exe	Banllbdn.exe
PID 4004 wrote to memory of 4284	4004	Bnpppgdj.exe	Banllbdn.exe
PID 4284 wrote to memory of 4816	4284	Banllbdn.exe	Bhhdil32.exe
PID 4284 wrote to memory of 4816	4284	Banllbdn.exe	Bhhdil32.exe
PID 4284 wrote to memory of 4816	4284	Banllbdn.exe	Bhhdil32.exe
PID 4816 wrote to memory of 1996	4816	Bhhdil32.exe	Bjfaeh32.exe
PID 4816 wrote to memory of 1996	4816	Bhhdil32.exe	Bjfaeh32.exe
PID 4816 wrote to memory of 1996	4816	Bhhdil32.exe	Bjfaeh32.exe
PID 1996 wrote to memory of 4788	1996	Bjfaeh32.exe	Bnbmefbg.exe
PID 1996 wrote to memory of 4788	1996	Bjfaeh32.exe	Bnbmefbg.exe
PID 1996 wrote to memory of 4788	1996	Bjfaeh32.exe	Bnbmefbg.exe
PID 4788 wrote to memory of 2328	4788	Bnbmefbg.exe	Bapiabak.exe
PID 4788 wrote to memory of 2328	4788	Bnbmefbg.exe	Bapiabak.exe
PID 4788 wrote to memory of 2328	4788	Bnbmefbg.exe	Bapiabak.exe
PID 2328 wrote to memory of 4168	2328	Bapiabak.exe	Belebq32.exe
PID 2328 wrote to memory of 4168	2328	Bapiabak.exe	Belebq32.exe
PID 2328 wrote to memory of 4168	2328	Bapiabak.exe	Belebq32.exe
PID 4168 wrote to memory of 1644	4168	Belebq32.exe	Chjaol32.exe
PID 4168 wrote to memory of 1644	4168	Belebq32.exe	Chjaol32.exe
PID 4168 wrote to memory of 1644	4168	Belebq32.exe	Chjaol32.exe
PID 1644 wrote to memory of 3948	1644	Chjaol32.exe	Cjinkg32.exe
PID 1644 wrote to memory of 3948	1644	Chjaol32.exe	Cjinkg32.exe
PID 1644 wrote to memory of 3948	1644	Chjaol32.exe	Cjinkg32.exe
PID 3948 wrote to memory of 4468	3948	Cjinkg32.exe	Cmgjgcgo.exe
PID 3948 wrote to memory of 4468	3948	Cjinkg32.exe	Cmgjgcgo.exe
PID 3948 wrote to memory of 4468	3948	Cjinkg32.exe	Cmgjgcgo.exe

C:\Users\Admin\AppData\Local\Temp\d903213fca27ff97c2f27cbe233f177410489153953e3eaa99e5e0422d641391.exe
"C:\Users\Admin\AppData\Local\Temp\d903213fca27ff97c2f27cbe233f177410489153953e3eaa99e5e0422d641391.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1684
- C:\Windows\SysWOW64\Bcjlcn32.exe
  C:\Windows\system32\Bcjlcn32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1560
- - C:\Windows\SysWOW64\Bfhhoi32.exe
    C:\Windows\system32\Bfhhoi32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4404
  - - C:\Windows\SysWOW64\Bjddphlq.exe
      C:\Windows\system32\Bjddphlq.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:744
    - - C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4004
      - C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4284
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4816
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1996
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4788
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2328
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4168
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1644
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3948
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        14⤵
        Executes dropped EXE
        
        PID:4468
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        15⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        16⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        17⤵
        
        PID:60
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        18⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        19⤵
        
        PID:3560
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        20⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        21⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        22⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        23⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        24⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        25⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        26⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        27⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        28⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        29⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        30⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        31⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        32⤵
        
        PID:4504
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        33⤵
        
        PID:3232
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        34⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        35⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        36⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        37⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        38⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        39⤵
        
        PID:3404
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        40⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        41⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        42⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        43⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        44⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        45⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        46⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        47⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        48⤵
        
        PID:928
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        49⤵
        
        PID:3864
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        50⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        51⤵
        
        PID:1292
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        52⤵
        
        PID:1216
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        53⤵
        
        PID:400
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        54⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        55⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        56⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        57⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        58⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1496 -s 396
        59⤵
        Program crash
        
        PID:3356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1496 -ip 1496
1⤵
PID:1376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bapiabak.exe

Filesize
84KB

MD5
054beed3bb15a5dff90ce5f536247518

SHA1
89b0c73445e2c770e82058f8b3237052b7c4081a

SHA256
368294888332c0bcbd85021a6e707bf0c5be83435bd3ce7fe5b69f4c0ce1b55c

SHA512
40a6befd390e7bc0e6044047476886a65090f4e39192e0dbb5cc8a90e71800110d7b647073b6b1df99b2685afa7b42851a13b62277ec43b45f7f7e9fd62fc055

Download Submit
C:\Windows\SysWOW64\Bcjlcn32.exe

Filesize
84KB

MD5
21a4e27ec460dca124e1d74cd90a0228

SHA1
0aa938c64c232bfb4a8c299190ab3bc6cb17e832

SHA256
4973628d62b4c7a1a477aec47534e3748ff90014c4398ea4ee768544f6905ae7

SHA512
bb08a686e1243cb04bcdf02aae309fe9f66d67450278cbe414e8d8c65fef6b43971780a0c2c5f049986d1768c59a417f94ec24ba215f670589c676a71bee884a

Download Submit
C:\Windows\SysWOW64\Bfhhoi32.exe

Filesize
84KB

MD5
22e98853b1ae6dac5250535bec6b7824

SHA1
c3705eeaa36a95bea75274fb0cfb982ed108fa31

SHA256
17f607dbdc943e6ee9e191c3b7b085d07bb35b56c849c001d43169290fa8fa98

SHA512
c5496f23f773ec44c28fad8b08406a50338b1dacee087b6bad680392c1e873dfbb274b9e226f245c669581b904bb38db8a579749d4c02b83b2cd7dc621b7f01c

Download Submit
C:\Windows\SysWOW64\Bhhdil32.exe

Filesize
84KB

MD5
fc94871ae16e7ed212d17fd276f475aa

SHA1
be199928021cd15e49f89b1ebe0abd5803013a55

SHA256
4a695d434f1e69719d76365ee78df10bb69df5ab4f1ade4e04cf745d56bcfa29

SHA512
87e21b79e0c9ca0dbadb9c34b02a94057daae52fcce429eddfc05603a320690ae049eba1508f7d07f7ae750939332f726acd7a9a80b76a19c37515626e894177

Download Submit
C:\Windows\SysWOW64\Bhhdil32.exe

Filesize
84KB

MD5
e7b14aeadb1f804d52882bd72f8dc34e

SHA1
c00372f200f28f456e659c97772d6ce89d8fc13e

SHA256
28d3624f1c4cf1b857a64cc4fffe4d46f15373bda61e23f559254b9b3575d293

SHA512
1a792e238985f7d2b4b34799a5aff0433e7f41e84c0bda93e98b6e89e09d2ee5139408f70c24fcd5b588945df61303483785f91e4fd2ffad7d4d7c93adf0523a

Download Submit
C:\Windows\SysWOW64\Bjddphlq.exe

Filesize
84KB

MD5
4ee48d488ffe2c4ddc22af8066bbf12c

SHA1
345874fca7e43e0ade3068b481c29ae0e308f64c

SHA256
1dd83d91018e19fcc057515434838713f3e70fb14d79786709d527e92146de4d

SHA512
a22e6a86a5b92a33852e5929b89751b2211f9d27d7d2655bb08d7de1adaf9339dbf7085cbb5c21d4d529b903b798c508a2a946e6e0312ac0f56b213fd5166e7c

Download Submit
C:\Windows\SysWOW64\Bjfaeh32.exe

Filesize
84KB

MD5
5c6ceb49566cf7f0cc73904b29a583e9

SHA1
46614d21c95e1285346928bee1cfa6fe4a07f427

SHA256
a9dabb66853b94f66add97f4fd01748848208968db1f5bb6e4e2b9cf220eea15

SHA512
f434dce0a140bbb067d34905424e711edfa089e2f7503a94de37bb9d6d0e1e830424d952f52f9c1d3062467746680b3e4167f096c8b42ece05c5e647ca06e603

Download Submit
C:\Windows\SysWOW64\Bnbmefbg.exe

Filesize
84KB

MD5
fc62d940760aae39fe8b00e16ea9073e

SHA1
930ed3f82f4c555ab126e2e445d8918d1f5a5935

SHA256
fe5892a5a1dcb8f0d134391785f67cddf39d5cde648a311c76ee36e40dd3fb53

SHA512
416c67456a555eea2cdc27bb4c6ad783c075bd83fc868f4d690358b3d10dc3dd2d34fad70f0e0d785f957849a4d3b9cec59771773c24f9a984b219633b12011e

Download Submit
C:\Windows\SysWOW64\Bnpppgdj.exe

Filesize
84KB

MD5
04fb9aff3d9557d430baa5e4a58229f1

SHA1
84141080595df99912aaa70e3e2fb97ad65d8a52

SHA256
7aff3227801f148c5d30b6888e5b653297f70a587f8c3c6b526df7e83a12d11d

SHA512
f43904a7592b25bbd6586a752f61676df7f1a514a06fd5bb5ac4166b5ae42c084ae22756a082435c4097718eb5dc60d9b2626f6d851aa115a9e7c66c8fc850d8

Download Submit
C:\Windows\SysWOW64\Caebma32.exe

Filesize
84KB

MD5
1c1ad0432292d9edf92748a349b38f63

SHA1
b47b6046bc9f3da1daac46059fd5e121b61c8866

SHA256
f0ed93bfb9af787cafc472b783711b3c9078d95d6610f7d81073a63c50308a3f

SHA512
d726ced9c46ee97cf191c1cb17ee36d0ca48e93ed2c3d405d936b51cbd9f19d9a7cbc9aadb36a67cf5946fcf96ab39146ba97b64db93e3f4721d4d3009438e05

Download Submit
C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
84KB

MD5
2861692a831019b0d13704adcb72ec5c

SHA1
7478446e6996ecd75891a45b08d7fcac19ae2e35

SHA256
75ea95039a9a02b449f850f45565a2294a89ec4793cb96431db2bf02eb0b73b4

SHA512
4c620fc9d13190d817668c5167f9d3f8826e3f4a306fc87868c45b5c2c3d12fc8a739ed5424984b6a7aaaad3be40469b465e1ea8c42a00ea60d8f8fc8f4d5cb7

Download Submit
C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
84KB

MD5
b303a7ccf0aa2f668c035b302bfe37c6

SHA1
d491fc1d61713600e92de73f59268fd70ff6a4a1

SHA256
f5c6bd34084062c6098a25600085b1a8c547a71f4efd92f6540ac3aa15ddb723

SHA512
d6af6f6fbe468dcf5d9d8f440857261c692a6da529b7ff8ce3dfe5b1b0ea12d5a262b954bfb6121c0cb7af393e7fdd559680a6093d1199a8f01cc55f48e480f7

Download Submit
C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
84KB

MD5
3ee46f258c94c42bdfafb0ddd98bba91

SHA1
fdfebf1847705a391749402f0eba5d677ddecb55

SHA256
4d25f19576883def6e0954c39d171e13402e1fe79bd5915ac90714b99d1e1743

SHA512
b02c08309fda46edfd555c2da2578fa9f4796cdf6cdaa454deeafa7ed7d3f77933d365167d7696ad9d9661780e0766a06ef42422a6fa577d8f87caffab4126ae

Download Submit
C:\Windows\SysWOW64\Ceckcp32.exe

Filesize
84KB

MD5
8cb23045021dcbf152f1b8a18b1a806f

SHA1
1dd259fbafc5a87bbcea49060a4627d1dbd77b48

SHA256
6cc922a58c389b8e194f3accc474117588f0dcb735f30b533885891c6020f8c1

SHA512
8c6a6dba0f8ff8f0b5d3c5c1149c1efb46605d33a6232c773ea97b275ac66fc428cfd10d1fc197cebcaea67ee81cfbed1dcf3145d83b789dc7b981ed34199d34

Download Submit
C:\Windows\SysWOW64\Cegdnopg.exe

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\SysWOW64\Cenahpha.exe

Filesize
84KB

MD5
1eb31311d4dc3cc9c1f26e5bacfd869e

SHA1
bb3de6d69a021ae27c7779d72976cb4145b91957

SHA256
d77a52810c221493874ce18996c7ecc31d050a694c5b8ecf3cb7e04de30c0aa0

SHA512
a5d6266d86e1ba36d92c168d130a522dd2fceaf1e7efafdf0a5a251e4fa2fbe20dca8789d8237cc6a6b7a2df7f6df6261c3b9cc75d14005c32651aceb9f7b946

Download Submit
C:\Windows\SysWOW64\Ceqnmpfo.exe

Filesize
84KB

MD5
3a7422b5ed4bbd742cee049a2ea40fc1

SHA1
77f5c37f6eb57c2ad0dabcf9ea28bff12526044b

SHA256
7756eb461d1e71c074ce9e2e2670820a8931a392a77eceb4ce64b3e480f56d56

SHA512
e8512e8ecd13e60dd7d0708c3550a825e10a98e0d4c567bd90dafa9c78925376113212c1f95734ff140371384c84e9167a43b69b4c1bf360561f8e22474f10f0

Download Submit
C:\Windows\SysWOW64\Cfbkeh32.exe

Filesize
84KB

MD5
a85caa62125f1d4f1d05eb342eafe347

SHA1
96ab7887f95ccb23c12b1e55e69403b0e53f5b5d

SHA256
58e3c2909867561065704b915cf9b9429f532559352dd823aeadfeb76014a91f

SHA512
141c721d2aa9b5d19020414342bb7c0ae73d9cedcff87ed478a1c1ad102fb4fb4ea726effaf8fe5ca592127ae54cafeaf33fd2711cc6b79256ded53ddc410e76

Download Submit
C:\Windows\SysWOW64\Cfbkeh32.exe

Filesize
84KB

MD5
54f88de86ae2b716e27653be47570b84

SHA1
aea9f38e5ebcabd3c7363917921dad40a0aff256

SHA256
a8bc6a83d984c3592b15373dbadcc9e45648126c5d77231730799bb3b91bc8e9

SHA512
900840455cafcc3a2e2f5f7598b616f1d09e8c72749fb7a265c55fcbff6496cbb854dd35f21f3ae3f10dfb345084967e3e8a75e1b713089f62338f034367f271

Download Submit
C:\Windows\SysWOW64\Cfdhkhjj.exe

Filesize
84KB

MD5
9ea80947848b4b33a3c6f2f5728f2c56

SHA1
f6d44d60d65c577d0e06a7a9a04f80a9b3eb0f76

SHA256
039ba99d5f751c814b58b2dada589165a4242a12e03414717f05497f2e2c9067

SHA512
e337ff4325719a14937a3a4d45e87ea9dc53c556d9f5d897e303a65854f2154e1e1769c8d47bac2961fa4b97c2ae828f5f7965100fcdc4a65ea19b32d9771bae

Download Submit
C:\Windows\SysWOW64\Cffdpghg.exe

Filesize
84KB

MD5
a0cbe68fa04766e7e34e09e4d5c4695e

SHA1
e7bc826f55b91903ae9408f3c3afc6853e21c51c

SHA256
e1b84b048dfa014818a8d78c23695a934ca19841fb9d061ee4a0e8f122a67852

SHA512
70868d192552daa0130d4c9cc69a7b446a74e74c775f2e0c6f23843bda3d36c9c00e37b5466215ce550ae0b7cccc2f736eb927cba2a5aef1f4b4f0defdaeac01

Download Submit
C:\Windows\SysWOW64\Chagok32.exe

Filesize
84KB

MD5
a1d5b81560dc65a1d0a836e9e91b3f80

SHA1
eb26cc6cbebbd96cd8fc7f960be41c0a2a02905d

SHA256
b9fbb8ddf9c4f22eac2e5f0c6bcda2d961860597dfcefaf36f9e261d878fccc2

SHA512
7968167d0797fadf96eab551baa76725920c98e02a5379ce3d9cc4ce44e7455ee11edad15348ef0a4a098a8b10d6d5e66636b662144c275c713ec95f2b736aff

Download Submit
C:\Windows\SysWOW64\Chjaol32.exe

Filesize
84KB

MD5
5fac9aac57e95add94a9a3ff68c18944

SHA1
2b18c25dbcd4fd6427769dfa5c41e0ec6c76fce9

SHA256
25320e74b4310ef298231e4e0151053b00f408fd4f9554a895d9cf29a77014f9

SHA512
57fcc8ad619a11ce2e6d896844428f59534ef22649f2932e7dcd3b333e464508863bf52e84f1e697df8cad5a4ea81ed29934fe0e0a51e13b832e6d6c1b229740

Download Submit
C:\Windows\SysWOW64\Chjaol32.exe

Filesize
84KB

MD5
bef37cab8a2751535d4d5d7f7bca4741

SHA1
e19c81d3e7b3bd24426ed064af2f1d1c9941104f

SHA256
995c5346466d57e41874db6f8103a4f1cbd224480526464a1a6dd63ac705f73e

SHA512
a9f38ed0f1848c80c204f7534ccf49e62ffacb786a90de237565757e51dc1216d77c7d401dc83abbbc855dd6158ef82b53f60b150259622c3f0f680757f5af37

Download Submit
C:\Windows\SysWOW64\Chmndlge.exe

Filesize
84KB

MD5
64c9ecce968802e4bb8b4ce78fe6207e

SHA1
95a21243e840392adcb9b43dec3ad60eeeef347b

SHA256
e34841593202772ccbbdd2d5c321a383b00be63ee13bb8cbe2ae1704693fbc62

SHA512
abc69dd63a0ea0dd4313562db1bb4fa687dcc300387da72bda9316089d5cea206e38718050f2d20bf3fe5911e10437c5fdffb5768ca77d6cba791f8ecee868e4

Download Submit
C:\Windows\SysWOW64\Cjbpaf32.exe

Filesize
84KB

MD5
540b6c05b4fe8727644edf5f3545edc2

SHA1
88ea7fc285be89c688abd1dc59974fb5c96ef4d9

SHA256
2548f08318409f39f4f1ea41000bae199a7be56663eb45a63f822be657308374

SHA512
b9ba3d9dba94d879a36f98e5a40097c4c5609633e03fc2dc186e55499fd5ada29a09228273fffa5db13f1b048cd7080303a2a2de040a21987de25d6a48666ef0

Download Submit
C:\Windows\SysWOW64\Cjinkg32.exe

Filesize
84KB

MD5
7dd8a5d8f423d9baafdba16fc146eede

SHA1
9880575580a13cf3c012ccb15f4bf95333c533e9

SHA256
73a84ca28c92efa704fb8d3e7f962923b2918b7de13b24d1b42fb8eb199f5752

SHA512
35adc4f7e49a7366b983f74112f97cfbe6ede105ebd788608467cc778c5fcc4c692c6952ddcfb357d94ff3afc6d1d951c15c996f8bef2f2ff264f3a6284f749d

Download Submit
C:\Windows\SysWOW64\Cjkjpgfi.exe

Filesize
84KB

MD5
da56da5dece197abff1a0da1279012e2

SHA1
cac8238a853102c95b2d203b60b32f00191019e5

SHA256
7738556297ad3a8730f5efd38731be92c26e3f5774f52235d8edc51570ee863e

SHA512
ac352014390c262b8b6b28f630454418e8e5dc2922cc5ee96a16aaf5b7bbe2a2cc7ac31057dae23528dc798aaa5ded5ecc9c9109b36ed3ed4496a06bb9d013a2

Download Submit
C:\Windows\SysWOW64\Cmgjgcgo.exe

Filesize
84KB

MD5
8cc993868b3a27cac0848a5576ff8f5f

SHA1
3a63e2ef33884d48f7a24efd0c81073911e1ff92

SHA256
05fda708a7134e31f0a1e51b9be7fdcea127fe0241d98190450263d0ecc59874

SHA512
8ad5583a3a13794ceeecccfef4cd10104c926d8c9bb0758c717f535378b6362efabdc0ad8990d6d12ad9bb455a0b4d1ad64b6e7498c07e0a0172baf038a0c207

Download Submit
C:\Windows\SysWOW64\Cmiflbel.exe

Filesize
84KB

MD5
dd9485f5f12f2058907c67d66d1db774

SHA1
d234ca26bc8082ed23f67f82fb42e9f052c24fa3

SHA256
6e6dd12a3e7d2cd430627e495f183e5e1ea37889fd5c59f085d783d6ffc5f9d3

SHA512
fd9e4a4c9cf30d768f4221b1179362e9f2751227333a31302632ca7e34e6a670899040fec1144b6805dbf294bf870de2442c4bc6bfdf2f545a7ea5e16a3f62c0

Download Submit
C:\Windows\SysWOW64\Cmlcbbcj.exe

Filesize
84KB

MD5
4ebf5b8ee508c2017042e96960d4c993

SHA1
b1bfddccc246cb027839226cff7f38d6397d1134

SHA256
5e42ce265f45084a7ab95f159b576b6549c67a00ef422a0fd296a21887add5d6

SHA512
0ff99c4aa8876f23e42e8a3f29f11d71eda5ec51679d4ff5cbd16554b66fbd1a99757b683a41b7f97237c1790d49bff1c95a4e83269cfa1faa4816e630ff15de

Download Submit
C:\Windows\SysWOW64\Cmlcbbcj.exe

Filesize
84KB

MD5
b944e8b8cb1eb8761a2580cd88e6e446

SHA1
db3d542408e584ee839c8b7841cc5540b15b024b

SHA256
936737acf158889a61f29ba4ba7ac00147c3ed6f7ed5e82f529b7fef614ee462

SHA512
6b600a93a1eb4614b2fa0a30479a766b86677ccd50c743195d8e13af1d73c8d537f9e3f448a3dafcb188a833eb88ced730c29e23f36c7ee6fa2a28b548afa40b

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
84KB

MD5
6818fe3176e4b09b43415d4f1eb3645d

SHA1
673365c0f73ac9152254df4d5b1ed61bd8b2b9f6

SHA256
7c2dfbdb0e6fc00222309c2a027a3fc419ab8a8457d759264f712536304bbdf2

SHA512
b3d73f2a5578a1f7963fd9d9baf81d0dafc88756b447f2b10f6865416bf3645e5d00a327a567ce998cb4ad43d2b2c7a088db09aee26a4a94b8bc4b7456706ee6

Download Submit
C:\Windows\SysWOW64\Dobfld32.exe

Filesize
84KB

MD5
d7afccfbac19edb62838312813af5843

SHA1
50513cba7e5cc6ad3ccf00ef9e56606235477bae

SHA256
9c1cc688a64d30425a07babfba47c7456ba61a95f1d09015cb45938134665629

SHA512
0739c853b76d69bee035cd69c7ab93c71656c56c9680bdee77f0384572d8ac388e154d8025691552f93d1edb86dfff31ed898c302cc1449ba8295d0c9c759cd0

Download Submit
memory/60-444-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/60-127-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/400-411-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/400-376-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/744-23-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/928-346-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/928-415-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1156-443-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1156-135-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1216-374-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1292-364-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1292-412-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1496-406-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1496-407-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1560-7-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1604-207-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1604-435-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1644-87-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1684-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1800-418-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1800-322-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1836-440-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1836-160-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1996-55-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2060-439-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2060-176-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2080-432-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2080-232-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2152-431-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2152-239-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2168-119-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2320-167-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2328-71-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2336-304-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2336-420-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2364-332-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2396-434-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2396-215-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2664-424-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2664-286-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2684-437-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2684-191-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2724-422-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2724-298-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2728-111-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2848-340-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2848-416-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2960-417-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2960-338-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3036-199-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3036-436-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3232-256-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3232-429-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3404-292-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3404-423-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3428-280-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3428-425-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3560-143-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3560-442-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3648-394-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3648-409-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3864-414-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3864-352-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3916-310-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3916-421-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3948-95-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4004-31-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4028-426-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4028-274-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4168-79-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4284-39-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4300-268-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4300-427-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4344-428-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4344-262-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4392-400-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4392-408-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4404-15-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4468-103-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4500-386-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4504-248-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4504-430-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4532-151-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4532-441-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4604-410-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4604-388-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4788-63-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4804-183-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4804-438-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4816-47-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4860-223-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4860-433-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4864-413-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4864-358-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5032-316-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5032-419-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download