berbew | d3a405d1eef40909f7319d1e31263d7751cff92249204f73d530e758daef3fd9

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
23-11-2024 04:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d3a405d1eef40909f7319d1e31263d7751cff92249204f73d530e758daef3fd9.exe
Size

96KB
MD5

8709c738565b53a37435c3f676deee2e
SHA1

ebe961a7f8ada09cd7bec22b4009c097d39abe4e
SHA256

d3a405d1eef40909f7319d1e31263d7751cff92249204f73d530e758daef3fd9
SHA512

e6663655c54a95f7a15303435cbba3fe603f65039c49325ad43bcddfb64aef29921e19e75f231026c712809d8f1b76bf616ea1f0b8ada6b0853f72d15c79b9e8
SSDEEP

1536:41yOkIWYeqmKp1xN6KqbgLWLiDvrEUBTAw/BOm6CMy0QiLiizHNQNdq:41yG8Kp1Cbg2iEITR5Om6CMyELiAHONM

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Cinafkkd.exeCgfkmgnj.exed3a405d1eef40909f7319d1e31263d7751cff92249204f73d530e758daef3fd9.exeCnfqccna.exeCkjamgmk.exeCebeem32.exeDnpciaef.exeCbdiia32.exeCnmfdb32.exeCjonncab.exeCgcnghpl.exeCileqlmg.exeCaifjn32.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cinafkkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cgfkmgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	d3a405d1eef40909f7319d1e31263d7751cff92249204f73d530e758daef3fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnfqccna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ckjamgmk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cebeem32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cebeem32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cinafkkd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnpciaef.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckjamgmk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbdiia32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgfkmgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dnpciaef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnmfdb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	d3a405d1eef40909f7319d1e31263d7751cff92249204f73d530e758daef3fd9.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnfqccna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjonncab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgcnghpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cgcnghpl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnmfdb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cileqlmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cileqlmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cbdiia32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjonncab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caifjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Caifjn32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 13 IoCs

Processes:

Cnfqccna.exeCileqlmg.exeCkjamgmk.exeCbdiia32.exeCebeem32.exeCinafkkd.exeCjonncab.exeCaifjn32.exeCgcnghpl.exeCnmfdb32.exeCgfkmgnj.exeDnpciaef.exeDpapaj32.exe

pid	Process
2696	Cnfqccna.exe
2676	Cileqlmg.exe
2144	Ckjamgmk.exe
2596	Cbdiia32.exe
2624	Cebeem32.exe
3004	Cinafkkd.exe
2760	Cjonncab.exe
2152	Caifjn32.exe
1352	Cgcnghpl.exe
584	Cnmfdb32.exe
2616	Cgfkmgnj.exe
1348	Dnpciaef.exe
2940	Dpapaj32.exe

Loads dropped DLL 29 IoCs

Processes:

d3a405d1eef40909f7319d1e31263d7751cff92249204f73d530e758daef3fd9.exeCnfqccna.exeCileqlmg.exeCkjamgmk.exeCbdiia32.exeCebeem32.exeCinafkkd.exeCjonncab.exeCaifjn32.exeCgcnghpl.exeCnmfdb32.exeCgfkmgnj.exeDnpciaef.exeWerFault.exe

pid	Process
3056	d3a405d1eef40909f7319d1e31263d7751cff92249204f73d530e758daef3fd9.exe
3056	d3a405d1eef40909f7319d1e31263d7751cff92249204f73d530e758daef3fd9.exe
2696	Cnfqccna.exe
2696	Cnfqccna.exe
2676	Cileqlmg.exe
2676	Cileqlmg.exe
2144	Ckjamgmk.exe
2144	Ckjamgmk.exe
2596	Cbdiia32.exe
2596	Cbdiia32.exe
2624	Cebeem32.exe
2624	Cebeem32.exe
3004	Cinafkkd.exe
3004	Cinafkkd.exe
2760	Cjonncab.exe
2760	Cjonncab.exe
2152	Caifjn32.exe
2152	Caifjn32.exe
1352	Cgcnghpl.exe
1352	Cgcnghpl.exe
584	Cnmfdb32.exe
584	Cnmfdb32.exe
2616	Cgfkmgnj.exe
2616	Cgfkmgnj.exe
1348	Dnpciaef.exe
1348	Dnpciaef.exe
2256	WerFault.exe
2256	WerFault.exe
2256	WerFault.exe

Drops file in System32 directory 41 IoCs

Processes:

Cjonncab.exeDpapaj32.exeCkjamgmk.exeCebeem32.exeCinafkkd.exeCgfkmgnj.exed3a405d1eef40909f7319d1e31263d7751cff92249204f73d530e758daef3fd9.exeCileqlmg.exeCbdiia32.exeCnmfdb32.exeCnfqccna.exeCaifjn32.exeCgcnghpl.exeDnpciaef.exe

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Caifjn32.exe	Cjonncab.exe
File created	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File created	C:\Windows\SysWOW64\Fhgpia32.dll	Ckjamgmk.exe
File opened for modification	C:\Windows\SysWOW64\Cinafkkd.exe	Cebeem32.exe
File opened for modification	C:\Windows\SysWOW64\Cjonncab.exe	Cinafkkd.exe
File created	C:\Windows\SysWOW64\Dnpciaef.exe	Cgfkmgnj.exe
File created	C:\Windows\SysWOW64\Fnpeed32.dll	d3a405d1eef40909f7319d1e31263d7751cff92249204f73d530e758daef3fd9.exe
File opened for modification	C:\Windows\SysWOW64\Ckjamgmk.exe	Cileqlmg.exe
File opened for modification	C:\Windows\SysWOW64\Cbdiia32.exe	Ckjamgmk.exe
File created	C:\Windows\SysWOW64\Cebeem32.exe	Cbdiia32.exe
File created	C:\Windows\SysWOW64\Cjonncab.exe	Cinafkkd.exe
File created	C:\Windows\SysWOW64\Caifjn32.exe	Cjonncab.exe
File created	C:\Windows\SysWOW64\Cpmahlfd.dll	Cnmfdb32.exe
File opened for modification	C:\Windows\SysWOW64\Cileqlmg.exe	Cnfqccna.exe
File opened for modification	C:\Windows\SysWOW64\Cebeem32.exe	Cbdiia32.exe
File created	C:\Windows\SysWOW64\Fnbkfl32.dll	Cbdiia32.exe
File created	C:\Windows\SysWOW64\Oeopijom.dll	Cinafkkd.exe
File opened for modification	C:\Windows\SysWOW64\Cgfkmgnj.exe	Cnmfdb32.exe
File created	C:\Windows\SysWOW64\Cnfqccna.exe	d3a405d1eef40909f7319d1e31263d7751cff92249204f73d530e758daef3fd9.exe
File opened for modification	C:\Windows\SysWOW64\Cnfqccna.exe	d3a405d1eef40909f7319d1e31263d7751cff92249204f73d530e758daef3fd9.exe
File created	C:\Windows\SysWOW64\Cmbfdl32.dll	Cnfqccna.exe
File created	C:\Windows\SysWOW64\Cbdiia32.exe	Ckjamgmk.exe
File created	C:\Windows\SysWOW64\Onaiomjo.dll	Cjonncab.exe
File opened for modification	C:\Windows\SysWOW64\Cgcnghpl.exe	Caifjn32.exe
File created	C:\Windows\SysWOW64\Cnmfdb32.exe	Cgcnghpl.exe
File opened for modification	C:\Windows\SysWOW64\Dpapaj32.exe	Dnpciaef.exe
File created	C:\Windows\SysWOW64\Pdkefp32.dll	Dnpciaef.exe
File created	C:\Windows\SysWOW64\Cileqlmg.exe	Cnfqccna.exe
File created	C:\Windows\SysWOW64\Ckjamgmk.exe	Cileqlmg.exe
File created	C:\Windows\SysWOW64\Omakjj32.dll	Caifjn32.exe
File opened for modification	C:\Windows\SysWOW64\Dnpciaef.exe	Cgfkmgnj.exe
File created	C:\Windows\SysWOW64\Fbnbckhg.dll	Cileqlmg.exe
File created	C:\Windows\SysWOW64\Cgcnghpl.exe	Caifjn32.exe
File created	C:\Windows\SysWOW64\Niebgj32.dll	Cgcnghpl.exe
File created	C:\Windows\SysWOW64\Cgfkmgnj.exe	Cnmfdb32.exe
File created	C:\Windows\SysWOW64\Dpapaj32.exe	Dnpciaef.exe
File opened for modification	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File created	C:\Windows\SysWOW64\Cinafkkd.exe	Cebeem32.exe
File created	C:\Windows\SysWOW64\Eepejpil.dll	Cebeem32.exe
File opened for modification	C:\Windows\SysWOW64\Cnmfdb32.exe	Cgcnghpl.exe
File created	C:\Windows\SysWOW64\Pmiljc32.dll	Cgfkmgnj.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process
2256	2940	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

d3a405d1eef40909f7319d1e31263d7751cff92249204f73d530e758daef3fd9.exeCileqlmg.exeCbdiia32.exeCjonncab.exeCaifjn32.exeCnmfdb32.exeCnfqccna.exeCebeem32.exeCinafkkd.exeCgfkmgnj.exeDnpciaef.exeDpapaj32.exeCkjamgmk.exeCgcnghpl.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d3a405d1eef40909f7319d1e31263d7751cff92249204f73d530e758daef3fd9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cileqlmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbdiia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjonncab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caifjn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnmfdb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnfqccna.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cebeem32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cinafkkd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgfkmgnj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnpciaef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckjamgmk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgcnghpl.exe

Modifies registry class 42 IoCs

Processes:

d3a405d1eef40909f7319d1e31263d7751cff92249204f73d530e758daef3fd9.exeCnfqccna.exeCkjamgmk.exeCinafkkd.exeCgcnghpl.exeCnmfdb32.exeCbdiia32.exeCebeem32.exeCjonncab.exeCaifjn32.exeCgfkmgnj.exeCileqlmg.exeDnpciaef.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	d3a405d1eef40909f7319d1e31263d7751cff92249204f73d530e758daef3fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmbfdl32.dll"	Cnfqccna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhgpia32.dll"	Ckjamgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cinafkkd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cgcnghpl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnmfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnfqccna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cbdiia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnbkfl32.dll"	Cbdiia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eepejpil.dll"	Cebeem32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cinafkkd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cjonncab.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Caifjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnmfdb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cebeem32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cebeem32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmiljc32.dll"	Cgfkmgnj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	d3a405d1eef40909f7319d1e31263d7751cff92249204f73d530e758daef3fd9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	d3a405d1eef40909f7319d1e31263d7751cff92249204f73d530e758daef3fd9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cileqlmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ckjamgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onaiomjo.dll"	Cjonncab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omakjj32.dll"	Caifjn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	d3a405d1eef40909f7319d1e31263d7751cff92249204f73d530e758daef3fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oeopijom.dll"	Cinafkkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Niebgj32.dll"	Cgcnghpl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dnpciaef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	d3a405d1eef40909f7319d1e31263d7751cff92249204f73d530e758daef3fd9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnfqccna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ckjamgmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cgfkmgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cjonncab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Caifjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpmahlfd.dll"	Cnmfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cgfkmgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dnpciaef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnpeed32.dll"	d3a405d1eef40909f7319d1e31263d7751cff92249204f73d530e758daef3fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbnbckhg.dll"	Cileqlmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cileqlmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cbdiia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cgcnghpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll"	Dnpciaef.exe

Suspicious use of WriteProcessMemory 56 IoCs

Processes:

description	pid	Process	procid_target
PID 3056 wrote to memory of 2696	3056	d3a405d1eef40909f7319d1e31263d7751cff92249204f73d530e758daef3fd9.exe	31
PID 3056 wrote to memory of 2696	3056	d3a405d1eef40909f7319d1e31263d7751cff92249204f73d530e758daef3fd9.exe	31
PID 3056 wrote to memory of 2696	3056	d3a405d1eef40909f7319d1e31263d7751cff92249204f73d530e758daef3fd9.exe	31
PID 3056 wrote to memory of 2696	3056	d3a405d1eef40909f7319d1e31263d7751cff92249204f73d530e758daef3fd9.exe	31
PID 2696 wrote to memory of 2676	2696	Cnfqccna.exe	32
PID 2696 wrote to memory of 2676	2696	Cnfqccna.exe	32
PID 2696 wrote to memory of 2676	2696	Cnfqccna.exe	32
PID 2696 wrote to memory of 2676	2696	Cnfqccna.exe	32
PID 2676 wrote to memory of 2144	2676	Cileqlmg.exe	33
PID 2676 wrote to memory of 2144	2676	Cileqlmg.exe	33
PID 2676 wrote to memory of 2144	2676	Cileqlmg.exe	33
PID 2676 wrote to memory of 2144	2676	Cileqlmg.exe	33
PID 2144 wrote to memory of 2596	2144	Ckjamgmk.exe	34
PID 2144 wrote to memory of 2596	2144	Ckjamgmk.exe	34
PID 2144 wrote to memory of 2596	2144	Ckjamgmk.exe	34
PID 2144 wrote to memory of 2596	2144	Ckjamgmk.exe	34
PID 2596 wrote to memory of 2624	2596	Cbdiia32.exe	35
PID 2596 wrote to memory of 2624	2596	Cbdiia32.exe	35
PID 2596 wrote to memory of 2624	2596	Cbdiia32.exe	35
PID 2596 wrote to memory of 2624	2596	Cbdiia32.exe	35
PID 2624 wrote to memory of 3004	2624	Cebeem32.exe	36
PID 2624 wrote to memory of 3004	2624	Cebeem32.exe	36
PID 2624 wrote to memory of 3004	2624	Cebeem32.exe	36
PID 2624 wrote to memory of 3004	2624	Cebeem32.exe	36
PID 3004 wrote to memory of 2760	3004	Cinafkkd.exe	37
PID 3004 wrote to memory of 2760	3004	Cinafkkd.exe	37
PID 3004 wrote to memory of 2760	3004	Cinafkkd.exe	37
PID 3004 wrote to memory of 2760	3004	Cinafkkd.exe	37
PID 2760 wrote to memory of 2152	2760	Cjonncab.exe	38
PID 2760 wrote to memory of 2152	2760	Cjonncab.exe	38
PID 2760 wrote to memory of 2152	2760	Cjonncab.exe	38
PID 2760 wrote to memory of 2152	2760	Cjonncab.exe	38
PID 2152 wrote to memory of 1352	2152	Caifjn32.exe	39
PID 2152 wrote to memory of 1352	2152	Caifjn32.exe	39
PID 2152 wrote to memory of 1352	2152	Caifjn32.exe	39
PID 2152 wrote to memory of 1352	2152	Caifjn32.exe	39
PID 1352 wrote to memory of 584	1352	Cgcnghpl.exe	40
PID 1352 wrote to memory of 584	1352	Cgcnghpl.exe	40
PID 1352 wrote to memory of 584	1352	Cgcnghpl.exe	40
PID 1352 wrote to memory of 584	1352	Cgcnghpl.exe	40
PID 584 wrote to memory of 2616	584	Cnmfdb32.exe	41
PID 584 wrote to memory of 2616	584	Cnmfdb32.exe	41
PID 584 wrote to memory of 2616	584	Cnmfdb32.exe	41
PID 584 wrote to memory of 2616	584	Cnmfdb32.exe	41
PID 2616 wrote to memory of 1348	2616	Cgfkmgnj.exe	42
PID 2616 wrote to memory of 1348	2616	Cgfkmgnj.exe	42
PID 2616 wrote to memory of 1348	2616	Cgfkmgnj.exe	42
PID 2616 wrote to memory of 1348	2616	Cgfkmgnj.exe	42
PID 1348 wrote to memory of 2940	1348	Dnpciaef.exe	43
PID 1348 wrote to memory of 2940	1348	Dnpciaef.exe	43
PID 1348 wrote to memory of 2940	1348	Dnpciaef.exe	43
PID 1348 wrote to memory of 2940	1348	Dnpciaef.exe	43
PID 2940 wrote to memory of 2256	2940	Dpapaj32.exe	44
PID 2940 wrote to memory of 2256	2940	Dpapaj32.exe	44
PID 2940 wrote to memory of 2256	2940	Dpapaj32.exe	44
PID 2940 wrote to memory of 2256	2940	Dpapaj32.exe	44

C:\Users\Admin\AppData\Local\Temp\d3a405d1eef40909f7319d1e31263d7751cff92249204f73d530e758daef3fd9.exe
"C:\Users\Admin\AppData\Local\Temp\d3a405d1eef40909f7319d1e31263d7751cff92249204f73d530e758daef3fd9.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3056
- C:\Windows\SysWOW64\Cnfqccna.exe
  C:\Windows\system32\Cnfqccna.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2696
- - C:\Windows\SysWOW64\Cileqlmg.exe
    C:\Windows\system32\Cileqlmg.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2676
  - - C:\Windows\SysWOW64\Ckjamgmk.exe
      C:\Windows\system32\Ckjamgmk.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2144
    - - C:\Windows\SysWOW64\Cbdiia32.exe
        
        C:\Windows\system32\Cbdiia32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2596
      - C:\Windows\SysWOW64\Cebeem32.exe
        
        C:\Windows\system32\Cebeem32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2624
        
        C:\Windows\SysWOW64\Cinafkkd.exe
        
        C:\Windows\system32\Cinafkkd.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3004
        
        C:\Windows\SysWOW64\Cjonncab.exe
        
        C:\Windows\system32\Cjonncab.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2760
        
        C:\Windows\SysWOW64\Caifjn32.exe
        
        C:\Windows\system32\Caifjn32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2152
        
        C:\Windows\SysWOW64\Cgcnghpl.exe
        
        C:\Windows\system32\Cgcnghpl.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1352
        
        C:\Windows\SysWOW64\Cnmfdb32.exe
        
        C:\Windows\system32\Cnmfdb32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:584
        
        C:\Windows\SysWOW64\Cgfkmgnj.exe
        
        C:\Windows\system32\Cgfkmgnj.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2616
        
        C:\Windows\SysWOW64\Dnpciaef.exe
        
        C:\Windows\system32\Dnpciaef.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1348
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2940
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2940 -s 144
        15⤵
        Loads dropped DLL
        Program crash
        
        PID:2256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ckjamgmk.exe

Filesize
96KB

MD5
d0555df793bd63149b61fb8fffad9465

SHA1
66227c9ac554a8bfaa30f3ae85eb60d7c9190fa0

SHA256
80e1021ea2f025806faac719daac2582a999f29c09d99d43b6528c87304d183a

SHA512
8341ba4eb5566fb31900894cd0613bdb5dfa954a9aac9c9b1be1efc8f5148856a954d5304cd803b508720f6b1de6d9ced7649cfa8686543d7b1e61526ad339d1

Download Submit
C:\Windows\SysWOW64\Cnfqccna.exe

Filesize
96KB

MD5
180e5337649f50e3bdc91ff5cf737d39

SHA1
fad45e43f6267ca7407892535017d69a4cc0c869

SHA256
8cf1fb7269c46f65e1361a30606d1a9886d0a1e00dcf6c5edcd7ab8dc860f6cf

SHA512
0e91c8496d7b2d1c41907f548c7a6caad2b0e27642ee76465c2fed61a9540d200b442e7018140719386549078778310112376c97245c2f9cc2989c9bed62f973

Download Submit
C:\Windows\SysWOW64\Cnmfdb32.exe

Filesize
96KB

MD5
682ca2e70efe2976f962a40adcf8e967

SHA1
1ee97427a0d25cddd4b04862817b300fbb510567

SHA256
7dacd100c0c1d62a00cfa0c29872c8f95e8e07dae50a8ec864fe118f7c8869f8

SHA512
5d29d02097e267c1da1e5e64ca41aed5cc47ddc255209c1b26f3f00e54df2c0e92ab1cde8c2e66841c87f795d82041709d1dfc08d78b4ecc5f780e4acb713597

Download Submit
C:\Windows\SysWOW64\Fnbkfl32.dll

Filesize
7KB

MD5
83847535d0909fb51d0694f2ca9efce8

SHA1
ee01d252a9153d748d1ef9aa41d44c996236706b

SHA256
3fb278afa19364032d9b646d7d5d18f75eb5279b6b6f8bf0f157bad159649ac2

SHA512
181b4588eca1beb4f400eed896964d30f6b78e71e7e0c8e16b73aed5e81e83f827a91111724c5558c1939cc9ad610278c01bccd40e83f2763554f958706089d4

Download Submit
\Windows\SysWOW64\Caifjn32.exe

Filesize
96KB

MD5
42030179785c135c538dc195bd477f6b

SHA1
b3bc1e522815da9e098d6aa18e8ad7878f572e4c

SHA256
acacfd5513ab7a535a72690cb2bb0e8ccfe4c957ad834229057eb7f602710855

SHA512
803b1496695b15065a30ccccb901a0bbc266d1786f82b4249f98c9f2dd975432d558dacd21083d5ae0cc2b5f2ff39e538ab443ec4af459f67d3cdf6c9b59994f

Download Submit
\Windows\SysWOW64\Cbdiia32.exe

Filesize
96KB

MD5
4e3b88a41c0b26687f73c87da0ac8981

SHA1
5f0c7f9753cffb4d1dcc3ac3589bb4f350985456

SHA256
be2876f3a816aeb4d0c70eba9c946f243d38fd655244854bbf2361b814266a31

SHA512
efeac74770e871e69b619d60b20ca792b0fb2fcdaf2026c96920cc55e47808a8142e345cc35db483deddbd1915b62dfab636e769c7e805ba47a6a405573f0b12

Download Submit
\Windows\SysWOW64\Cebeem32.exe

Filesize
96KB

MD5
12b8522584fbbc0723f799a59bd8f0d2

SHA1
c097d5af78b9c393dcea2a6408abda164a4d258c

SHA256
f23326dfcdc02c7b131098361ca7f93e4f233297aa59e209555ba58b9a1f2c62

SHA512
eac14aa205d8b78879af8e9b46439e1bc352f9edb6d91c357e2ca996ee1b21fd896319694f813b7d85a22a5642a04b0c1076aac7ad1bab88582792e45ca30c71

Download Submit
\Windows\SysWOW64\Cgcnghpl.exe

Filesize
96KB

MD5
aa906821ca625733038d8b8b8ae0eab9

SHA1
832106d7559f1d7ae45f032337520c12a29702ea

SHA256
26319b7a22cdeba974ec48785a122d7a932ab432ee0c8a219c9abd562294c58b

SHA512
b9d2b2bf38ef62071cc7b3c7c67ca52f47656a3028e988d0b0dc96893b77bfdfa6744a98a4d6d3237019c40b2152574eabbbe1d618808273fd860177c23ce2ad

Download Submit
\Windows\SysWOW64\Cgfkmgnj.exe

Filesize
96KB

MD5
4169767e015b042631aa8b6744731a5e

SHA1
2f017c60b1df2f25b0a0c687f2a9d0cee5b817a2

SHA256
89e479d3aa58ba00aa377762556bc071848ead88ff3f0e35434c2ae7bab14d5e

SHA512
366a599454386972b24ffcbbb1867be5bdde5151944ec3c8416f67c3d365f83fd7c7e21986d0f1306b1a57a5e2246c747e626fa512698441427a9395e9541503

Download Submit
\Windows\SysWOW64\Cileqlmg.exe

Filesize
96KB

MD5
f58a4b85112d0be131720cfbf3a78c38

SHA1
c3bae6e82f08b3bc3e35e27da5f4df737bda464b

SHA256
2298d3d9c0934a569e36b4735b224a1d0255a05df61260a7188bbf3a5d2f39dd

SHA512
8010cd9961753ed4d54f52c9fcd7ce1080f4aa814a5d67ee63397fd5003d7ec9dfb29b3c396afb740b55837d872b3fb19e7eafdae865099a8f5e96633c19f867

Download Submit
\Windows\SysWOW64\Cinafkkd.exe

Filesize
96KB

MD5
71ae8d0e65df616faa84e660432f31d9

SHA1
1fbb38b46e00624bbcbb9a267a17801ae25b7fb4

SHA256
ad08be2cb2cf6131bcae5118e50c8c3e2c0eedd9656983256e5bea7170018a46

SHA512
dbc70bfa279ecb7bbf364a0d103690558a9811233c469d2825d9e433a1d7d270b1be0b47ffa4e3b40e970eab351c099bb0caa781a7092da7523a570d3d790805

Download Submit
\Windows\SysWOW64\Cjonncab.exe

Filesize
96KB

MD5
00d48d85b310d3c755df4f4032935a1e

SHA1
292f3e15d6c3c4c1e8e4c890fc5bca5085addcbb

SHA256
7bb23efca91b9da24a2ddd2ea9204f2d388f0ab14b81cab06c729dfd7d952f51

SHA512
5fd98337ff36408bb9cc6a9dadde4baac302d7d611dd5e307525d6b22b31e8b91fa7e4dffae1fa061809f759f401c7fabf24cffed3250df9d9148040ccfd08f8

Download Submit
\Windows\SysWOW64\Dnpciaef.exe

Filesize
96KB

MD5
ef5042d9cd1977771df71f2b83eaf547

SHA1
363fa22b2034622fe45280e0e2e5d08134579959

SHA256
2f68cf6bffbba467574a4bebe9f1d5443a8380fccd29ce49fc37a877caaccb19

SHA512
c62e3ae93241047ba4c2315a9dab46873118b659e387efe13907fcf63cbf17116d41196a8082fe5f83f73963f91f01becf2808632e2f587db3a5c4e426203456

Download Submit
\Windows\SysWOW64\Dpapaj32.exe

Filesize
96KB

MD5
901fa651a4bb5924ed7d84d594b2eb6a

SHA1
a92cf4d603352c9e022e5fc52bf79ba95987d277

SHA256
46df355c4efc81982eac56a080b03a6e6d10afeecdc67d4534cc732d3d593802

SHA512
f6c93379d760e378718d1d34ef61401c9bc9e02f7cd4049f3fec35194a6f69b5b67100fd6afe3495177fcffc05da1dc7c102f4a757d6950faca99f5c99c90b55

Download Submit
memory/584-158-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/584-153-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/584-145-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/584-200-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/584-201-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/1348-177-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1348-190-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/1348-204-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1352-127-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1352-176-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1352-140-0x0000000000300000-0x000000000033F000-memory.dmp

Filesize
252KB

Download
memory/1352-142-0x0000000000300000-0x000000000033F000-memory.dmp

Filesize
252KB

Download
memory/1352-192-0x0000000000300000-0x000000000033F000-memory.dmp

Filesize
252KB

Download
memory/1352-199-0x0000000000300000-0x000000000033F000-memory.dmp

Filesize
252KB

Download
memory/2144-41-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2144-98-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2144-49-0x00000000002D0000-0x000000000030F000-memory.dmp

Filesize
252KB

Download
memory/2152-169-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/2152-168-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2596-112-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2596-124-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/2616-202-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2616-174-0x0000000000440000-0x000000000047F000-memory.dmp

Filesize
252KB

Download
memory/2624-125-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2624-69-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2676-82-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2696-68-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2696-14-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2696-21-0x0000000000270000-0x00000000002AF000-memory.dmp

Filesize
252KB

Download
memory/2696-28-0x0000000000270000-0x00000000002AF000-memory.dmp

Filesize
252KB

Download
memory/2760-160-0x0000000000300000-0x000000000033F000-memory.dmp

Filesize
252KB

Download
memory/2760-97-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2760-106-0x0000000000300000-0x000000000033F000-memory.dmp

Filesize
252KB

Download
memory/2760-144-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2940-191-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2940-203-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3004-88-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3004-141-0x0000000000280000-0x00000000002BF000-memory.dmp

Filesize
252KB

Download
memory/3004-135-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3004-96-0x0000000000280000-0x00000000002BF000-memory.dmp

Filesize
252KB

Download
memory/3056-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3056-13-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/3056-12-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/3056-62-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download