berbew | 6d43e0f92394b20c6fe6e2413198aa62262b792832a5a08d153f4a7ceb63e0e9

Analysis

max time kernel
96s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2024 07:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6d43e0f92394b20c6fe6e2413198aa62262b792832a5a08d153f4a7ceb63e0e9.exe
Size

192KB
MD5

513ecf9016c8fb282a3450334a8581f5
SHA1

946324dbfea788b25e4063f8ec66770b518464c5
SHA256

6d43e0f92394b20c6fe6e2413198aa62262b792832a5a08d153f4a7ceb63e0e9
SHA512

8a57a819a23ea662618b8ed25c6a800e25cc330d80575b597e0c053311c3e1499dd2e2f937385797e81c53e6f9d49b0e611a9904841accbcdf6720a87916c1e3
SSDEEP

3072:VgYC3LmIj2m8XQ7oavB/S3l3FQo7fnEBctcp/+wreVisC:yCIj2xXqoaFCl3FF7fPtcsw6U/

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 42 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Cfdhkhjj.exeCjbpaf32.exeDfiafg32.exeDmcibama.exeDmefhako.exeDhmgki32.exeCfpnph32.exeDeagdn32.exeCdcoim32.exeDfnjafap.exeCagobalc.exeCmnpgb32.exeCdhhdlid.exeCalhnpgn.exeDdmaok32.exeDmgbnq32.exe6d43e0f92394b20c6fe6e2413198aa62262b792832a5a08d153f4a7ceb63e0e9.exeCmiflbel.exeCjmgfgdf.exeDogogcpo.exeDgbdlf32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	6d43e0f92394b20c6fe6e2413198aa62262b792832a5a08d153f4a7ceb63e0e9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	6d43e0f92394b20c6fe6e2413198aa62262b792832a5a08d153f4a7ceb63e0e9.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmnpgb32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 21 IoCs

Processes:

Cfpnph32.exeCmiflbel.exeCdcoim32.exeCjmgfgdf.exeCagobalc.exeCfdhkhjj.exeCmnpgb32.exeCdhhdlid.exeCjbpaf32.exeCalhnpgn.exeDfiafg32.exeDmcibama.exeDdmaok32.exeDmefhako.exeDfnjafap.exeDmgbnq32.exeDhmgki32.exeDogogcpo.exeDeagdn32.exeDgbdlf32.exeDmllipeg.exe

pid	process
4872	Cfpnph32.exe
1632	Cmiflbel.exe
3520	Cdcoim32.exe
3432	Cjmgfgdf.exe
1176	Cagobalc.exe
2760	Cfdhkhjj.exe
3956	Cmnpgb32.exe
4696	Cdhhdlid.exe
3900	Cjbpaf32.exe
3300	Calhnpgn.exe
3576	Dfiafg32.exe
3688	Dmcibama.exe
1664	Ddmaok32.exe
464	Dmefhako.exe
1000	Dfnjafap.exe
2652	Dmgbnq32.exe
1624	Dhmgki32.exe
4120	Dogogcpo.exe
4608	Deagdn32.exe
2412	Dgbdlf32.exe
2336	Dmllipeg.exe

Drops file in System32 directory 63 IoCs

Processes:

Cfpnph32.exeCdcoim32.exeCjmgfgdf.exeCjbpaf32.exeDdmaok32.exeCfdhkhjj.exeDfiafg32.exeDmefhako.exeDfnjafap.exeCagobalc.exeCmnpgb32.exeDhmgki32.exeDogogcpo.exeDgbdlf32.exeDmgbnq32.exeCalhnpgn.exeDmcibama.exe6d43e0f92394b20c6fe6e2413198aa62262b792832a5a08d153f4a7ceb63e0e9.exeCmiflbel.exeDeagdn32.exeCdhhdlid.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Bbloam32.dll	Cfpnph32.exe
File opened for modification	C:\Windows\SysWOW64\Cjmgfgdf.exe	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Maickled.dll	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Cagobalc.exe	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Echdno32.dll	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Calhnpgn.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Dmefhako.exe	Ddmaok32.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Ffpmlcim.dll	Cfdhkhjj.exe
File opened for modification	C:\Windows\SysWOW64\Dmcibama.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Poahbe32.dll	Dmefhako.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Cfdhkhjj.exe	Cagobalc.exe
File created	C:\Windows\SysWOW64\Lpggmhkg.dll	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Calhnpgn.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Dmcibama.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Ghilmi32.dll	Cagobalc.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Dfiafg32.exe	Calhnpgn.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	Dmcibama.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Flgehc32.dll	6d43e0f92394b20c6fe6e2413198aa62262b792832a5a08d153f4a7ceb63e0e9.exe
File opened for modification	C:\Windows\SysWOW64\Cdcoim32.exe	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Cdhhdlid.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Jjjald32.dll	Dmcibama.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Cmiflbel.exe	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Cjmgfgdf.exe	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Cmnpgb32.exe	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Cfpnph32.exe	6d43e0f92394b20c6fe6e2413198aa62262b792832a5a08d153f4a7ceb63e0e9.exe
File opened for modification	C:\Windows\SysWOW64\Cmnpgb32.exe	Cfdhkhjj.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Cmiflbel.exe	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Kkmjgool.dll	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Nedmmlba.dll	Cmiflbel.exe
File opened for modification	C:\Windows\SysWOW64\Cdhhdlid.exe	Cmnpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Cjbpaf32.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Kmfjodai.dll	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Cjbpaf32.exe	Cdhhdlid.exe
File opened for modification	C:\Windows\SysWOW64\Dfiafg32.exe	Calhnpgn.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Cfpnph32.exe	6d43e0f92394b20c6fe6e2413198aa62262b792832a5a08d153f4a7ceb63e0e9.exe
File created	C:\Windows\SysWOW64\Cdcoim32.exe	Cmiflbel.exe
File opened for modification	C:\Windows\SysWOW64\Cagobalc.exe	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Cfdhkhjj.exe	Cagobalc.exe
File created	C:\Windows\SysWOW64\Jgilhm32.dll	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Gidbim32.dll	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Naeheh32.dll	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Ddmaok32.exe	Dmcibama.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Deagdn32.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4236 2336 WerFault.exe Dmllipeg.exe

pid	pid_target	process	target process
4236	2336	WerFault.exe	Dmllipeg.exe

System Location Discovery: System Language Discovery 1 TTPs 22 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Dmefhako.exeDhmgki32.exeDgbdlf32.exe6d43e0f92394b20c6fe6e2413198aa62262b792832a5a08d153f4a7ceb63e0e9.exeCagobalc.exeCdhhdlid.exeCjbpaf32.exeDfiafg32.exeDmllipeg.exeDmgbnq32.exeDeagdn32.exeCmiflbel.exeCdcoim32.exeDmcibama.exeDfnjafap.exeDdmaok32.exeDogogcpo.exeCfpnph32.exeCjmgfgdf.exeCfdhkhjj.exeCmnpgb32.exeCalhnpgn.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6d43e0f92394b20c6fe6e2413198aa62262b792832a5a08d153f4a7ceb63e0e9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe

Modifies registry class 64 IoCs

Processes:

6d43e0f92394b20c6fe6e2413198aa62262b792832a5a08d153f4a7ceb63e0e9.exeCmnpgb32.exeDmgbnq32.exeDhmgki32.exeCdcoim32.exeDmcibama.exeCdhhdlid.exeDogogcpo.exeDdmaok32.exeDmefhako.exeCmiflbel.exeCagobalc.exeDgbdlf32.exeCalhnpgn.exeDfiafg32.exeDfnjafap.exeCfdhkhjj.exeCfpnph32.exeCjbpaf32.exeCjmgfgdf.exeDeagdn32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	6d43e0f92394b20c6fe6e2413198aa62262b792832a5a08d153f4a7ceb63e0e9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgilhm32.dll"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmefhako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghilmi32.dll"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	6d43e0f92394b20c6fe6e2413198aa62262b792832a5a08d153f4a7ceb63e0e9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cagobalc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	6d43e0f92394b20c6fe6e2413198aa62262b792832a5a08d153f4a7ceb63e0e9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjald32.dll"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	6d43e0f92394b20c6fe6e2413198aa62262b792832a5a08d153f4a7ceb63e0e9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	6d43e0f92394b20c6fe6e2413198aa62262b792832a5a08d153f4a7ceb63e0e9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flgehc32.dll"	6d43e0f92394b20c6fe6e2413198aa62262b792832a5a08d153f4a7ceb63e0e9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maickled.dll"	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nedmmlba.dll"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naeheh32.dll"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbloam32.dll"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echdno32.dll"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfjodai.dll"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddmaok32.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

6d43e0f92394b20c6fe6e2413198aa62262b792832a5a08d153f4a7ceb63e0e9.exeCfpnph32.exeCmiflbel.exeCdcoim32.exeCjmgfgdf.exeCagobalc.exeCfdhkhjj.exeCmnpgb32.exeCdhhdlid.exeCjbpaf32.exeCalhnpgn.exeDfiafg32.exeDmcibama.exeDdmaok32.exeDmefhako.exeDfnjafap.exeDmgbnq32.exeDhmgki32.exeDogogcpo.exeDeagdn32.exeDgbdlf32.exe

description	pid	process	target process
PID 1100 wrote to memory of 4872	1100	6d43e0f92394b20c6fe6e2413198aa62262b792832a5a08d153f4a7ceb63e0e9.exe	Cfpnph32.exe
PID 1100 wrote to memory of 4872	1100	6d43e0f92394b20c6fe6e2413198aa62262b792832a5a08d153f4a7ceb63e0e9.exe	Cfpnph32.exe
PID 1100 wrote to memory of 4872	1100	6d43e0f92394b20c6fe6e2413198aa62262b792832a5a08d153f4a7ceb63e0e9.exe	Cfpnph32.exe
PID 4872 wrote to memory of 1632	4872	Cfpnph32.exe	Cmiflbel.exe
PID 4872 wrote to memory of 1632	4872	Cfpnph32.exe	Cmiflbel.exe
PID 4872 wrote to memory of 1632	4872	Cfpnph32.exe	Cmiflbel.exe
PID 1632 wrote to memory of 3520	1632	Cmiflbel.exe	Cdcoim32.exe
PID 1632 wrote to memory of 3520	1632	Cmiflbel.exe	Cdcoim32.exe
PID 1632 wrote to memory of 3520	1632	Cmiflbel.exe	Cdcoim32.exe
PID 3520 wrote to memory of 3432	3520	Cdcoim32.exe	Cjmgfgdf.exe
PID 3520 wrote to memory of 3432	3520	Cdcoim32.exe	Cjmgfgdf.exe
PID 3520 wrote to memory of 3432	3520	Cdcoim32.exe	Cjmgfgdf.exe
PID 3432 wrote to memory of 1176	3432	Cjmgfgdf.exe	Cagobalc.exe
PID 3432 wrote to memory of 1176	3432	Cjmgfgdf.exe	Cagobalc.exe
PID 3432 wrote to memory of 1176	3432	Cjmgfgdf.exe	Cagobalc.exe
PID 1176 wrote to memory of 2760	1176	Cagobalc.exe	Cfdhkhjj.exe
PID 1176 wrote to memory of 2760	1176	Cagobalc.exe	Cfdhkhjj.exe
PID 1176 wrote to memory of 2760	1176	Cagobalc.exe	Cfdhkhjj.exe
PID 2760 wrote to memory of 3956	2760	Cfdhkhjj.exe	Cmnpgb32.exe
PID 2760 wrote to memory of 3956	2760	Cfdhkhjj.exe	Cmnpgb32.exe
PID 2760 wrote to memory of 3956	2760	Cfdhkhjj.exe	Cmnpgb32.exe
PID 3956 wrote to memory of 4696	3956	Cmnpgb32.exe	Cdhhdlid.exe
PID 3956 wrote to memory of 4696	3956	Cmnpgb32.exe	Cdhhdlid.exe
PID 3956 wrote to memory of 4696	3956	Cmnpgb32.exe	Cdhhdlid.exe
PID 4696 wrote to memory of 3900	4696	Cdhhdlid.exe	Cjbpaf32.exe
PID 4696 wrote to memory of 3900	4696	Cdhhdlid.exe	Cjbpaf32.exe
PID 4696 wrote to memory of 3900	4696	Cdhhdlid.exe	Cjbpaf32.exe
PID 3900 wrote to memory of 3300	3900	Cjbpaf32.exe	Calhnpgn.exe
PID 3900 wrote to memory of 3300	3900	Cjbpaf32.exe	Calhnpgn.exe
PID 3900 wrote to memory of 3300	3900	Cjbpaf32.exe	Calhnpgn.exe
PID 3300 wrote to memory of 3576	3300	Calhnpgn.exe	Dfiafg32.exe
PID 3300 wrote to memory of 3576	3300	Calhnpgn.exe	Dfiafg32.exe
PID 3300 wrote to memory of 3576	3300	Calhnpgn.exe	Dfiafg32.exe
PID 3576 wrote to memory of 3688	3576	Dfiafg32.exe	Dmcibama.exe
PID 3576 wrote to memory of 3688	3576	Dfiafg32.exe	Dmcibama.exe
PID 3576 wrote to memory of 3688	3576	Dfiafg32.exe	Dmcibama.exe
PID 3688 wrote to memory of 1664	3688	Dmcibama.exe	Ddmaok32.exe
PID 3688 wrote to memory of 1664	3688	Dmcibama.exe	Ddmaok32.exe
PID 3688 wrote to memory of 1664	3688	Dmcibama.exe	Ddmaok32.exe
PID 1664 wrote to memory of 464	1664	Ddmaok32.exe	Dmefhako.exe
PID 1664 wrote to memory of 464	1664	Ddmaok32.exe	Dmefhako.exe
PID 1664 wrote to memory of 464	1664	Ddmaok32.exe	Dmefhako.exe
PID 464 wrote to memory of 1000	464	Dmefhako.exe	Dfnjafap.exe
PID 464 wrote to memory of 1000	464	Dmefhako.exe	Dfnjafap.exe
PID 464 wrote to memory of 1000	464	Dmefhako.exe	Dfnjafap.exe
PID 1000 wrote to memory of 2652	1000	Dfnjafap.exe	Dmgbnq32.exe
PID 1000 wrote to memory of 2652	1000	Dfnjafap.exe	Dmgbnq32.exe
PID 1000 wrote to memory of 2652	1000	Dfnjafap.exe	Dmgbnq32.exe
PID 2652 wrote to memory of 1624	2652	Dmgbnq32.exe	Dhmgki32.exe
PID 2652 wrote to memory of 1624	2652	Dmgbnq32.exe	Dhmgki32.exe
PID 2652 wrote to memory of 1624	2652	Dmgbnq32.exe	Dhmgki32.exe
PID 1624 wrote to memory of 4120	1624	Dhmgki32.exe	Dogogcpo.exe
PID 1624 wrote to memory of 4120	1624	Dhmgki32.exe	Dogogcpo.exe
PID 1624 wrote to memory of 4120	1624	Dhmgki32.exe	Dogogcpo.exe
PID 4120 wrote to memory of 4608	4120	Dogogcpo.exe	Deagdn32.exe
PID 4120 wrote to memory of 4608	4120	Dogogcpo.exe	Deagdn32.exe
PID 4120 wrote to memory of 4608	4120	Dogogcpo.exe	Deagdn32.exe
PID 4608 wrote to memory of 2412	4608	Deagdn32.exe	Dgbdlf32.exe
PID 4608 wrote to memory of 2412	4608	Deagdn32.exe	Dgbdlf32.exe
PID 4608 wrote to memory of 2412	4608	Deagdn32.exe	Dgbdlf32.exe
PID 2412 wrote to memory of 2336	2412	Dgbdlf32.exe	Dmllipeg.exe
PID 2412 wrote to memory of 2336	2412	Dgbdlf32.exe	Dmllipeg.exe
PID 2412 wrote to memory of 2336	2412	Dgbdlf32.exe	Dmllipeg.exe

C:\Users\Admin\AppData\Local\Temp\6d43e0f92394b20c6fe6e2413198aa62262b792832a5a08d153f4a7ceb63e0e9.exe
"C:\Users\Admin\AppData\Local\Temp\6d43e0f92394b20c6fe6e2413198aa62262b792832a5a08d153f4a7ceb63e0e9.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1100
- C:\Windows\SysWOW64\Cfpnph32.exe
  C:\Windows\system32\Cfpnph32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4872
- - C:\Windows\SysWOW64\Cmiflbel.exe
    C:\Windows\system32\Cmiflbel.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1632
  - - C:\Windows\SysWOW64\Cdcoim32.exe
      C:\Windows\system32\Cdcoim32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3520
    - - C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3432
      - C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1176
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2760
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3956
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4696
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3900
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3300
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3576
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3688
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1664
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:464
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1000
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2652
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1624
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4120
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4608
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2412
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2336
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2336 -s 424
        23⤵
        Program crash
        
        PID:4236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2336 -ip 2336
1⤵
PID:636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cagobalc.exe

Filesize
192KB

MD5
702acfe08f95ede29fe782188d51c499

SHA1
100791138a29c3d36d0a92df616519f33e4c9a73

SHA256
4403fe474804c4ca6ae9a1406e70cf34e05f7b57fa8d46b2cc36933c7c3b2e88

SHA512
2a12e90014638ec29ed50a963a7196fc28909a73594e64627a8d4f4e2d51f8c23f4d1b72fb80f5ee8df96e4fb0cf8ff58368226eece33f3b01add30cb36ba5b2

Download Submit
C:\Windows\SysWOW64\Calhnpgn.exe

Filesize
192KB

MD5
1516d275221e0b58ea09364308102aa2

SHA1
31e7ba58302f22314431f8ef8009f11d4d3c12c2

SHA256
003fc8519a3b4789a33e73ce9be7755f284273dc91cefea467660f2b6c5022eb

SHA512
ec3e063c7c3854b90675882b14c7fdd570f31a71d9dbbd980d9285e94772fa9ed0cfb4191f0c1a8fc2a44524bac1c87502b36ab690766aa7105c53552423d6b6

Download Submit
C:\Windows\SysWOW64\Cdcoim32.exe

Filesize
192KB

MD5
cbf43ff9df140e6f4111290610d0bb36

SHA1
ee5c4484e6d8dfc8de0c7bc85ee9e9ddc564e144

SHA256
7427aef14591a56d0c469456935b79e9317f5013646130a380b4ccc5dd816c76

SHA512
c2968110056e34558eb61c8c49df49978dd5b90fe13a6a9a30a2e4f5cabf23cf42b5afff7d7cc0c53e7b4546bdcb1f6f759b423c21566214bb68d89e7e529b1b

Download Submit
C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
192KB

MD5
1733752e7be9035a51bc5ae8074c4f03

SHA1
32a3f0a641bec74f579b334a92574e4b72f840c2

SHA256
7cace3df73c3e320866bdcee99931ca8b85b4d836233cc78de0bc34ac0affd1f

SHA512
4eed76f16a9d66a2881a7d3823ced6c3b3286a2ded6472092a425a2db3b8072df10dfde54b1417379f27c6b339849d131322c153a35695a50bea6aae78984203

Download Submit
C:\Windows\SysWOW64\Cfdhkhjj.exe

Filesize
192KB

MD5
b091a2e37631648ef86f16d67d61a0d3

SHA1
7836f1a8c32a90ee3606ba4cce5948922c8d22ea

SHA256
66a37a5bafa9f2de5812f5adb426a0595321d727bf2774b051265fecc1a3de45

SHA512
2475a58d46e5fb16c08b4c4c5a261819416979334a17b98fb6b11e0d2abfa12ff55a2c634db1e96d2c2e394586c888990774c56a3cf880d0a974e8e0308bbc82

Download Submit
C:\Windows\SysWOW64\Cfpnph32.exe

Filesize
192KB

MD5
0b577766018748686d2a15b985703079

SHA1
a6e2a567920165603f2e4a3e6ca50245898c964d

SHA256
91169486b88e6bd02952bdd47aa3868754853f68bac25cefddc6afe4c5675217

SHA512
541de925b310323a9fbfa6c7691aad4e1243373784810e988a7586e8d2f294ea341e32e85fca0353365eeb544323058780472ab4571cfa6980ff6df37de195f4

Download Submit
C:\Windows\SysWOW64\Cjbpaf32.exe

Filesize
192KB

MD5
7254a6c07556c2261e12bca1db1dc682

SHA1
21613f1d5e2dbf9cf8005b4180f2ab6e0a15e5e4

SHA256
27dbfb57d77f6e996c8313f1b4ff1c59df35b8435d4996069fcaba22bf02dd14

SHA512
40b85ac59a735eb7c8fecd7dedafa0444890808cd2d41535af5f0bf5758bcb017acda7ec5c31d0ee45e71bccfaff953dab066f1e991855d1b0255d3e71ca88f4

Download Submit
C:\Windows\SysWOW64\Cjmgfgdf.exe

Filesize
192KB

MD5
ddb1f2db2b3ce6e0af25b2ad6b5c4a60

SHA1
4f189f141d86205a1bd4b45bec4e3ed5e99a13e6

SHA256
9968094ca78cd910b3108214e17c8da00d5273650f40c2017d78d76cd4cc9a79

SHA512
dd178319e3745adcf075cfb30786969f7f13b3e9297c2a41400188980ee4722032872efc770822aab28b7e78da5245bd5e8064b03b95c4a74bac0710d6d92bf3

Download Submit
C:\Windows\SysWOW64\Cmiflbel.exe

Filesize
192KB

MD5
cb6b1952bec0dde9b367fab963049ee4

SHA1
87d3f74c87e15a744ec596224e928bb7611a6d65

SHA256
1c8e31c288cc1dda4af1717aa48775eabaa888af20f13b99239863bf69c08a1f

SHA512
e7afc0bd283e4c1c9b74e5f034c789928f0eb7c4689c5c8a6334d83196b8fd991e786ac97cda6fc89f0acf48a2d77f97078d7330fbb7fe6d364235a9d7606a8e

Download Submit
C:\Windows\SysWOW64\Cmnpgb32.exe

Filesize
192KB

MD5
99b39902341b32970a6149bb055b39a9

SHA1
832b7d830c24389301c1f0feed9fb3d67c604746

SHA256
7e49a59ed95be434c05de263db9c34c805a95d4b9cb2a19448f5b8e7bbfa6700

SHA512
07c30e9d9a61c247c0ab01d750e72d03ef0678a03adaee0043e845224fa1bb7f5d15b31c6354067d1315bf480c49ce163de442ee2e836c0c362d189dc8eaf4b3

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
192KB

MD5
9dd4e5f96810535d769e21f6200f8544

SHA1
92924662aafa08effe11702469666beac89cec93

SHA256
0e57561866dd7102b76d870471520f1c9a2f8048f5d93ec0c514ccc2b7873b47

SHA512
d2c4b703abb937a3ae00a50d2235d688f76bbcb7c5f5745148f7c4a36c55b68600fcfe94e8c582701cd6de4764bc89d394f82335885a7c37b3b25e843aaa0c9e

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
192KB

MD5
57b7e637b2753ee109a51368585d165c

SHA1
9e238903870de0a5370e8dc77c03275e58445841

SHA256
1755fd5ad39bd5ae3a30bf655bcba40deed76fdc6efe178fc8849d8fc3766a76

SHA512
bea02472139c58908b36d92869992f375b5d7be05f3bf6ddf133ec47310f7658b30ac1bc493bfe7baba5c4572819f5d420ce40ec94c9066b61a120cd00dfdb4d

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
192KB

MD5
b3daa8307262a645f013746ef36d4dc3

SHA1
a471c09c1ed205bfdf818abb22665af7c8a6f018

SHA256
a949b864433aadafc28a66ef596de477410b835346ab93586f399ccd9655df5c

SHA512
ec38ff971fa0027af0d03c72613227faeaba0e8e239a3d66bbe0081d30b2a7b755ed1297948bd8c920e9754a4a52b1056ac9f75f0d0d0492f1625f7c6c551641

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
192KB

MD5
eeb260e363b197e782c10ea86c7c8ec9

SHA1
b445e93e61626654f95e29146200b4e6a21b354c

SHA256
72ac37d0529e9be5767818d45215b1d6f4e1034f2dc869712eacfdb5ed4f3d63

SHA512
ddc66e622454d8c706ca976351db925d1d417e5e0986a217af4dac70b7409aa2c64c70061d52e237b4ae93156e5d96e9e473d371110f209a51f28712723eaeab

Download Submit
C:\Windows\SysWOW64\Dgbdlf32.exe

Filesize
192KB

MD5
22356d8ca9825871797b88ac1f5ae934

SHA1
4c55904fddbfc8e58c17062328a3b3f1441e0671

SHA256
91f83e4ab0ce08a5e856eb8df8695bbd610574afb380a6622b79012ecf80cb5f

SHA512
02aafa84ce5dc9138e04dc05d1f4da2c5e1d2ada69e32b46a08921a45182d61d4c632187f85f13036756d09e5c68ff1df7768ce13a05918d635f21ca0661fa44

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
192KB

MD5
518d266e1506f7bafe21ce35a3f80d63

SHA1
bdfac4bc2ce962c4aaf52e81868f7e4b5da6614d

SHA256
23f7f2c1b1427a64f8b203a1955d7facbb0120c7c5e67197497543f604b8200e

SHA512
f9cf792533698a743cecc1118d58c8523febb8f94f5b4762efe74a4a1b77ccedd74da6486b1dbde26509419a9fa7979cff1d55d1c2de82ec51b1a3ee94a1ed6c

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
192KB

MD5
91a29899bd8726313f3855033461d720

SHA1
c5af9fcfb6bcabf06370dc5c93b29698be6ee92a

SHA256
c56cec21b17ede1ba13664f8451f2846236694811da82981fd94dd2704dacc55

SHA512
38270a01e27aff414ac4bd9739615e024d634bf83ee4a28c425de1aaf50910e95463c669fb48a2ca32fa0b02154f23c1141ee5f16c0e66785af91fd42f1f2932

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
192KB

MD5
e786506a5e6273e861e695a0c5a55928

SHA1
d570e3d417638112206cfa393b9239eaf27d156a

SHA256
f85a34393106f4bd20bfc148c655ad496ee2fb91a643a3627383c055291b0369

SHA512
75bc4f36065ce991a294bb6e74d985e2c2e5f1bef1f25fe858d6446b54935315886bb477a3c86f1ac739a40845b1053025c2a23e2b195a4379d73887a64e7ca2

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
192KB

MD5
bf53ba15eec161b77983b890a605690a

SHA1
37966fa27755ae35c6323a8c2e55527e0105b6b2

SHA256
2a409aaf3b94b3998ec6a86fc673275578e406b4aff06aeb9831bd00c7ef748d

SHA512
7a1c9043809cbca559045fceb4c548a2d252d0bb48111d6e246977aeb8f2e75ad7b612888c18134a25967fd6411628fa9992a0042d49392c06e390a331924bf7

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
192KB

MD5
ec26f453ce628b4eba4240f801785ef8

SHA1
6ea0f94174b8c8e418223d00d1333b0bbd404d04

SHA256
07a8850d9b56b5c5a1e67a1cdc5774ac1c2ec1d820b04c356130c1468792badb

SHA512
027c95a02f3f9812662f988ec91d8c9a0f2ba40b7fc7b10fb2cb6e09514208c4402f72d2c4bcaf5733aa8d261621039fa8221e1d05e219a915709d1d676ca973

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
192KB

MD5
b678a2ce7a2a09c6eadaab81300d452a

SHA1
dbfdbb4b78d66b0a78577aa57b23948b6cc5d7cb

SHA256
257387dc746eef67bc35a4c2ce321da4e8ac10636597d9fc35e69ee54873c5db

SHA512
69cf4ea5985ac038e83ed9be9f804262f79e47a47d9952b6c56f586c93d3789ba9248411168dac2b9aa8ca7eaeae4f573ad48d6d48da7198981563f481e73425

Download Submit
C:\Windows\SysWOW64\Echdno32.dll

Filesize
7KB

MD5
910c4237b962005e935568bb869ee1a2

SHA1
07370326764a44abc01c63ead10f6ea912db1be9

SHA256
ed56c19d1955133773e9e2794a5e71d4b4b5748945029e6b300196ab16403667

SHA512
d67dfb058ab228f1305ea8bf8303b2da307118036d94abd8ac19f48361e020bda6bac94b2f85232927bd94447f2bd8a0a60444fa6b20667a297b2a4a2cb77486

Download Submit
memory/464-184-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/464-111-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1000-182-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1000-119-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1100-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1100-212-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1176-202-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1176-39-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1624-135-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1624-177-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1632-208-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1632-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1664-186-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1664-103-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2336-171-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2336-167-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2412-172-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2412-159-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2652-180-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2652-127-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2760-200-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2760-47-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3300-79-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3300-192-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3432-31-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3432-204-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3520-24-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3520-206-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3576-190-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3576-87-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3688-188-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3688-95-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3900-71-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3900-194-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3956-198-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3956-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4120-143-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4120-178-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4608-151-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4608-174-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4696-196-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4696-63-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4872-210-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4872-7-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download