berbew | 718c96d2c1017e270c51c094c395daca39cee721016adb7ed34f32c2d858c93d

Analysis

max time kernel
96s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2024 14:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

718c96d2c1017e270c51c094c395daca39cee721016adb7ed34f32c2d858c93dN.exe
Size

93KB
MD5

54dcfb55cad82b3d7ba2632827cfc5d0
SHA1

930f021b1a9f1fc113c3942b1794340495bf692b
SHA256

718c96d2c1017e270c51c094c395daca39cee721016adb7ed34f32c2d858c93d
SHA512

e29694b1bad71cd16ddb33466d822e3207c425d47fd0c62cc16a2b73c476d372a1ed23ac1a164b32d4fd81527c16be7e3f6f441795c705da260fb1738b9c5bdc
SSDEEP

1536:2IaxaXm/mtvagbapIe1DaYfMZRWuLsV+1Z:2IaxaWettbapXgYfc0DV+1Z

Score

10^/10

berbew njrat backdoor discovery persistence trojan

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 46 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Dhkjej32.exeCaebma32.exeCmnpgb32.exeDfiafg32.exeCegdnopg.exe718c96d2c1017e270c51c094c395daca39cee721016adb7ed34f32c2d858c93dN.exeCdhhdlid.exeCmqmma32.exeCfbkeh32.exeCnicfe32.exeDdmaok32.exeCnffqf32.exeDeagdn32.exeDfpgffpm.exeDogogcpo.exeDdakjkqi.exeDgbdlf32.exeCffdpghg.exeCeckcp32.exeCfdhkhjj.exeDodbbdbb.exeDmefhako.exeDmcibama.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	718c96d2c1017e270c51c094c395daca39cee721016adb7ed34f32c2d858c93dN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	718c96d2c1017e270c51c094c395daca39cee721016adb7ed34f32c2d858c93dN.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew
Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 23 IoCs

Processes:

Cnffqf32.exeCaebma32.exeCfbkeh32.exeCnicfe32.exeCeckcp32.exeCfdhkhjj.exeCmnpgb32.exeCdhhdlid.exeCffdpghg.exeCmqmma32.exeCegdnopg.exeDfiafg32.exeDmcibama.exeDdmaok32.exeDmefhako.exeDhkjej32.exeDodbbdbb.exeDdakjkqi.exeDfpgffpm.exeDogogcpo.exeDeagdn32.exeDgbdlf32.exeDmllipeg.exe

pid	Process
972	Cnffqf32.exe
3492	Caebma32.exe
2128	Cfbkeh32.exe
1116	Cnicfe32.exe
1820	Ceckcp32.exe
4940	Cfdhkhjj.exe
2264	Cmnpgb32.exe
2484	Cdhhdlid.exe
2848	Cffdpghg.exe
4904	Cmqmma32.exe
5080	Cegdnopg.exe
220	Dfiafg32.exe
1004	Dmcibama.exe
1948	Ddmaok32.exe
2620	Dmefhako.exe
4924	Dhkjej32.exe
2120	Dodbbdbb.exe
1588	Ddakjkqi.exe
2840	Dfpgffpm.exe
4444	Dogogcpo.exe
2568	Deagdn32.exe
1560	Dgbdlf32.exe
2400	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

Processes:

Cdhhdlid.exeDfiafg32.exeDogogcpo.exe718c96d2c1017e270c51c094c395daca39cee721016adb7ed34f32c2d858c93dN.exeCaebma32.exeDdakjkqi.exeDeagdn32.exeDgbdlf32.exeDmcibama.exeDdmaok32.exeDfpgffpm.exeCfbkeh32.exeDodbbdbb.exeCeckcp32.exeCffdpghg.exeCnffqf32.exeDmefhako.exeDhkjej32.exeCmnpgb32.exeCmqmma32.exeCfdhkhjj.exeCegdnopg.exeCnicfe32.exe

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Cffdpghg.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Dchfiejc.dll	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Kmfjodai.dll	Dfiafg32.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Cnffqf32.exe	718c96d2c1017e270c51c094c395daca39cee721016adb7ed34f32c2d858c93dN.exe
File opened for modification	C:\Windows\SysWOW64\Cfbkeh32.exe	Caebma32.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Jjjald32.dll	Dmcibama.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Cnicfe32.exe	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Cfdhkhjj.exe	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Okgoadbf.dll	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Dmcibama.exe	Dfiafg32.exe
File opened for modification	C:\Windows\SysWOW64\Dmcibama.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Caebma32.exe	Cnffqf32.exe
File opened for modification	C:\Windows\SysWOW64\Caebma32.exe	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Gidbim32.dll	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Dhkjej32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Cdhhdlid.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Cegdnopg.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Ckmllpik.dll	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Ffpmlcim.dll	Cfdhkhjj.exe
File opened for modification	C:\Windows\SysWOW64\Cmqmma32.exe	Cffdpghg.exe
File opened for modification	C:\Windows\SysWOW64\Cegdnopg.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Dhkjej32.exe
File opened for modification	C:\Windows\SysWOW64\Cnffqf32.exe	718c96d2c1017e270c51c094c395daca39cee721016adb7ed34f32c2d858c93dN.exe
File created	C:\Windows\SysWOW64\Olfdahne.dll	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Cfbkeh32.exe	Caebma32.exe
File created	C:\Windows\SysWOW64\Dmefhako.exe	Ddmaok32.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	Dmcibama.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Cnicfe32.exe	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Lpggmhkg.dll	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Cdhhdlid.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Cffdpghg.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Dfiafg32.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Kkmjgool.dll	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Lfjhbihm.dll	718c96d2c1017e270c51c094c395daca39cee721016adb7ed34f32c2d858c93dN.exe
File created	C:\Windows\SysWOW64\Eifnachf.dll	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Ddmaok32.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Cmqmma32.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Ghilmi32.dll	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Cmnpgb32.exe	Cfdhkhjj.exe
File opened for modification	C:\Windows\SysWOW64\Dfiafg32.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Dmefhako.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Ceckcp32.exe	Cnicfe32.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process	procid_target
4540	2400	WerFault.exe	107

System Location Discovery: System Language Discovery 1 TTPs 24 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Cegdnopg.exeDmefhako.exeCmnpgb32.exeDmcibama.exeDdmaok32.exeDodbbdbb.exeCdhhdlid.exeCnicfe32.exeCeckcp32.exeCfdhkhjj.exeDhkjej32.exeDdakjkqi.exeDeagdn32.exeDmllipeg.exe718c96d2c1017e270c51c094c395daca39cee721016adb7ed34f32c2d858c93dN.exeCaebma32.exeCfbkeh32.exeCffdpghg.exeCmqmma32.exeDfiafg32.exeDfpgffpm.exeDogogcpo.exeCnffqf32.exeDgbdlf32.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	718c96d2c1017e270c51c094c395daca39cee721016adb7ed34f32c2d858c93dN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe

Modifies registry class 64 IoCs

Processes:

718c96d2c1017e270c51c094c395daca39cee721016adb7ed34f32c2d858c93dN.exeCnffqf32.exeCffdpghg.exeDmefhako.exeDogogcpo.exeCfbkeh32.exeCeckcp32.exeCfdhkhjj.exeCmqmma32.exeDodbbdbb.exeDdakjkqi.exeDeagdn32.exeDgbdlf32.exeCaebma32.exeCmnpgb32.exeCdhhdlid.exeCegdnopg.exeDfiafg32.exeDhkjej32.exeCnicfe32.exeDmcibama.exeDdmaok32.exeDfpgffpm.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	718c96d2c1017e270c51c094c395daca39cee721016adb7ed34f32c2d858c93dN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	718c96d2c1017e270c51c094c395daca39cee721016adb7ed34f32c2d858c93dN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olfdahne.dll"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghilmi32.dll"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfjhbihm.dll"	718c96d2c1017e270c51c094c395daca39cee721016adb7ed34f32c2d858c93dN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	718c96d2c1017e270c51c094c395daca39cee721016adb7ed34f32c2d858c93dN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Caebma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfjodai.dll"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	718c96d2c1017e270c51c094c395daca39cee721016adb7ed34f32c2d858c93dN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifnachf.dll"	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckmllpik.dll"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjald32.dll"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okgoadbf.dll"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekjiam.dll"	Caebma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfpgffpm.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

718c96d2c1017e270c51c094c395daca39cee721016adb7ed34f32c2d858c93dN.exeCnffqf32.exeCaebma32.exeCfbkeh32.exeCnicfe32.exeCeckcp32.exeCfdhkhjj.exeCmnpgb32.exeCdhhdlid.exeCffdpghg.exeCmqmma32.exeCegdnopg.exeDfiafg32.exeDmcibama.exeDdmaok32.exeDmefhako.exeDhkjej32.exeDodbbdbb.exeDdakjkqi.exeDfpgffpm.exeDogogcpo.exeDeagdn32.exe

description	pid	Process	procid_target
PID 4836 wrote to memory of 972	4836	718c96d2c1017e270c51c094c395daca39cee721016adb7ed34f32c2d858c93dN.exe	85
PID 4836 wrote to memory of 972	4836	718c96d2c1017e270c51c094c395daca39cee721016adb7ed34f32c2d858c93dN.exe	85
PID 4836 wrote to memory of 972	4836	718c96d2c1017e270c51c094c395daca39cee721016adb7ed34f32c2d858c93dN.exe	85
PID 972 wrote to memory of 3492	972	Cnffqf32.exe	86
PID 972 wrote to memory of 3492	972	Cnffqf32.exe	86
PID 972 wrote to memory of 3492	972	Cnffqf32.exe	86
PID 3492 wrote to memory of 2128	3492	Caebma32.exe	87
PID 3492 wrote to memory of 2128	3492	Caebma32.exe	87
PID 3492 wrote to memory of 2128	3492	Caebma32.exe	87
PID 2128 wrote to memory of 1116	2128	Cfbkeh32.exe	88
PID 2128 wrote to memory of 1116	2128	Cfbkeh32.exe	88
PID 2128 wrote to memory of 1116	2128	Cfbkeh32.exe	88
PID 1116 wrote to memory of 1820	1116	Cnicfe32.exe	89
PID 1116 wrote to memory of 1820	1116	Cnicfe32.exe	89
PID 1116 wrote to memory of 1820	1116	Cnicfe32.exe	89
PID 1820 wrote to memory of 4940	1820	Ceckcp32.exe	90
PID 1820 wrote to memory of 4940	1820	Ceckcp32.exe	90
PID 1820 wrote to memory of 4940	1820	Ceckcp32.exe	90
PID 4940 wrote to memory of 2264	4940	Cfdhkhjj.exe	91
PID 4940 wrote to memory of 2264	4940	Cfdhkhjj.exe	91
PID 4940 wrote to memory of 2264	4940	Cfdhkhjj.exe	91
PID 2264 wrote to memory of 2484	2264	Cmnpgb32.exe	92
PID 2264 wrote to memory of 2484	2264	Cmnpgb32.exe	92
PID 2264 wrote to memory of 2484	2264	Cmnpgb32.exe	92
PID 2484 wrote to memory of 2848	2484	Cdhhdlid.exe	93
PID 2484 wrote to memory of 2848	2484	Cdhhdlid.exe	93
PID 2484 wrote to memory of 2848	2484	Cdhhdlid.exe	93
PID 2848 wrote to memory of 4904	2848	Cffdpghg.exe	94
PID 2848 wrote to memory of 4904	2848	Cffdpghg.exe	94
PID 2848 wrote to memory of 4904	2848	Cffdpghg.exe	94
PID 4904 wrote to memory of 5080	4904	Cmqmma32.exe	95
PID 4904 wrote to memory of 5080	4904	Cmqmma32.exe	95
PID 4904 wrote to memory of 5080	4904	Cmqmma32.exe	95
PID 5080 wrote to memory of 220	5080	Cegdnopg.exe	96
PID 5080 wrote to memory of 220	5080	Cegdnopg.exe	96
PID 5080 wrote to memory of 220	5080	Cegdnopg.exe	96
PID 220 wrote to memory of 1004	220	Dfiafg32.exe	97
PID 220 wrote to memory of 1004	220	Dfiafg32.exe	97
PID 220 wrote to memory of 1004	220	Dfiafg32.exe	97
PID 1004 wrote to memory of 1948	1004	Dmcibama.exe	98
PID 1004 wrote to memory of 1948	1004	Dmcibama.exe	98
PID 1004 wrote to memory of 1948	1004	Dmcibama.exe	98
PID 1948 wrote to memory of 2620	1948	Ddmaok32.exe	99
PID 1948 wrote to memory of 2620	1948	Ddmaok32.exe	99
PID 1948 wrote to memory of 2620	1948	Ddmaok32.exe	99
PID 2620 wrote to memory of 4924	2620	Dmefhako.exe	100
PID 2620 wrote to memory of 4924	2620	Dmefhako.exe	100
PID 2620 wrote to memory of 4924	2620	Dmefhako.exe	100
PID 4924 wrote to memory of 2120	4924	Dhkjej32.exe	101
PID 4924 wrote to memory of 2120	4924	Dhkjej32.exe	101
PID 4924 wrote to memory of 2120	4924	Dhkjej32.exe	101
PID 2120 wrote to memory of 1588	2120	Dodbbdbb.exe	102
PID 2120 wrote to memory of 1588	2120	Dodbbdbb.exe	102
PID 2120 wrote to memory of 1588	2120	Dodbbdbb.exe	102
PID 1588 wrote to memory of 2840	1588	Ddakjkqi.exe	103
PID 1588 wrote to memory of 2840	1588	Ddakjkqi.exe	103
PID 1588 wrote to memory of 2840	1588	Ddakjkqi.exe	103
PID 2840 wrote to memory of 4444	2840	Dfpgffpm.exe	104
PID 2840 wrote to memory of 4444	2840	Dfpgffpm.exe	104
PID 2840 wrote to memory of 4444	2840	Dfpgffpm.exe	104
PID 4444 wrote to memory of 2568	4444	Dogogcpo.exe	105
PID 4444 wrote to memory of 2568	4444	Dogogcpo.exe	105
PID 4444 wrote to memory of 2568	4444	Dogogcpo.exe	105
PID 2568 wrote to memory of 1560	2568	Deagdn32.exe	106

C:\Users\Admin\AppData\Local\Temp\718c96d2c1017e270c51c094c395daca39cee721016adb7ed34f32c2d858c93dN.exe
"C:\Users\Admin\AppData\Local\Temp\718c96d2c1017e270c51c094c395daca39cee721016adb7ed34f32c2d858c93dN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4836
- C:\Windows\SysWOW64\Cnffqf32.exe
  C:\Windows\system32\Cnffqf32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:972
- - C:\Windows\SysWOW64\Caebma32.exe
    C:\Windows\system32\Caebma32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3492
  - - C:\Windows\SysWOW64\Cfbkeh32.exe
      C:\Windows\system32\Cfbkeh32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2128
    - - C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1116
      - C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1820
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4940
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2264
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2484
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2848
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4904
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5080
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:220
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1004
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1948
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2620
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4924
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2120
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1588
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2840
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4444
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2568
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1560
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2400
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2400 -s 408
        25⤵
        Program crash
        
        PID:4540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2400 -ip 2400
1⤵
PID:2880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Caebma32.exe

Filesize
93KB

MD5
635cd8f043b39a0982aa95ee085c35d0

SHA1
39202e3c03b089b3d9ca0194e24b33541cdde810

SHA256
e32820b038803f081adb5d57bc7fa4a5589a8e34a4b6959d312e84ee92f42068

SHA512
7417d3a6cbf26d609fb5d681d0beb144bbb457211c40d909e52e1c2a101658c413f90b05de090f0b7a077abfbb0af0799abfc64a43280f3d4c61966db9f33a29

Download Submit
C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
93KB

MD5
8fd0fd7be1707e9e2e39c5cc09285103

SHA1
60d1384410ee7cd5c08fa6e83b1a09aa80b92170

SHA256
2a00ad3ebe103d47166f0b1f11b2597ed7028e00c69d699b92d649f104775eff

SHA512
98bb12bcffa34b6d2abfc0470f4c955aca3fef89b16eb5d70b7fb269ddbc6c5d793921a4725f2da98312bf374648b529bae73d1cd40335f73643e1ef1cea4adf

Download Submit
C:\Windows\SysWOW64\Ceckcp32.exe

Filesize
93KB

MD5
3e455c5a587410b4e333cb35ead48e55

SHA1
6acd2f6ea55f8edce8a25d153f178cfee3c20337

SHA256
563467b052413f877322b0620e737247feeb78c90a647b0ea19b3bf8ea3c4e1e

SHA512
9f098c6b8933c5db084b7c2f618034bcd33eb0e1e0d20c061fd7001b398c69ede1ff81155094a31101754ff74ee92eafdbccd9e568520c335a76d574405e7000

Download Submit
C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
93KB

MD5
35f06962e449c9c2169b0f84eafa9e58

SHA1
d3e27aa21866eb842dda4075a98144c1c9c68aa9

SHA256
09849c2a10a0cd30e0e27e3baef8f7621dd98031d4daa9d4c7d6c8b7a28d32e7

SHA512
92a1ac4a72ebf747ec76f13053efe881c724f985aabe1954fc897bba6fefc88ec80ef7fd252e10a191f56dac8fb934e3baa9dd34380f1fcf8b406d70ec33a6b6

Download Submit
C:\Windows\SysWOW64\Cfbkeh32.exe

Filesize
93KB

MD5
ee87ade5e1dffcd1098d041f6b9ac5a1

SHA1
b67fb3d046069afe9e2ac701ef9e31d3174977cd

SHA256
309b1b138d5ff44d730c9cbc8d572cd710ecaa23c0118ce0e607f7f92395ede9

SHA512
fb4889f706750e01e132cb3982470955121e2cfceee9362e458cf15e81a6b99e2a502a5bf05a6db842b8928c13d6714ea9251e69f5ba3e0a4e87e0a29d802e57

Download Submit
C:\Windows\SysWOW64\Cfdhkhjj.exe

Filesize
93KB

MD5
91da708b89da95a4e6edd6c734a4e9f4

SHA1
a9409f1bafbae5f9cbab4f1359774bd5d519a431

SHA256
2508305c368cd4578d5e53792d1b590ec017cf7c27f461e5faffc56034e0062c

SHA512
c199dfbce4fcc2691b0ab3b828164d2f38d88a0d90fd759485b96fefe755725179689c8358fa79d328a7cb51bb4e1fc92ceed5b000cc31b886eb57acbc8294b7

Download Submit
C:\Windows\SysWOW64\Cffdpghg.exe

Filesize
93KB

MD5
46b320547e1400b2caeb8d8a6ac04079

SHA1
b35bd544a3477d216df5ddb59fd50c91546c2edf

SHA256
3aa7cd86db2808d5652e7d1e2ce451d560b71ae30b427c006058d3aca710c28a

SHA512
ffd5a79990817a1c65a47720c520efad6c596b0dfe507069e4e711ac6a9445f91d3caf4bec5490e0715e1153793a62448001c3e8be1a8cf0fbc39ffdc9d20027

Download Submit
C:\Windows\SysWOW64\Cmnpgb32.exe

Filesize
93KB

MD5
c7f1f9fcc2ea4c234b2c412d38159ce9

SHA1
068a79deabd510de7abc9667e674d0c39350f48e

SHA256
b0cf60981f79e628bb3523eb5ae03f3d8389b6a823d6f7d5829f90178cb08f11

SHA512
d5019fd5a4b13a905174e4ceeb980b6093644550f80fdab5f0339e899db128157939ec904abf788db9adfdccd08938658d8beef47cc9fc9c5c35913132e542a6

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
93KB

MD5
afe59f514c1f54f5d5cf276ce0530325

SHA1
25ea18405915ec7d19ec680d7c7b3d0c4ed0d638

SHA256
084943f537c651bec49f51efc5ae5a7f8f3ccd6d3fb151e57a5a9ce7bab7f067

SHA512
4294d8f5aed2e53639fdf5b194f66c12ca00194f90f6cd3055ef06fc768057c0c7915891da20781e96d9bd175d6baf93a5784ae8e817b6f4f042dca5bce8a2b9

Download Submit
C:\Windows\SysWOW64\Cnffqf32.exe

Filesize
93KB

MD5
7b680ede445768f06a2c5adcb90c32db

SHA1
0879713612fcb135124eef208b4829c3f7546584

SHA256
9311726d2fdaa69477e546c3e07eb32d12c60adeb31c96ed6a79e7a49f19733c

SHA512
51387ccc58efceb42191261223bd753d980de2f0f05ea936248a06f323248f1209ab593bc1d9f9011c0074cbd69c68dcea265476a7c9b2f82653b67f299dd40a

Download Submit
C:\Windows\SysWOW64\Cnicfe32.exe

Filesize
93KB

MD5
d6dbab217f553b24a7ecda9f59c9b9fd

SHA1
31caa15433733dd156ef704666ed4d5c63f5beb9

SHA256
074539cb42807656e78def0635294b69a96173cd4be6944bc208a0a98be4fa01

SHA512
fc8d3e2c0fb60f4ea14cab1bb77ab275352f88a57be39f9f4e880d1d801b8bacdb4927da688243991dd9a9fd0856e68723ce6787fc4b006586280f23449d025e

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
93KB

MD5
ee220e30ccb5f542404d4c07b0d4dd1e

SHA1
d2312d1e4e4bc711a1be941f5afb19138994cb99

SHA256
74a040da64e0c407d14a5be1ede18c821f50bc5e116c73563711669a36f278a7

SHA512
bf1c5a8837d8f1f7cddd293cd0588e921709e98a391621201581325eebff80ac43317210ba485c5fb87080ae5c9ef38d91ca0b19189b1a7435bce75f71ae0671

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
93KB

MD5
33e238ce2fd177f77317e991d5cc82ff

SHA1
54ff3f6b9ba5e9958a556aeb8be4566999fc524e

SHA256
c24ad62bb39cb8888d65a50027ff29bca38f65f826d53047370f6bc63b71d0a2

SHA512
b7aa042905f7c05ed012e2526384f95c85a76befd8dc2ef8167263fa3f64a045bb312020752925ebfca7926d5959534b80d6e4ba8ab05c905eb39aeff65aa5ca

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
93KB

MD5
5baacce98314e28c0ad78b828faf4600

SHA1
28d25bcbc84c10cd9b88459908b82ec382fe1708

SHA256
8beb4a7463ff5bb5d9be6b258852c2071879750d13e15223007a6bb69bbea7f1

SHA512
ae47922e0af1edcc39429446f598334e70d02ca2777c86cd58a7080b4741758f635ceba870b93fa7daac6847285a02b5727d99af536ecfe0e9e680c99d01b921

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
93KB

MD5
cc1cc83ce29c021ba94c2c6f69f896a0

SHA1
dd1c2f351c05799b082b97fdb30491d6f6128e27

SHA256
5ac54724fdc116693e7d6fec0e184d794fa55c1794cdae2efda97468240abdf7

SHA512
a5abce26e53b8182ccca949b6fe6191b7132b3129ce2e22080a341e9e37c4591c22cdc640d945306da2a8fa8c04d82bcdca8b19e278bb1b6018e583facace424

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
93KB

MD5
8ce28c4210839f2e5f66ee6abbc79b4d

SHA1
33796dfa694597e9ce3fa4d95129ac4727871ded

SHA256
ea077b6d0adac634bcdaa31c5b1efe30bfd9d046a9b8be162ce0ea09ce44e255

SHA512
4df39c125502fe48bc7974233c083dea2660ec280e6248f0102741c019bd54a7f5c6479aa9aa03aa211ea9d8f41d3fe6de2f06b709d317912066ac74ab99baa7

Download Submit
C:\Windows\SysWOW64\Dgbdlf32.exe

Filesize
93KB

MD5
a5d2e85601f51fcc6603421d12d70beb

SHA1
6e3da7775eee4016f7ab626dc3e820761cee6e43

SHA256
55a10cfe44d750957e6ced100a2189ab9ad7b42c8c452931bbb6eaa8e7dcea1a

SHA512
f56ec8fa176a40567c6afe5ce3d77e94c8d0ebe2795aa2b093fb314ec90a5b599768b60f0951265b7c5a8af06d45b2c0295bd7c31717e2fb3b0018e60b3a3003

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
93KB

MD5
5e401fa20f22ed3ec57cdb56d15aec8b

SHA1
81a2b8b05529f4309ec8dbeed7808da793c53bc9

SHA256
c138e46aadd20698678fe8ce3712684132385d36215b1916d6e45742c7f4ade6

SHA512
f81e32fdbe3d41fce644ba6c157a1838b7b64e4b4ec1d999150f1157058a2bf74280210e9551fbda33ccd634185f0361f4452fe2b955b5f460e2b194127faa18

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
93KB

MD5
690ee166918405833bf73df1a7c22613

SHA1
84014656da2a1b2e37f6fde89e21e4467ea64a53

SHA256
d8a4edc25e936118f67093552a72a6f60a5648099b443a164605c5f8c176d3fe

SHA512
3b4c4109179bf11338d829be9c99c3a84b23523b2c8db815d1b1798ec7b7d4eacbf5a42e1361e2e0b9d746938852e31f4257e24db6816b7ddbfc1cdca37a9635

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
93KB

MD5
0a1247e525ec09b9510e80a8134cf740

SHA1
538b947d1a31b294fdb5be3a784ba1af1ab84b2b

SHA256
3add42d262d07c227965dc10ae21a9ea5fd94a2aa3af52ddf222bc955fb81006

SHA512
9e3d5782f8b85888985683642ca91b48f65ceb60803b199997a7915d5aa75230a96162a51d906d9f4244b89bc53fefa978f10e6bfbf7772d9bfec03658f9ebf4

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
93KB

MD5
50f65ccbfd0919969b9257c067d1c11a

SHA1
97008b72842933ace09ccd3f8ffa326312f44319

SHA256
fd3f1d8c5a95c214524d6595978736e33cce34a2e71b437dec72a28c6d21f2bb

SHA512
5551698cfe2e3534b6a38d27cc915cad2c13f1b147814df51a267acc0cefdbfb09e2a601c2e793a0565fa67cf1a28442cdbd5dd6c165f6b146e8cb96f715ae63

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
93KB

MD5
c2ace7936f190423583a264728ccb570

SHA1
d37039e6c385b7b710cd362c29988b0750ce241d

SHA256
0e534343ed8fd6fd3224b95a4ad4e37b28e3ca186766a475896388c2ba13d1c2

SHA512
617112d83e19eac6c5c5e9e0e9f89b5510ef7e368c9b0157d166496d3f3245b6ccdcafe43272615f7b811906b0b03d8afb8d58d8c8c56272f590f457b0ffd6b2

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
93KB

MD5
498fb29db8a703333e704d7947ad03b3

SHA1
30d2db4a5884bc85ba38059a452a05b95d8e668a

SHA256
dbae33e6739ead0fa956df5e94e2b4dc106f0a71e3be4b6450c0ce7918ab79cc

SHA512
8f0dbff853f7462d6e11c620b83e628449c9d2f465173de5008ac8d66f39cc582700af9eaed950c849d4cbb056f21d8ce940cc62f9cf8146371cdd5153dfefd4

Download Submit
memory/220-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/220-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/972-230-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/972-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1004-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1004-206-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1116-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1116-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1560-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1560-188-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1588-145-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1588-196-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1820-222-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1820-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1948-204-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1948-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2120-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2120-198-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2128-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2128-226-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2264-218-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2264-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2400-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2400-186-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2484-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2484-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2568-190-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2568-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2620-202-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2620-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2840-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2840-194-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2848-214-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2848-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3492-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3492-228-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4444-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4444-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4836-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4836-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4836-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4904-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4904-212-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4924-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4924-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4940-220-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4940-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5080-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5080-210-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download