berbew | dcbd72e8b7f6b418960e2b4857c1d0aa62d264e0254bdd8b1adf631e10a49164

Analysis

max time kernel
95s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27-11-2024 13:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dcbd72e8b7f6b418960e2b4857c1d0aa62d264e0254bdd8b1adf631e10a49164.exe
Size

163KB
MD5

19310c6eccd6507997390f401cf9f0d2
SHA1

92a272ac35c50d6685d86c1513493040f9d12898
SHA256

dcbd72e8b7f6b418960e2b4857c1d0aa62d264e0254bdd8b1adf631e10a49164
SHA512

10114c93de371ab8204a18794a838122869c443ff1e7ec242601eda4ab61dcd4ff34ec0766021b96cd4fb310bb1204043f388586d7156eef6bb05d571934c1d3
SSDEEP

1536:PX4VtWHtpryEJUfHrkhAT8LbctNzSIblProNVU4qNVUrk/9QbfBr+7GwKrPAsqNz:bHumcz7bltOrWKDBr+yJbg

Score

10^/10

berbew gozi backdoor banker discovery isfb persistence trojan

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://master-x.com/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://crutop.ru/index.php

http://kaspersky.ru/index.php

http://color-bank.ru/index.php

http://adult-empire.com/index.php

http://virus-list.com/index.php

http://trojan.ru/index.php

http://xware.cjb.net/index.htm

http://konfiskat.org/index.htm

http://parex-bank.ru/index.htm

http://fethard.biz/index.htm

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

Extracted

Family

gozi

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Pfjcgn32.exeAjkaii32.exeCfmajipb.exeCmiflbel.exeDogogcpo.exePflplnlg.exePfolbmje.exeAnmjcieo.exeAfhohlbj.exeAeiofcji.exeBgcknmop.exeQdbiedpa.exeAqppkd32.exeBmemac32.exeDanecp32.exeDmgbnq32.exeCalhnpgn.exeDopigd32.exedcbd72e8b7f6b418960e2b4857c1d0aa62d264e0254bdd8b1adf631e10a49164.exeQddfkd32.exeDgbdlf32.exeAabmqd32.exeDhhnpjmh.exeDfpgffpm.exePjhlml32.exeCfbkeh32.exeChcddk32.exeDelnin32.exePqdqof32.exeBfdodjhm.exeCmqmma32.exeDobfld32.exeDfiafg32.exeAepefb32.exeBeeoaapl.exeBclhhnca.exeCmnpgb32.exeDhfajjoj.exeDhkjej32.exePfaigm32.exeBmkjkd32.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfjcgn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pflplnlg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfolbmje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anmjcieo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afhohlbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	dcbd72e8b7f6b418960e2b4857c1d0aa62d264e0254bdd8b1adf631e10a49164.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmemac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qdbiedpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjhlml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqdqof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfdodjhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqppkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjhlml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfolbmje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew
Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Gozi family
gozi

Executes dropped EXE 50 IoCs

Processes:

Pfhfan32.exePdifoehl.exePfjcgn32.exePflplnlg.exePjhlml32.exePfolbmje.exePqdqof32.exePfaigm32.exeQdbiedpa.exeQmmnjfnl.exeQddfkd32.exeAnmjcieo.exeAfhohlbj.exeAeiofcji.exeAnadoi32.exeAqppkd32.exeAabmqd32.exeAjkaii32.exeAepefb32.exeBmkjkd32.exeBfdodjhm.exeBeeoaapl.exeBgcknmop.exeBfhhoi32.exeBclhhnca.exeBmemac32.exeCfmajipb.exeCdabcm32.exeCmiflbel.exeCfbkeh32.exeChagok32.exeCmnpgb32.exeChcddk32.exeCmqmma32.exeCalhnpgn.exeDhfajjoj.exeDfiafg32.exeDopigd32.exeDanecp32.exeDhhnpjmh.exeDfknkg32.exeDobfld32.exeDelnin32.exeDhkjej32.exeDmgbnq32.exeDfpgffpm.exeDogogcpo.exeDddhpjof.exeDgbdlf32.exeDmllipeg.exe

pid	Process
4520	Pfhfan32.exe
3516	Pdifoehl.exe
4996	Pfjcgn32.exe
4764	Pflplnlg.exe
3936	Pjhlml32.exe
4588	Pfolbmje.exe
4276	Pqdqof32.exe
4128	Pfaigm32.exe
2132	Qdbiedpa.exe
3276	Qmmnjfnl.exe
1004	Qddfkd32.exe
3384	Anmjcieo.exe
3420	Afhohlbj.exe
3180	Aeiofcji.exe
660	Anadoi32.exe
4828	Aqppkd32.exe
3136	Aabmqd32.exe
756	Ajkaii32.exe
3692	Aepefb32.exe
3228	Bmkjkd32.exe
2356	Bfdodjhm.exe
3852	Beeoaapl.exe
5104	Bgcknmop.exe
392	Bfhhoi32.exe
1896	Bclhhnca.exe
992	Bmemac32.exe
1988	Cfmajipb.exe
2944	Cdabcm32.exe
948	Cmiflbel.exe
1240	Cfbkeh32.exe
2744	Chagok32.exe
5016	Cmnpgb32.exe
4300	Chcddk32.exe
4796	Cmqmma32.exe
1444	Calhnpgn.exe
5080	Dhfajjoj.exe
2296	Dfiafg32.exe
1008	Dopigd32.exe
3392	Danecp32.exe
3500	Dhhnpjmh.exe
3640	Dfknkg32.exe
2000	Dobfld32.exe
3052	Delnin32.exe
1348	Dhkjej32.exe
2868	Dmgbnq32.exe
928	Dfpgffpm.exe
4564	Dogogcpo.exe
4824	Dddhpjof.exe
4500	Dgbdlf32.exe
3324	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

Processes:

Dobfld32.exePflplnlg.exePfolbmje.exeAfhohlbj.exeAnadoi32.exeBmkjkd32.exeChagok32.exeDhhnpjmh.exeDelnin32.exePfhfan32.exePdifoehl.exeCdabcm32.exeCmiflbel.exeDfknkg32.exeCfbkeh32.exeDogogcpo.exeDgbdlf32.exeAepefb32.exeDfiafg32.exeDmgbnq32.exePjhlml32.exePqdqof32.exeAeiofcji.exeCmnpgb32.exeDhkjej32.exeQdbiedpa.exeQmmnjfnl.exePfaigm32.exeAnmjcieo.exeBeeoaapl.exeBfdodjhm.exeBclhhnca.exePfjcgn32.exeBgcknmop.exeBmemac32.exeCalhnpgn.exeCfmajipb.exeCmqmma32.exeDopigd32.exeDfpgffpm.exeDanecp32.exe

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Pjhlml32.exe	Pflplnlg.exe
File created	C:\Windows\SysWOW64\Pqdqof32.exe	Pfolbmje.exe
File opened for modification	C:\Windows\SysWOW64\Aeiofcji.exe	Afhohlbj.exe
File created	C:\Windows\SysWOW64\Jlklhm32.dll	Anadoi32.exe
File opened for modification	C:\Windows\SysWOW64\Bfdodjhm.exe	Bmkjkd32.exe
File opened for modification	C:\Windows\SysWOW64\Cmnpgb32.exe	Chagok32.exe
File created	C:\Windows\SysWOW64\Dfknkg32.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Delnin32.exe
File created	C:\Windows\SysWOW64\Kkbljp32.dll	Pfhfan32.exe
File created	C:\Windows\SysWOW64\Pfjcgn32.exe	Pdifoehl.exe
File opened for modification	C:\Windows\SysWOW64\Cmiflbel.exe	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Ghekjiam.dll	Cmiflbel.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Dfknkg32.exe
File opened for modification	C:\Windows\SysWOW64\Chagok32.exe	Cfbkeh32.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Bmkjkd32.exe	Aepefb32.exe
File opened for modification	C:\Windows\SysWOW64\Dopigd32.exe	Dfiafg32.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Pfolbmje.exe	Pjhlml32.exe
File created	C:\Windows\SysWOW64\Empbnb32.dll	Pqdqof32.exe
File opened for modification	C:\Windows\SysWOW64\Anadoi32.exe	Aeiofcji.exe
File opened for modification	C:\Windows\SysWOW64\Pqdqof32.exe	Pfolbmje.exe
File created	C:\Windows\SysWOW64\Aqppkd32.exe	Anadoi32.exe
File created	C:\Windows\SysWOW64\Bilonkon.dll	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Qmmnjfnl.exe	Qdbiedpa.exe
File created	C:\Windows\SysWOW64\Hjfgfh32.dll	Qmmnjfnl.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Qdbiedpa.exe	Pfaigm32.exe
File created	C:\Windows\SysWOW64\Kboeke32.dll	Anmjcieo.exe
File opened for modification	C:\Windows\SysWOW64\Aqppkd32.exe	Anadoi32.exe
File opened for modification	C:\Windows\SysWOW64\Bgcknmop.exe	Beeoaapl.exe
File opened for modification	C:\Windows\SysWOW64\Pdifoehl.exe	Pfhfan32.exe
File created	C:\Windows\SysWOW64\Afhohlbj.exe	Anmjcieo.exe
File created	C:\Windows\SysWOW64\Cmiflbel.exe	Cdabcm32.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Beeoaapl.exe	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Mogqfgka.dll	Bclhhnca.exe
File opened for modification	C:\Windows\SysWOW64\Pflplnlg.exe	Pfjcgn32.exe
File created	C:\Windows\SysWOW64\Pfaigm32.exe	Pqdqof32.exe
File opened for modification	C:\Windows\SysWOW64\Qddfkd32.exe	Qmmnjfnl.exe
File created	C:\Windows\SysWOW64\Bfhhoi32.exe	Bgcknmop.exe
File opened for modification	C:\Windows\SysWOW64\Cfmajipb.exe	Bmemac32.exe
File opened for modification	C:\Windows\SysWOW64\Dhfajjoj.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Pdifoehl.exe	Pfhfan32.exe
File created	C:\Windows\SysWOW64\Ekphijkm.dll	Pdifoehl.exe
File created	C:\Windows\SysWOW64\Gbmhofmq.dll	Pfjcgn32.exe
File created	C:\Windows\SysWOW64\Kgldjcmk.dll	Pfaigm32.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Dobfld32.exe
File created	C:\Windows\SysWOW64\Anadoi32.exe	Aeiofcji.exe
File created	C:\Windows\SysWOW64\Cdabcm32.exe	Cfmajipb.exe
File opened for modification	C:\Windows\SysWOW64\Calhnpgn.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Danecp32.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Pfolbmje.exe	Pjhlml32.exe
File created	C:\Windows\SysWOW64\Qddfkd32.exe	Qmmnjfnl.exe
File created	C:\Windows\SysWOW64\Nbgngp32.dll	Danecp32.exe
File created	C:\Windows\SysWOW64\Cogflbdn.dll	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Cfbkeh32.exe	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Dobfld32.exe	Dfknkg32.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process	procid_target
3924	3324	WerFault.exe	132

System Location Discovery: System Language Discovery 1 TTPs 51 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Qddfkd32.exeBeeoaapl.exeCdabcm32.exeCmiflbel.exeCmqmma32.exeDgbdlf32.exePfaigm32.exeAnmjcieo.exeAepefb32.exeDopigd32.exeDobfld32.exeDddhpjof.exeDfiafg32.exeDfpgffpm.exePqdqof32.exeQdbiedpa.exeAabmqd32.exeBmkjkd32.exeCmnpgb32.exeCalhnpgn.exePfolbmje.exeBfhhoi32.exeBclhhnca.exeCfmajipb.exeDhfajjoj.exeDogogcpo.exeDhkjej32.exeDmllipeg.exePfhfan32.exeAfhohlbj.exeChcddk32.exeDanecp32.exeDhhnpjmh.exeDfknkg32.exeAqppkd32.exeAjkaii32.exeBfdodjhm.exeCfbkeh32.exeChagok32.exeDmgbnq32.exeDelnin32.exePfjcgn32.exePflplnlg.exePjhlml32.exeAeiofcji.exeBgcknmop.exeBmemac32.exedcbd72e8b7f6b418960e2b4857c1d0aa62d264e0254bdd8b1adf631e10a49164.exePdifoehl.exeQmmnjfnl.exeAnadoi32.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qddfkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfaigm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqdqof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdbiedpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aabmqd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfolbmje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfhfan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afhohlbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqppkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfjcgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pflplnlg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjhlml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeiofcji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dcbd72e8b7f6b418960e2b4857c1d0aa62d264e0254bdd8b1adf631e10a49164.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdifoehl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmmnjfnl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anadoi32.exe

Modifies registry class 64 IoCs

Processes:

Delnin32.exePqdqof32.exeAnmjcieo.exeBgcknmop.exeDfiafg32.exeDgbdlf32.exePfjcgn32.exeBeeoaapl.exePflplnlg.exeAfhohlbj.exeAeiofcji.exeDhfajjoj.exeDhhnpjmh.exedcbd72e8b7f6b418960e2b4857c1d0aa62d264e0254bdd8b1adf631e10a49164.exePfhfan32.exeBfdodjhm.exeBclhhnca.exeCdabcm32.exeDfknkg32.exePfaigm32.exeAabmqd32.exePdifoehl.exeQmmnjfnl.exeDhkjej32.exePfolbmje.exeAjkaii32.exeCfbkeh32.exeDogogcpo.exeQdbiedpa.exeAnadoi32.exeBfhhoi32.exeDmgbnq32.exeQddfkd32.exeCmiflbel.exeDobfld32.exeDfpgffpm.exeCmnpgb32.exePjhlml32.exeCalhnpgn.exeAepefb32.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kboeke32.dll"	Anmjcieo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfjcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akichh32.dll"	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pflplnlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afhohlbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogflbdn.dll"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	dcbd72e8b7f6b418960e2b4857c1d0aa62d264e0254bdd8b1adf631e10a49164.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkbljp32.dll"	Pfhfan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfdodjhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oahicipe.dll"	Aabmqd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdifoehl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfgfh32.dll"	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mogqfgka.dll"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	dcbd72e8b7f6b418960e2b4857c1d0aa62d264e0254bdd8b1adf631e10a49164.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ochpdn32.dll"	Pfolbmje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	dcbd72e8b7f6b418960e2b4857c1d0aa62d264e0254bdd8b1adf631e10a49164.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdifoehl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbmhofmq.dll"	Pfjcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlklhm32.dll"	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjlogcip.dll"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfolbmje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkmlea32.dll"	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlaqpipg.dll"	Pflplnlg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Delnin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfhfan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjhlml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbloam32.dll"	Cdabcm32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

dcbd72e8b7f6b418960e2b4857c1d0aa62d264e0254bdd8b1adf631e10a49164.exePfhfan32.exePdifoehl.exePfjcgn32.exePflplnlg.exePjhlml32.exePfolbmje.exePqdqof32.exePfaigm32.exeQdbiedpa.exeQmmnjfnl.exeQddfkd32.exeAnmjcieo.exeAfhohlbj.exeAeiofcji.exeAnadoi32.exeAqppkd32.exeAabmqd32.exeAjkaii32.exeAepefb32.exeBmkjkd32.exeBfdodjhm.exe

description	pid	Process	procid_target
PID 464 wrote to memory of 4520	464	dcbd72e8b7f6b418960e2b4857c1d0aa62d264e0254bdd8b1adf631e10a49164.exe	83
PID 464 wrote to memory of 4520	464	dcbd72e8b7f6b418960e2b4857c1d0aa62d264e0254bdd8b1adf631e10a49164.exe	83
PID 464 wrote to memory of 4520	464	dcbd72e8b7f6b418960e2b4857c1d0aa62d264e0254bdd8b1adf631e10a49164.exe	83
PID 4520 wrote to memory of 3516	4520	Pfhfan32.exe	84
PID 4520 wrote to memory of 3516	4520	Pfhfan32.exe	84
PID 4520 wrote to memory of 3516	4520	Pfhfan32.exe	84
PID 3516 wrote to memory of 4996	3516	Pdifoehl.exe	85
PID 3516 wrote to memory of 4996	3516	Pdifoehl.exe	85
PID 3516 wrote to memory of 4996	3516	Pdifoehl.exe	85
PID 4996 wrote to memory of 4764	4996	Pfjcgn32.exe	86
PID 4996 wrote to memory of 4764	4996	Pfjcgn32.exe	86
PID 4996 wrote to memory of 4764	4996	Pfjcgn32.exe	86
PID 4764 wrote to memory of 3936	4764	Pflplnlg.exe	87
PID 4764 wrote to memory of 3936	4764	Pflplnlg.exe	87
PID 4764 wrote to memory of 3936	4764	Pflplnlg.exe	87
PID 3936 wrote to memory of 4588	3936	Pjhlml32.exe	88
PID 3936 wrote to memory of 4588	3936	Pjhlml32.exe	88
PID 3936 wrote to memory of 4588	3936	Pjhlml32.exe	88
PID 4588 wrote to memory of 4276	4588	Pfolbmje.exe	89
PID 4588 wrote to memory of 4276	4588	Pfolbmje.exe	89
PID 4588 wrote to memory of 4276	4588	Pfolbmje.exe	89
PID 4276 wrote to memory of 4128	4276	Pqdqof32.exe	90
PID 4276 wrote to memory of 4128	4276	Pqdqof32.exe	90
PID 4276 wrote to memory of 4128	4276	Pqdqof32.exe	90
PID 4128 wrote to memory of 2132	4128	Pfaigm32.exe	91
PID 4128 wrote to memory of 2132	4128	Pfaigm32.exe	91
PID 4128 wrote to memory of 2132	4128	Pfaigm32.exe	91
PID 2132 wrote to memory of 3276	2132	Qdbiedpa.exe	92
PID 2132 wrote to memory of 3276	2132	Qdbiedpa.exe	92
PID 2132 wrote to memory of 3276	2132	Qdbiedpa.exe	92
PID 3276 wrote to memory of 1004	3276	Qmmnjfnl.exe	93
PID 3276 wrote to memory of 1004	3276	Qmmnjfnl.exe	93
PID 3276 wrote to memory of 1004	3276	Qmmnjfnl.exe	93
PID 1004 wrote to memory of 3384	1004	Qddfkd32.exe	94
PID 1004 wrote to memory of 3384	1004	Qddfkd32.exe	94
PID 1004 wrote to memory of 3384	1004	Qddfkd32.exe	94
PID 3384 wrote to memory of 3420	3384	Anmjcieo.exe	95
PID 3384 wrote to memory of 3420	3384	Anmjcieo.exe	95
PID 3384 wrote to memory of 3420	3384	Anmjcieo.exe	95
PID 3420 wrote to memory of 3180	3420	Afhohlbj.exe	96
PID 3420 wrote to memory of 3180	3420	Afhohlbj.exe	96
PID 3420 wrote to memory of 3180	3420	Afhohlbj.exe	96
PID 3180 wrote to memory of 660	3180	Aeiofcji.exe	97
PID 3180 wrote to memory of 660	3180	Aeiofcji.exe	97
PID 3180 wrote to memory of 660	3180	Aeiofcji.exe	97
PID 660 wrote to memory of 4828	660	Anadoi32.exe	98
PID 660 wrote to memory of 4828	660	Anadoi32.exe	98
PID 660 wrote to memory of 4828	660	Anadoi32.exe	98
PID 4828 wrote to memory of 3136	4828	Aqppkd32.exe	99
PID 4828 wrote to memory of 3136	4828	Aqppkd32.exe	99
PID 4828 wrote to memory of 3136	4828	Aqppkd32.exe	99
PID 3136 wrote to memory of 756	3136	Aabmqd32.exe	100
PID 3136 wrote to memory of 756	3136	Aabmqd32.exe	100
PID 3136 wrote to memory of 756	3136	Aabmqd32.exe	100
PID 756 wrote to memory of 3692	756	Ajkaii32.exe	101
PID 756 wrote to memory of 3692	756	Ajkaii32.exe	101
PID 756 wrote to memory of 3692	756	Ajkaii32.exe	101
PID 3692 wrote to memory of 3228	3692	Aepefb32.exe	102
PID 3692 wrote to memory of 3228	3692	Aepefb32.exe	102
PID 3692 wrote to memory of 3228	3692	Aepefb32.exe	102
PID 3228 wrote to memory of 2356	3228	Bmkjkd32.exe	103
PID 3228 wrote to memory of 2356	3228	Bmkjkd32.exe	103
PID 3228 wrote to memory of 2356	3228	Bmkjkd32.exe	103
PID 2356 wrote to memory of 3852	2356	Bfdodjhm.exe	104

C:\Users\Admin\AppData\Local\Temp\dcbd72e8b7f6b418960e2b4857c1d0aa62d264e0254bdd8b1adf631e10a49164.exe
"C:\Users\Admin\AppData\Local\Temp\dcbd72e8b7f6b418960e2b4857c1d0aa62d264e0254bdd8b1adf631e10a49164.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:464
- C:\Windows\SysWOW64\Pfhfan32.exe
  C:\Windows\system32\Pfhfan32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4520
- - C:\Windows\SysWOW64\Pdifoehl.exe
    C:\Windows\system32\Pdifoehl.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3516
  - - C:\Windows\SysWOW64\Pfjcgn32.exe
      C:\Windows\system32\Pfjcgn32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4996
    - - C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4764
      - C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3936
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4588
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4276
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4128
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2132
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3276
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1004
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3384
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3420
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3180
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:660
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4828
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3136
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:756
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3692
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3228
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2356
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3852
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5104
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:392
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1896
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:992
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1988
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2944
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:948
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1240
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2744
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5016
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4300
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4796
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1444
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5080
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2296
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1008
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3392
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3500
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3640
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2000
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3052
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1348
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2868
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:928
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4564
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4824
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4500
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        51⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3324
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3324 -s 396
        52⤵
        Program crash
        
        PID:3924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3324 -ip 3324
1⤵
PID:3748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aabmqd32.exe

Filesize
163KB

MD5
ec3deb1ab748c2c9dd08b264e557b2a8

SHA1
f80a47f5bd7cd90a6eb4543e406e26a9c9fa9da8

SHA256
e856f20bb172d3e612fa31049f196b21c8dde7bb7e7b7a7880ef96228bd966d2

SHA512
e3291070c62dcf52a54536210787027c7b74f7775d34d6fc87e907e852dd45e8a03cba4870da068712b537206f708b8487f938a723cb6da670bf5f27f4643bdd

Download Submit
C:\Windows\SysWOW64\Aeiofcji.exe

Filesize
163KB

MD5
1517c06279dcb9ea6c341a139e820255

SHA1
317265fcc1a6120f41c53faed9752da3fb3a9c2b

SHA256
7b0ac593bb223ddfacb0ed6ce63fe518600b88f15383369d155287354b7f4a88

SHA512
3170f31db8c546917f39d53ade387f8cdf163a7914073b07110dc8ab2f5e1c5b527620a88f9187c0f405b1b31de9e066225df5d139d26a837238387a57d3a1bd

Download Submit
C:\Windows\SysWOW64\Aepefb32.exe

Filesize
163KB

MD5
ede8dac1613e6ef8bcb3d0856f1b813b

SHA1
b47a6c7bb1a5f946c720c9a415c5a36fc1a2a36d

SHA256
df9420f6cab6642fdaf3ce00146acc63440a5d4c7960ea598c22ca3e6503aeba

SHA512
28bb0792d235549488418c6bf970a2a7942102a212e06c294bb751fd09b3fae54dd524c0cbd4896a69aacac5a46ac69bf1b6d288122114b96e54dff370255abb

Download Submit
C:\Windows\SysWOW64\Afhohlbj.exe

Filesize
163KB

MD5
bd62bedb32d2bb61910f2c4597166598

SHA1
c8ba72682910db9fe642faaea44e5a740c9621ce

SHA256
eb9bc7d3b08073f1abeae8a102ee10fd2ae52e6a2faebecfa3a032afb2d3819a

SHA512
4a778939eecaa0eb91979a31da50b5e0070fc7cfde10f3ac122b5c03075bd52c6d3e56a6b02c616dcbdc404bf32fef9be22119fbb5d447eb49daf653cf484a3f

Download Submit
C:\Windows\SysWOW64\Ajkaii32.exe

Filesize
163KB

MD5
d4deedcb4b792263c6940de3f21172c0

SHA1
f56fdaacf8eeb323adb86276b4a6345409022dd2

SHA256
c88c8a9bfdd5230d787cd460810a57eb2412bb5c05c9d94bb3b8e1fb2f1fbc4b

SHA512
d777a834381ab0263b9395ed45c76ac5b89aba2cbf5d4f050ca48065158d86d9c229c8d51f6a1fe642bc9ca2a39336fd8405a3d597983d09026b9def07713abd

Download Submit
C:\Windows\SysWOW64\Anadoi32.exe

Filesize
163KB

MD5
55faf14b7b51c355abd0d8eb7780b519

SHA1
412e4e2018009943c9c8b60d3bbcf819b5476f76

SHA256
e1bbd8eb155d77a3f5071e339cc958c533455f4b9ba111381b4b806d53c3ffb0

SHA512
7f51a19c9539463eb9888af1538ad2ffa656e645d6f1cd4b4aa19a2713290776fafc05f238cfe7d27bb6aa528bedd968b612532a48b18e6cd6d0d21a724591b0

Download Submit
C:\Windows\SysWOW64\Anmjcieo.exe

Filesize
163KB

MD5
f6f6876fa1c72a283e27d083568768ae

SHA1
2d49f675404d9adae3778e76295c2a9ecdc1f62d

SHA256
e7583a69dca94582e6e469c4cbff37fe89e578a4666e071a66cb7f626f65441c

SHA512
0ad04f0714e26d0ab0fc195476ca43b5ac5d6ed91f400bf1ef738a228d69fcd3141b6e51239894897cc03e6ab5e6f16bb969a61e31a7fc2ae2d044468c433946

Download Submit
C:\Windows\SysWOW64\Aqppkd32.exe

Filesize
163KB

MD5
2d957513f8a8dc4bf1740c12a97d0221

SHA1
126601651e629121b7ba5ed6afb6a2909abaa095

SHA256
c029faf650ab837caca265577bf3f0880fbf5725683ea211392b62bd1e933f12

SHA512
f4fbc10b207f0d1b8d70c2a2e2140314f376dfa79f02624e6f23a2476e7ec570b88218da6442950522e1801823f781e136bc3b9c5c6667031c015afdaf3083db

Download Submit
C:\Windows\SysWOW64\Bclhhnca.exe

Filesize
163KB

MD5
e6d4e3ea8271dc36d39f882fd70c80af

SHA1
9843015f00cc20a40f6dc13d818b31465633a6fb

SHA256
9d479f9faec24c473e5f0b3fc82381767c00b5c32c3f00353b5e384947e0f124

SHA512
1155401a686c13fb713400c60380dc973c8cfcfb9544302a4872fc1783e30ce0c8734052b1ef885245cbb5b3c5e09579eb7e5fe9fefddab75772907f28afec6a

Download Submit
C:\Windows\SysWOW64\Beeoaapl.exe

Filesize
163KB

MD5
f586ba19e4b7fb1f7125f689260a143a

SHA1
80ba26d0d1416734fa7c01e5b6a43ce4808c02c1

SHA256
d4e738a7ef387170f6a05a0d81ed4f3609cfe4dcd22120c716b62f9eb5dd321a

SHA512
3d731f1dce637c00009d5a11063acbac2743c82364bfb15cf6b4ac924677c382c57780203fc35563f89a2d6304175f96941fb1fc504270adb1044cfb74a42960

Download Submit
C:\Windows\SysWOW64\Bfdodjhm.exe

Filesize
163KB

MD5
be931a9604a13446e75b571ccb214f6a

SHA1
cf4020dc5c426f6da45ecc338b270943daebdc8a

SHA256
2682cc58c587391d1f0d8cc68bfbb8a64d9e9127dba3fe3c2a61bb77866cd9ea

SHA512
84c4bc7586f52babb660bb96b97918f0915013f5dc8f891a20d70a65052c9fec52d7d0f024ebe04e19cd3c869e14df5460e20d303494bb388aa438635deea116

Download Submit
C:\Windows\SysWOW64\Bfhhoi32.exe

Filesize
163KB

MD5
f30f79293a365ec3c7b233d729842d56

SHA1
829c0f889e63eeb2dee7be8224cb50f76c26c615

SHA256
a4db720de719d3f4da57d8f18dd3577c2ec38c0686fc8edfa261bf30ab365717

SHA512
fe7e56666dec34edd40fb7ba335a0f6edc957b382dc5744d89c1be658fc3022f221bf6e1b1db4d7665f4ace0bc7676a480ab5077380166d20d3c2b9b9c873840

Download Submit
C:\Windows\SysWOW64\Bgcknmop.exe

Filesize
163KB

MD5
7cb763e53d6a831ad3535aef1236ce2e

SHA1
a2b6ac420e5e2fc0eca5e36d9d770b75f1964a12

SHA256
eedc1e1dbff491ef5480de9847173ce709a4fced177a513c2aba8ebde84815cc

SHA512
9e8d1aea7f6fa76cab896f53b9ae17efa4d902cd71dcab7f0ab6e6bfade326175ded3a80bc5e6262c14a12126feeef297911ff53988db39368c290b1205ecbd4

Download Submit
C:\Windows\SysWOW64\Bmemac32.exe

Filesize
163KB

MD5
fe37ffcf9cc5983d95ca2cb620806271

SHA1
61b662177d1cc714aa0e3e8d6b087b65ec88c6ed

SHA256
fc1de91863e0a47fee81bb00d58bc96a167d053089b164269f1d3b498390a392

SHA512
6be9a87b86b5cdde0c2fbe12941710c14d8776d08eff088f75e1bb3d811b448ee519e36aa958af386c0557b18048b458612ab8bdd7ea42a6e448e96c7d65bbf9

Download Submit
C:\Windows\SysWOW64\Bmkjkd32.exe

Filesize
163KB

MD5
d8bf0e9141aaa11092d5f62d03365140

SHA1
fec9e827f663060d2dfff10da7b0203f1fee00ec

SHA256
d4a921f83cca5b174a4b2761509f7764c34770d7181b9eef04208cf2be574982

SHA512
87cf6eade239fe428f9eb7eaa0729024384a26d0b4f3fe893eece573204c6994c9e33d9e6c20b681072ec27b661b8c9764d54140a82bf40656e005d46c9d0de3

Download Submit
C:\Windows\SysWOW64\Cdabcm32.exe

Filesize
163KB

MD5
e33bef881dd5f0ab5d64120c97b57741

SHA1
9a354f6e0e0dc7f28cd974c5169a651e03f97711

SHA256
a8142d00c6433adeb5d3b42a0a6a586c8cf6665b2dcf84e1d663bd4c680c0297

SHA512
1daa71b55d532077564a2c508692a617bacafe10271618e6f9119f2f7d0d2abb758a23895417dabcff6e3f4929442c478080dcb8c55048f0a76348fb638e4bd9

Download Submit
C:\Windows\SysWOW64\Cfbkeh32.exe

Filesize
163KB

MD5
d6feadd506febe5440eec72437dced68

SHA1
c7ec3a62d7464d9585b1105cc62c4dfb5fd2281e

SHA256
cb991777511adfa5ef9c5e52207315a3bc68d25ec841ec05bdbd3205802075ec

SHA512
02bf1a43cae60ef7cb59c07215cdde60a9885ee182e14ccdbf9e0cf9aa368e33c29e6b4a2359156d85ee022c10c4ccc548cb239f60da90edf946872b90f14cf6

Download Submit
C:\Windows\SysWOW64\Cfmajipb.exe

Filesize
163KB

MD5
332ea67e538df26a609c4bb21581b5d6

SHA1
d37d286c1af4671f4cba6d3898f0c1b2e274451b

SHA256
d6797eb732a05ee9c10f3da7914a3d9229df634199054bbdbf376bfe124724dc

SHA512
b945edacfd03d3358afe494b9609fa8dbd82e2cdde9a10992ba369c974f346c496e27814aeaf497c8ea00bcf08187be29814a502bb8b5e9909f1d45317ec0bd7

Download Submit
C:\Windows\SysWOW64\Chagok32.exe

Filesize
163KB

MD5
d448f99dd2e27e526bb2be74e02ffb25

SHA1
06951cff1ad2e5f32e2f90cf22a6549420604759

SHA256
266084e13e0db80fedb4efa06824df4b662592b9e5e953a46b9015dbd280d4fc

SHA512
22b87c6bf384c81276dbf46d554b8dd2461d521cd6f5a3c2d7ff704ee9e201fa4fd9c75372b0450101db66ecb0bdd51e1d6e38d630f53c614dbf7b703b47bc18

Download Submit
C:\Windows\SysWOW64\Cmiflbel.exe

Filesize
163KB

MD5
abae07698ecfa1d9d4506081341ec952

SHA1
3ccfea3301b0fb96b2c91dca9b0f6638c021e7cc

SHA256
54af23fc57288a461d880b7b48b927876e5c089c3a7cc807a8a4c7f94e17fb40

SHA512
d79076b707d1f0bc7b79057de6c0c46968e2aba460fe5af8953d610dc8acf16cd70ec739432369ba19a6a44a24434c2bb7f05c76e4d2d548d29f08ff157f421d

Download Submit
C:\Windows\SysWOW64\Cmnpgb32.exe

Filesize
163KB

MD5
f267612d994bbabfcc7d1ec71b6512b4

SHA1
e8e0c7b68cf3ff71670f6cde3f447ea83faa5a65

SHA256
b8beb0043953b7e683442b65b8e4d1683d9805cbe141320db0e7e75de28cb978

SHA512
f626c8eeb122ef3234f2c3c6ab641b6b9b3d56de459cc525650ca71ba3a471e899717921f1b57151803a9ff468f0d592fc6ffd662e852797ff96aede612bf0e6

Download Submit
C:\Windows\SysWOW64\Pdifoehl.exe

Filesize
163KB

MD5
02c32a9c75e12306492ff7603f82c0ba

SHA1
db71b351ad3f583fa6ce1757cb940309f0b35242

SHA256
9a6bfd399507122909e2dd7fe70d24978fa2b894d81cc502c593dad1f008d4ab

SHA512
c7285625ece4426b1605cde246e316411132ab198a679ab9b4c4ed808d8f4e8a4d5888045705fd23c88780e1d3cc1a714ea87028e94ec83add9573f2a71e2a52

Download Submit
C:\Windows\SysWOW64\Pfaigm32.exe

Filesize
163KB

MD5
b0b2b192bff638662d243ee32c001bbe

SHA1
3635a079a179f9f8cf59718a3689472e1dfa1d20

SHA256
b5877383745c3c6a5d512a5c17a4367ce86472970cc13d6e858fab8c623b44f5

SHA512
71f278be8991f4c1b669303e968b0ad599706cd9899501c962940d7ed8cd22cf4525843753186266baf2ad0e2596676c3af926fe7702ed14938f752bec6c0742

Download Submit
C:\Windows\SysWOW64\Pfhfan32.exe

Filesize
163KB

MD5
b6c3d3ccc14938351bf625b654c57ddb

SHA1
89ed102b462fc011197e93a44fd62815c20abfff

SHA256
7a194538779ea98ede852588d979c804d0ac34b1f9232eb5fad3c673e9a7da44

SHA512
44968abd805add9406d76010ce37862e6297a8bee00a8629ad782988a7049e38e873e7a1f46ab5006fcc4522b7d48feaa49de9f07cd56fdc3136d3957baa9315

Download Submit
C:\Windows\SysWOW64\Pfjcgn32.exe

Filesize
163KB

MD5
7a73a655ece3b5bd21f16c9455bfc345

SHA1
defb4f86dee76da41b9a995da6f2aae6fd0b3cf3

SHA256
8695e89f03602876ba48483e51026a043d57032605a5a4dfc559e2f53249413d

SHA512
606b845b9efbe7f792f0db50367ae6c9116e59994fdaa417541561e46248fd42aea48380ad1c443490c5c5c3b3b5fb31ce76497befbcee1d529ef827ad3db035

Download Submit
C:\Windows\SysWOW64\Pflplnlg.exe

Filesize
163KB

MD5
ac9ea7ecd274991ba8224b9a5d5d9c01

SHA1
1c34105065b9924ce155f7cb356446f5a38142c9

SHA256
5950b9457d9d13385be8fe6585156124739d857a2b031b3d5b04df8e91661d6b

SHA512
664889f56c3652707bcecbe7ec026094aab340f44cb843e2dfe124f171f7036175b6781d26ea4829555256543b4c31583d21bbcdd6a5aefd407e44c6cb55baa8

Download Submit
C:\Windows\SysWOW64\Pfolbmje.exe

Filesize
163KB

MD5
600a5ce488c0d2ca6ba765ec89f9d414

SHA1
fe3cd29813988f586f6fb53f99c1c527b0f5a269

SHA256
098d340c9b8196aaf84ffc8f2fc131386cf7f017bc60b2f758dde49588c65990

SHA512
f1743508c8d2e5491ba222247f02d0b534e261a7ea417193918991424c6aa5145ca75f4cd5d063eae0b3f934b0f7cdc4712c477ecf28f51d3f861a4530f541c8

Download Submit
C:\Windows\SysWOW64\Pjhlml32.exe

Filesize
163KB

MD5
c9589a590a4d5c359d3a89d1e9d2f21e

SHA1
06b1b0f0ba33bf0a3b577b4a160a21ec4fd18f68

SHA256
7b0f29c4b28ef95ac4b94b3344a4e7c5e23861225d53527fc14db69e0226cc35

SHA512
932545ba1d97a06cef1689802f7d355ce0aa3c2176929e693a48c47d001672f41f8899e7232b9298b9b6e75d6773299f4009ff4b0a45d9341f90b189ab508ef7

Download Submit
C:\Windows\SysWOW64\Pqdqof32.exe

Filesize
163KB

MD5
6629c87609f599f689eb944bd4e7abe4

SHA1
a5501ef684a434d2b97b9ec6b46cad150772c5a6

SHA256
690fbecbb505f7d634c831b7753c5cd668a207ddbc79f2e19d3ae80726c7c7b6

SHA512
5378c9e0ac5324dc14c487234266076ad978fac9144317c472891cb5a4f12d839086c2bce8241f294597483170cd727612e7177fdda8a9c9466bae2207c5d6ea

Download Submit
C:\Windows\SysWOW64\Qdbiedpa.exe

Filesize
163KB

MD5
e5674096c3620ab073cb69319cad1c63

SHA1
fae1b841f6aa1b8f76401a328cd04ce8043e180f

SHA256
1e649bf1517a881a8aaf33267f5915fb1d9877143c6711db9706634410fc61be

SHA512
b371f6eac0d92bbcbe52de535d6c310e3780ea0e4d339726ca6692d77507e3e4b19f90192638719bf8db4e3948598c7ada62275514f625e1b0691f6d3c2577cd

Download Submit
C:\Windows\SysWOW64\Qddfkd32.exe

Filesize
163KB

MD5
e5094b634fe8bdcbb1bf7e388f1fa195

SHA1
098686da4ba2dc23385c6f58315762cd804bd85e

SHA256
a1207033276be001ce7d7dcb6a22b1409719e64282843ef40a05f14670cdb689

SHA512
3b9b9a796188e8636fe04d1249492c2db8243252899cc1e0ab315c43b8139d56bf1a6b3c88ae212cc977dc0ed5cc7ef2983eb70bacda121896dbbeed628a4427

Download Submit
C:\Windows\SysWOW64\Qmmnjfnl.exe

Filesize
163KB

MD5
6f12792b29da203b552ebaee490aca96

SHA1
1abbab3c92bd11b33cda634bd7b95d781e7f1f6b

SHA256
130934a0795571d90c746d03f9b50aa1744f1f7db633107dd999f611997dad01

SHA512
7713f60703b1d54d6a7e8d45cf1f85dc53f158da1ae0fb379522226c44fb30bc464f5a2c55b964559e6726a1020f2d7cc1923334270f73ca6f080502b1717d44

Download Submit
memory/392-416-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/392-192-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/464-0-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/464-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/660-120-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/660-434-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/756-428-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/756-144-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/928-338-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/928-372-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/948-406-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/948-232-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/992-209-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/992-412-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1004-442-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1004-89-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1008-388-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1008-297-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1240-404-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1240-240-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1348-326-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1348-376-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1444-394-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1444-275-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1896-200-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1896-414-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1988-217-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1988-410-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2000-315-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2000-380-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2132-446-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2132-73-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2296-390-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2296-291-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2356-169-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2356-422-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2744-248-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2744-402-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2868-332-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2868-374-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2944-408-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2944-225-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3052-378-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3136-430-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3136-136-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3180-112-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3180-436-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3228-160-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3228-424-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3276-444-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3276-80-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3324-365-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3324-362-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3384-97-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3384-440-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3392-386-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3420-104-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3420-438-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3500-384-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3516-17-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3640-309-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3640-382-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3692-152-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3692-426-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3852-420-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3852-181-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3936-40-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3936-454-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4128-448-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4128-65-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4276-57-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4276-450-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4300-398-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4300-263-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4500-366-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4500-356-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4520-8-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4564-370-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4564-344-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4588-48-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4588-452-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4764-33-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4764-456-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4796-269-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4796-396-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4824-350-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4824-368-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4828-432-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4828-128-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4996-24-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5016-400-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5016-257-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5080-392-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5080-285-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5104-184-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5104-418-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download