berbew | aea503ef7ca25be865be19bd51d7d3a62294f949a17cf5f4f98d802e96476cbd

Analysis

max time kernel
95s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27-11-2024 14:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aea503ef7ca25be865be19bd51d7d3a62294f949a17cf5f4f98d802e96476cbdN.exe
Size

93KB
MD5

795f948b48514195d516e39e38e44e40
SHA1

44c810ea55ee24cb205557059f90410018d8d931
SHA256

aea503ef7ca25be865be19bd51d7d3a62294f949a17cf5f4f98d802e96476cbd
SHA512

18c009750a8cbb7ff00792e493d3976c78416d7707e0c57d75df29b17d4ccd5789186e5f841a910e9665ae49c83a1bc3be03edf0e6de693ba12e1bf8758c78e2
SSDEEP

1536:ZnQcOY6qHHesG0GgSiKoOlrGGJ1DaYfMZRWuLsV+1Z:pj1zeZ0I/lpJgYfc0DV+1Z

Score

10^/10

berbew njrat backdoor discovery persistence trojan

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Bmbplc32.exeDdjejl32.exeDhkjej32.exeBmemac32.exeChjaol32.exeCmqmma32.exeDhhnpjmh.exeDobfld32.exeDaqbip32.exeDmgbnq32.exeBcjlcn32.exeCfdhkhjj.exeDfiafg32.exeDkifae32.exeDdakjkqi.exeBfhhoi32.exeCnicfe32.exeCjbpaf32.exeDhmgki32.exeBelebq32.exeDanecp32.exeCenahpha.exeDddhpjof.exeCjkjpgfi.exeaea503ef7ca25be865be19bd51d7d3a62294f949a17cf5f4f98d802e96476cbdN.exeCndikf32.exeChmndlge.exeCdcoim32.exeCajlhqjp.exeDgbdlf32.exeDeagdn32.exeCagobalc.exeChcddk32.exeDogogcpo.exeBjfaeh32.exeDmjocp32.exeCmiflbel.exeBclhhnca.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcjlcn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	aea503ef7ca25be865be19bd51d7d3a62294f949a17cf5f4f98d802e96476cbdN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	aea503ef7ca25be865be19bd51d7d3a62294f949a17cf5f4f98d802e96476cbdN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmemac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cenahpha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Belebq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew
Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 39 IoCs

Processes:

Bcjlcn32.exeBfhhoi32.exeBmbplc32.exeBclhhnca.exeBjfaeh32.exeBmemac32.exeBelebq32.exeChjaol32.exeCndikf32.exeCenahpha.exeChmndlge.exeCjkjpgfi.exeCmiflbel.exeCdcoim32.exeCnicfe32.exeCagobalc.exeCfdhkhjj.exeCajlhqjp.exeChcddk32.exeCjbpaf32.exeCmqmma32.exeDdjejl32.exeDfiafg32.exeDanecp32.exeDhhnpjmh.exeDobfld32.exeDaqbip32.exeDhkjej32.exeDkifae32.exeDmgbnq32.exeDdakjkqi.exeDhmgki32.exeDogogcpo.exeDmjocp32.exeDeagdn32.exeDddhpjof.exeDgbdlf32.exeDknpmdfc.exeDmllipeg.exe

pid	Process
1560	Bcjlcn32.exe
4404	Bfhhoi32.exe
3376	Bmbplc32.exe
3256	Bclhhnca.exe
4732	Bjfaeh32.exe
1780	Bmemac32.exe
1812	Belebq32.exe
4524	Chjaol32.exe
4708	Cndikf32.exe
1800	Cenahpha.exe
4896	Chmndlge.exe
2364	Cjkjpgfi.exe
4836	Cmiflbel.exe
4088	Cdcoim32.exe
2056	Cnicfe32.exe
4864	Cagobalc.exe
792	Cfdhkhjj.exe
4328	Cajlhqjp.exe
4924	Chcddk32.exe
4056	Cjbpaf32.exe
2908	Cmqmma32.exe
4624	Ddjejl32.exe
1808	Dfiafg32.exe
5008	Danecp32.exe
1216	Dhhnpjmh.exe
904	Dobfld32.exe
920	Daqbip32.exe
4920	Dhkjej32.exe
4936	Dkifae32.exe
2184	Dmgbnq32.exe
388	Ddakjkqi.exe
2820	Dhmgki32.exe
3900	Dogogcpo.exe
3500	Dmjocp32.exe
2796	Deagdn32.exe
2724	Dddhpjof.exe
4284	Dgbdlf32.exe
3624	Dknpmdfc.exe
1340	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

Processes:

Bmbplc32.exeCjbpaf32.exeDkifae32.exeDddhpjof.exeCajlhqjp.exeDmgbnq32.exeDeagdn32.exeaea503ef7ca25be865be19bd51d7d3a62294f949a17cf5f4f98d802e96476cbdN.exeCenahpha.exeCdcoim32.exeDanecp32.exeDhmgki32.exeDmjocp32.exeCmiflbel.exeCagobalc.exeDfiafg32.exeDhhnpjmh.exeDogogcpo.exeCnicfe32.exeDobfld32.exeChcddk32.exeDgbdlf32.exeBelebq32.exeDaqbip32.exeCndikf32.exeChmndlge.exeCjkjpgfi.exeDknpmdfc.exeDdjejl32.exeBcjlcn32.exeBclhhnca.exeDhkjej32.exeChjaol32.exe

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Bclhhnca.exe	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Cmqmma32.exe	Cjbpaf32.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe
File opened for modification	C:\Windows\SysWOW64\Chcddk32.exe	Cajlhqjp.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Bcjlcn32.exe	aea503ef7ca25be865be19bd51d7d3a62294f949a17cf5f4f98d802e96476cbdN.exe
File created	C:\Windows\SysWOW64\Chmndlge.exe	Cenahpha.exe
File opened for modification	C:\Windows\SysWOW64\Cnicfe32.exe	Cdcoim32.exe
File opened for modification	C:\Windows\SysWOW64\Cmqmma32.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Dhhnpjmh.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Bclhhnca.exe	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Cdcoim32.exe	Cmiflbel.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Cfdhkhjj.exe	Cagobalc.exe
File opened for modification	C:\Windows\SysWOW64\Danecp32.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Alcidkmm.dll	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Cagobalc.exe	Cnicfe32.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Cfdhkhjj.exe	Cagobalc.exe
File created	C:\Windows\SysWOW64\Jgilhm32.dll	Chcddk32.exe
File created	C:\Windows\SysWOW64\Hjjdjk32.dll	aea503ef7ca25be865be19bd51d7d3a62294f949a17cf5f4f98d802e96476cbdN.exe
File created	C:\Windows\SysWOW64\Agjbpg32.dll	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Jjlogcip.dll	Bmbplc32.exe
File opened for modification	C:\Windows\SysWOW64\Chjaol32.exe	Belebq32.exe
File created	C:\Windows\SysWOW64\Chcddk32.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Bcjlcn32.exe	aea503ef7ca25be865be19bd51d7d3a62294f949a17cf5f4f98d802e96476cbdN.exe
File opened for modification	C:\Windows\SysWOW64\Cenahpha.exe	Cndikf32.exe
File opened for modification	C:\Windows\SysWOW64\Cjkjpgfi.exe	Chmndlge.exe
File created	C:\Windows\SysWOW64\Bbloam32.dll	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Cjbpaf32.exe	Chcddk32.exe
File created	C:\Windows\SysWOW64\Okgoadbf.dll	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Dfiafg32.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Kofpij32.dll	Bcjlcn32.exe
File created	C:\Windows\SysWOW64\Echdno32.dll	Cnicfe32.exe
File opened for modification	C:\Windows\SysWOW64\Dfiafg32.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Jfihel32.dll	Belebq32.exe
File created	C:\Windows\SysWOW64\Bilonkon.dll	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Nbgngp32.dll	Danecp32.exe
File created	C:\Windows\SysWOW64\Jdipdgch.dll	Dobfld32.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Dkifae32.exe
File opened for modification	C:\Windows\SysWOW64\Bjfaeh32.exe	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Ndhkdnkh.dll	Bclhhnca.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	Dhkjej32.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Bjfaeh32.exe	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Cndikf32.exe	Chjaol32.exe
File opened for modification	C:\Windows\SysWOW64\Cdcoim32.exe	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Dobfld32.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Bfhhoi32.exe	Bcjlcn32.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process	procid_target
2960	1340	WerFault.exe	121

System Location Discovery: System Language Discovery 1 TTPs 40 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Cdcoim32.exeDdakjkqi.exeDeagdn32.exeDhmgki32.exeBcjlcn32.exeChjaol32.exeCajlhqjp.exeCjbpaf32.exeDhhnpjmh.exeDanecp32.exeDmgbnq32.exeBmbplc32.exeCfdhkhjj.exeChcddk32.exeCmqmma32.exeDdjejl32.exeCndikf32.exeCjkjpgfi.exeCmiflbel.exeDmjocp32.exeDmllipeg.exeBclhhnca.exeDkifae32.exeDddhpjof.exeDknpmdfc.exeaea503ef7ca25be865be19bd51d7d3a62294f949a17cf5f4f98d802e96476cbdN.exeChmndlge.exeCagobalc.exeDobfld32.exeDogogcpo.exeDhkjej32.exeDgbdlf32.exeBfhhoi32.exeBelebq32.exeCnicfe32.exeDfiafg32.exeDaqbip32.exeBjfaeh32.exeBmemac32.exeCenahpha.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aea503ef7ca25be865be19bd51d7d3a62294f949a17cf5f4f98d802e96476cbdN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe

Modifies registry class 64 IoCs

Processes:

Belebq32.exeDdjejl32.exeDkifae32.exeBcjlcn32.exeaea503ef7ca25be865be19bd51d7d3a62294f949a17cf5f4f98d802e96476cbdN.exeCagobalc.exeDmjocp32.exeBclhhnca.exeChjaol32.exeCjkjpgfi.exeChcddk32.exeCjbpaf32.exeDhkjej32.exeDogogcpo.exeBmbplc32.exeCnicfe32.exeCmqmma32.exeCndikf32.exeDgbdlf32.exeCenahpha.exeDmgbnq32.exeBmemac32.exeDhmgki32.exeDddhpjof.exeDhhnpjmh.exeBfhhoi32.exeChmndlge.exeDeagdn32.exeCdcoim32.exeDfiafg32.exeDobfld32.exeDaqbip32.exeDanecp32.exeCfdhkhjj.exeDknpmdfc.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfihel32.dll"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcjlcn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	aea503ef7ca25be865be19bd51d7d3a62294f949a17cf5f4f98d802e96476cbdN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndhkdnkh.dll"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chjaol32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgilhm32.dll"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chcddk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdheac32.dll"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kofpij32.dll"	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoglcqao.dll"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echdno32.dll"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okgoadbf.dll"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gallfmbn.dll"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqjamcpe.dll"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cenahpha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omocan32.dll"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmemac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chjaol32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbloam32.dll"	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	aea503ef7ca25be865be19bd51d7d3a62294f949a17cf5f4f98d802e96476cbdN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcnha32.dll"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghilmi32.dll"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

aea503ef7ca25be865be19bd51d7d3a62294f949a17cf5f4f98d802e96476cbdN.exeBcjlcn32.exeBfhhoi32.exeBmbplc32.exeBclhhnca.exeBjfaeh32.exeBmemac32.exeBelebq32.exeChjaol32.exeCndikf32.exeCenahpha.exeChmndlge.exeCjkjpgfi.exeCmiflbel.exeCdcoim32.exeCnicfe32.exeCagobalc.exeCfdhkhjj.exeCajlhqjp.exeChcddk32.exeCjbpaf32.exeCmqmma32.exe

description	pid	Process	procid_target
PID 3284 wrote to memory of 1560	3284	aea503ef7ca25be865be19bd51d7d3a62294f949a17cf5f4f98d802e96476cbdN.exe	83
PID 3284 wrote to memory of 1560	3284	aea503ef7ca25be865be19bd51d7d3a62294f949a17cf5f4f98d802e96476cbdN.exe	83
PID 3284 wrote to memory of 1560	3284	aea503ef7ca25be865be19bd51d7d3a62294f949a17cf5f4f98d802e96476cbdN.exe	83
PID 1560 wrote to memory of 4404	1560	Bcjlcn32.exe	84
PID 1560 wrote to memory of 4404	1560	Bcjlcn32.exe	84
PID 1560 wrote to memory of 4404	1560	Bcjlcn32.exe	84
PID 4404 wrote to memory of 3376	4404	Bfhhoi32.exe	85
PID 4404 wrote to memory of 3376	4404	Bfhhoi32.exe	85
PID 4404 wrote to memory of 3376	4404	Bfhhoi32.exe	85
PID 3376 wrote to memory of 3256	3376	Bmbplc32.exe	86
PID 3376 wrote to memory of 3256	3376	Bmbplc32.exe	86
PID 3376 wrote to memory of 3256	3376	Bmbplc32.exe	86
PID 3256 wrote to memory of 4732	3256	Bclhhnca.exe	87
PID 3256 wrote to memory of 4732	3256	Bclhhnca.exe	87
PID 3256 wrote to memory of 4732	3256	Bclhhnca.exe	87
PID 4732 wrote to memory of 1780	4732	Bjfaeh32.exe	88
PID 4732 wrote to memory of 1780	4732	Bjfaeh32.exe	88
PID 4732 wrote to memory of 1780	4732	Bjfaeh32.exe	88
PID 1780 wrote to memory of 1812	1780	Bmemac32.exe	89
PID 1780 wrote to memory of 1812	1780	Bmemac32.exe	89
PID 1780 wrote to memory of 1812	1780	Bmemac32.exe	89
PID 1812 wrote to memory of 4524	1812	Belebq32.exe	90
PID 1812 wrote to memory of 4524	1812	Belebq32.exe	90
PID 1812 wrote to memory of 4524	1812	Belebq32.exe	90
PID 4524 wrote to memory of 4708	4524	Chjaol32.exe	91
PID 4524 wrote to memory of 4708	4524	Chjaol32.exe	91
PID 4524 wrote to memory of 4708	4524	Chjaol32.exe	91
PID 4708 wrote to memory of 1800	4708	Cndikf32.exe	92
PID 4708 wrote to memory of 1800	4708	Cndikf32.exe	92
PID 4708 wrote to memory of 1800	4708	Cndikf32.exe	92
PID 1800 wrote to memory of 4896	1800	Cenahpha.exe	93
PID 1800 wrote to memory of 4896	1800	Cenahpha.exe	93
PID 1800 wrote to memory of 4896	1800	Cenahpha.exe	93
PID 4896 wrote to memory of 2364	4896	Chmndlge.exe	94
PID 4896 wrote to memory of 2364	4896	Chmndlge.exe	94
PID 4896 wrote to memory of 2364	4896	Chmndlge.exe	94
PID 2364 wrote to memory of 4836	2364	Cjkjpgfi.exe	95
PID 2364 wrote to memory of 4836	2364	Cjkjpgfi.exe	95
PID 2364 wrote to memory of 4836	2364	Cjkjpgfi.exe	95
PID 4836 wrote to memory of 4088	4836	Cmiflbel.exe	96
PID 4836 wrote to memory of 4088	4836	Cmiflbel.exe	96
PID 4836 wrote to memory of 4088	4836	Cmiflbel.exe	96
PID 4088 wrote to memory of 2056	4088	Cdcoim32.exe	97
PID 4088 wrote to memory of 2056	4088	Cdcoim32.exe	97
PID 4088 wrote to memory of 2056	4088	Cdcoim32.exe	97
PID 2056 wrote to memory of 4864	2056	Cnicfe32.exe	98
PID 2056 wrote to memory of 4864	2056	Cnicfe32.exe	98
PID 2056 wrote to memory of 4864	2056	Cnicfe32.exe	98
PID 4864 wrote to memory of 792	4864	Cagobalc.exe	99
PID 4864 wrote to memory of 792	4864	Cagobalc.exe	99
PID 4864 wrote to memory of 792	4864	Cagobalc.exe	99
PID 792 wrote to memory of 4328	792	Cfdhkhjj.exe	100
PID 792 wrote to memory of 4328	792	Cfdhkhjj.exe	100
PID 792 wrote to memory of 4328	792	Cfdhkhjj.exe	100
PID 4328 wrote to memory of 4924	4328	Cajlhqjp.exe	101
PID 4328 wrote to memory of 4924	4328	Cajlhqjp.exe	101
PID 4328 wrote to memory of 4924	4328	Cajlhqjp.exe	101
PID 4924 wrote to memory of 4056	4924	Chcddk32.exe	102
PID 4924 wrote to memory of 4056	4924	Chcddk32.exe	102
PID 4924 wrote to memory of 4056	4924	Chcddk32.exe	102
PID 4056 wrote to memory of 2908	4056	Cjbpaf32.exe	103
PID 4056 wrote to memory of 2908	4056	Cjbpaf32.exe	103
PID 4056 wrote to memory of 2908	4056	Cjbpaf32.exe	103
PID 2908 wrote to memory of 4624	2908	Cmqmma32.exe	104

C:\Users\Admin\AppData\Local\Temp\aea503ef7ca25be865be19bd51d7d3a62294f949a17cf5f4f98d802e96476cbdN.exe
"C:\Users\Admin\AppData\Local\Temp\aea503ef7ca25be865be19bd51d7d3a62294f949a17cf5f4f98d802e96476cbdN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3284
- C:\Windows\SysWOW64\Bcjlcn32.exe
  C:\Windows\system32\Bcjlcn32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1560
- - C:\Windows\SysWOW64\Bfhhoi32.exe
    C:\Windows\system32\Bfhhoi32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4404
  - - C:\Windows\SysWOW64\Bmbplc32.exe
      C:\Windows\system32\Bmbplc32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3376
    - - C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3256
      - C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4732
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1780
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1812
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4524
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4708
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1800
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4896
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2364
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4836
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4088
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2056
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4864
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:792
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4328
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4924
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4056
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2908
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4624
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1808
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5008
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1216
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:904
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:920
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4920
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4936
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2184
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:388
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2820
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3900
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3500
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2796
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2724
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4284
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3624
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1340
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1340 -s 404
        41⤵
        Program crash
        
        PID:2960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1340 -ip 1340
1⤵
PID:1272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bcjlcn32.exe

Filesize
93KB

MD5
be848275896060bcd2b873ac85a8f344

SHA1
db6ce331dc107a3762fefa6a054a5f851a21daa9

SHA256
f764b0433b6d8c9f4f58dbd3c2e604a76618f60d3d70267d7ea5ff6591682310

SHA512
24b1ecb06e84e34b589735ab2f17202621ceb6d52b9c8e88348e65a35999340cd44f1df567f0a5837c01efd88250594c8f29b8e08d79e8fbb04626c789102a0b

Download Submit
C:\Windows\SysWOW64\Bclhhnca.exe

Filesize
93KB

MD5
cc5aecb1f3d5f9b3f7821ae71d864655

SHA1
2b43d1cf4bf47487d77bfe5bb7f4fcb83f5c78e4

SHA256
2fa0097bf806f0d9820bbac737a4638612c66f9885a3b9e7f32103b5f4c8a0aa

SHA512
5a2c435b3dcf075ce993abe962ef8ef48e833d13f3b75fd465e97944941362a2323f4c6919caf6cf1e7a3d77ee04c74174437efec107d5363c3b9fb82cc0ae61

Download Submit
C:\Windows\SysWOW64\Belebq32.exe

Filesize
93KB

MD5
84f7480d2b4169ffb7ec3dc239b3cacc

SHA1
834fa05c9414fbc788f9d75422dde1a853071745

SHA256
452d2d21b9220011cb68fd74283e7c8225bff37201320d236726580c5c4d5449

SHA512
97c960cc6e9b43fb962251fb7c9b529cf3399e3aac83b3e20e2117279817582c9a3284927641bd5967950ba09a0062dc9932980084687147bbb45becae533dec

Download Submit
C:\Windows\SysWOW64\Bfhhoi32.exe

Filesize
93KB

MD5
b05cde4faf2859fa4c8021fbc9c4544d

SHA1
a0363c39bfa65223a93c6042f3ea659f8d3acd43

SHA256
a3793b8b114da80450d1e7a29f93136e9af35817c585257a784a5fddc09c3ce0

SHA512
e6b97cae5bb43fa7923f32ef7759517fc5c911c462cf9378a855c1686802dae5fcbb013cde7a6163a7824c0fb87c805b2320f8804d565847fec920588f8d7cee

Download Submit
C:\Windows\SysWOW64\Bjfaeh32.exe

Filesize
93KB

MD5
7d9ed0775842f59375031e7e43fa229d

SHA1
2d544f14b5d299cc7a71d6e90f323b90a19265d6

SHA256
7659e8557910e3f536eb616910272177f003569f9369bf4c1b5723bd42ac9f3e

SHA512
69fb27f1cc4047fe41a61b374f6ec1e4cb7237c028b810b63123f4132480343e4015f365024510e10d750a31b8152ea08ec6404afa3fb50b1b9ffe97f9561bd3

Download Submit
C:\Windows\SysWOW64\Bmbplc32.exe

Filesize
93KB

MD5
f6a36c750b012e932bb9ce605cff0613

SHA1
771dc46be61d2f939f548685ea5e1cbdb6038ca9

SHA256
5a8c05de84f362e6d53afe3fc0f9290627b7f9145f38676fad6df7989da033a0

SHA512
499e73f2e63f86c1b4b457d94038fe09466fe01b37bb3457db2c538a5be4501ca163556193cb80cc62352a5aa3b5df77d4eded4ecfcb86ad858405a7c5111e4d

Download Submit
C:\Windows\SysWOW64\Bmemac32.exe

Filesize
93KB

MD5
75f9c5f2a254978c888510dc7ffa77a9

SHA1
a14b0ca1a5455a571c458bda60bf542643780f45

SHA256
2e1a226b6d0cd812a44ae7ebb15801efbdbe94f0ee8f8bc3d0f4745a1c8e5bc8

SHA512
26dbddd107558e03e06ecb687d4a003377e98d2282ff30ac429c1d9146152c94f5298a4dd457147bc242059057eaed933611b598df51238fadc02db52a8b72ee

Download Submit
C:\Windows\SysWOW64\Cagobalc.exe

Filesize
93KB

MD5
b28079b625a667e5d786a7d26f316d0c

SHA1
923de1d3c2c7250e9f290409407260ea2b2cf648

SHA256
033f1158b70febf97c53f503b1cba168f12bb91e4d5decd42fe8b9884693dc26

SHA512
dbf7cd6d5abce8adbc0d4f75b48e9a71c2e122b9f597edbb37a79459909069151b58723e388cc2f2a537739264313422d39ffc59efcebbd3656cac090990faa9

Download Submit
C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
93KB

MD5
12b9fa6ed466cebc6591f0b9ec762ddb

SHA1
50cce97fcf98e633e02a7a9825939f56609e8c1f

SHA256
4b6ccedc4af4b37b58ec737a969f9faace5d22b8fef5cc0d4ba985c9233c5ed3

SHA512
8128688e24e24f6a32c6e605d3dfdee7b68e50e9290d689afcf84c1935fe0f48d985f66a88371fc2acdf690048a163e9d557fa8ed8f52efaa885442e4266d272

Download Submit
C:\Windows\SysWOW64\Cdcoim32.exe

Filesize
93KB

MD5
879282c140449364923f5272da854d1e

SHA1
583e6fb8ac1f4e9d7cc7fda5293bc196ca0b94df

SHA256
a6c10bb08ac6fac7dbad88cea742a6aa8464433bf5aa0173ff14d28735b1bfa2

SHA512
5eabfac8144a35c64e818d3c5d3fdd8cbe1bc00eb2152c21f3a29cc48033dc910c1b0ef56f9450540f6a542ba0e3e5106a0c89670bfd42ea81de6a05ccd88bdb

Download Submit
C:\Windows\SysWOW64\Cenahpha.exe

Filesize
93KB

MD5
3fdcdecd2397292761dccdb2921ee086

SHA1
5a675144a0105116f4df37014475b1c21e23f8f1

SHA256
6c61094ac42d1a343416b0f227bcd622ea8bf68fa612389db5e0e9b97df360f6

SHA512
48ab79f5377786af66d1420af6a7d2bb069327d652b14bdef452750fd87e2537670577c3287e2e23a95a1903cf2fcf9ac4ab86391b91bc31fa3357930183cb56

Download Submit
C:\Windows\SysWOW64\Cfdhkhjj.exe

Filesize
93KB

MD5
1bb1d5040854d43e54de37b60b04faaa

SHA1
c4ca73fe0c035c97354baba3cb58815dc9160406

SHA256
9cab0ad8e7ce5bb5536fa43b79ba4fada9291fe0f677afff7919ee85224df573

SHA512
fd2de1ef2ad92565e5936ca99ab2f65fe18f742cd6d33e6d9fa631316d12ae2213ae04e36050a5265ee42beeb87891e1570a6cfaa8598719e2cc4289b0b234a3

Download Submit
C:\Windows\SysWOW64\Chcddk32.exe

Filesize
93KB

MD5
898174da3eb4b18b308e33af62966453

SHA1
7eea911bdcb686db774de3ca61ab8c514e42f524

SHA256
6cb62db86a7f39482523945762270124c988950b213c45bd69e32ad3077f1dec

SHA512
c29090fa29f56c8fdae44f973ae9993b9084c889b538e8ccc51456c0bfcd49f7504735439d652999e5918915c4f201bef29f0cac8ffed83aa69428ecdeb84457

Download Submit
C:\Windows\SysWOW64\Chjaol32.exe

Filesize
93KB

MD5
66d2892d72b31c24b57069950fb77dbf

SHA1
40951003b31ce851fb56e6007858c6b062ef30d3

SHA256
9c2eae342e03787ecb44c2c8cffcfe900c44fd08af95b7d6caea5574165bb627

SHA512
422e7327e437f7875931c7bc29a0bafcfeb9be960cc4a93b22bf3ca384042821917a4e9480d62314aada4a89f69ca825e6faabf20ffe2e0fb9e7c2cf976a8e3f

Download Submit
C:\Windows\SysWOW64\Chmndlge.exe

Filesize
93KB

MD5
782544ab0d378f4786582c8622377357

SHA1
2814583b9f0dc99adee09949484f6266b655e6c6

SHA256
80c63abc27d149520a05549e61e4be4bcc2a268c9edbbd7ef43658f8a5ff38ff

SHA512
01d381b7c2d3f2865726417b924aea70dd3ad37bc2cd209cc7634607b9cbb5bb3c242ec1680ca03926bc87914489668df2b94af6437f10ce29c66ac09039db4e

Download Submit
C:\Windows\SysWOW64\Cjbpaf32.exe

Filesize
93KB

MD5
a3baa6f34594efeb77558d22069dbddb

SHA1
e965d1417e099de2e59534280f725ef9e3ac2e39

SHA256
8870a876fb7f357508c70890af433853ecccc4f0f773d27ca5c3254f08e5e5e0

SHA512
3be06cf0b0393821587f71e85f40386a82ff6fa8691cfde726bbd744bae50cad5b743c1788307a24c8346459832e9b3e4cfb14f86b0b42361b056946f5e51244

Download Submit
C:\Windows\SysWOW64\Cjkjpgfi.exe

Filesize
93KB

MD5
d025605ce1612c254b711276b89277fe

SHA1
9e11d63226a2330b863335bd571f3cbf955fbd42

SHA256
93967603aa564616188caa3330a381485521cb69773402c9cf753c340fb5b25f

SHA512
b74f0f188a418f5601abff195c6beca3f044dbbb771a8cc9dd23104f75a8fd69d386bd1cd83e1591829b6d195c5b6fb7ae655a60baad0337ec04732f939cf520

Download Submit
C:\Windows\SysWOW64\Cmiflbel.exe

Filesize
93KB

MD5
09c675e1e953b87f69ea3ba10128199a

SHA1
960ff53276ff1cdd5fe90ab91ac92f5ceba99660

SHA256
2b7c4bb661a379c24202857bfd59592a3bb56af3e7e995c3e8539ec17a4b7db9

SHA512
38c94705458c3da775716ed068fc73b17a34781a7327f00af69511745f83225ab7e84c38fef1d3c864110107980db3b7c29d189f72c19f2d7b414e7e46037837

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
93KB

MD5
afe59f514c1f54f5d5cf276ce0530325

SHA1
25ea18405915ec7d19ec680d7c7b3d0c4ed0d638

SHA256
084943f537c651bec49f51efc5ae5a7f8f3ccd6d3fb151e57a5a9ce7bab7f067

SHA512
4294d8f5aed2e53639fdf5b194f66c12ca00194f90f6cd3055ef06fc768057c0c7915891da20781e96d9bd175d6baf93a5784ae8e817b6f4f042dca5bce8a2b9

Download Submit
C:\Windows\SysWOW64\Cndikf32.exe

Filesize
93KB

MD5
a43aea7f879b7af19470906fcff053ad

SHA1
412ed4fef8b5e3aefa51a38cf5dc38c4f1eeeec2

SHA256
e4ee277055bc3cc4e6ce395ea1837b0f9b8b648eb1df76977c08210a205c9810

SHA512
1ae3d2ca6a8315e0dbb3073275b286e7ec93cb9687d59e58490ee9b3ad36f401e41ea936c3a36e91bd80f64f205d07d3040380f59f8ff2175ceb988b89202d53

Download Submit
C:\Windows\SysWOW64\Cnicfe32.exe

Filesize
93KB

MD5
99322be01d77687563481edccadc8b5a

SHA1
3d3c7a490ea8de9b736ad9e33f276ed83037c0bd

SHA256
b5669fdd67499cd880d99aac805a71041af6ecdd19bd5813cf4a21555876caad

SHA512
442f89bead2da80d3be0325b865c62df19cb684a07cc0887de6c99f837eb3e658f1900e77703931ad7e51be8bcc9897c0ba4a518366e5d780c90afd42fa1a3e7

Download Submit
C:\Windows\SysWOW64\Danecp32.exe

Filesize
93KB

MD5
691723ea01a75bd67b0a0c5cd9e83e37

SHA1
7a8351ad32ba316db5f6c1a305b7c01960e7763a

SHA256
990921941f7b3a12d366badef37cf8bfd61453bfaa620a2c903091042b2bccc9

SHA512
762a6a80deb7e79e6ddcee96a4d6e48a2c3b3fd33a54e2698a25ed0b0689b92616e01bae8d4856743d2e3bf61b4b987008d0f4f0425325132a9f13c8ead39ab8

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
93KB

MD5
bc8c3e4db0d91a28eb8808ac420803d8

SHA1
2de68e6088d2a8cb33355e7a9ce6ca7ab5a5cf39

SHA256
010b6be8c19166f6d98d3e668ed538541df70df7ee2de5beeffd83626d9cf455

SHA512
bbdf8cd4c6efe70a5ad8420471afae6411dc6460844a4b87b6ccbda7975c16570be51d45d5c2319f9313ca0195f111b922ce75fb04b2c5b38a165b1abbe691f0

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
93KB

MD5
ee220e30ccb5f542404d4c07b0d4dd1e

SHA1
d2312d1e4e4bc711a1be941f5afb19138994cb99

SHA256
74a040da64e0c407d14a5be1ede18c821f50bc5e116c73563711669a36f278a7

SHA512
bf1c5a8837d8f1f7cddd293cd0588e921709e98a391621201581325eebff80ac43317210ba485c5fb87080ae5c9ef38d91ca0b19189b1a7435bce75f71ae0671

Download Submit
C:\Windows\SysWOW64\Ddjejl32.exe

Filesize
93KB

MD5
57342f5dc11ad35f16f959b33337e776

SHA1
7c36ea91ac79b4fec6ada620e9e1c4788cccd24d

SHA256
40efad2afbfbdceadec21c2f247980bbacbabf6a5c7f81412ef93118a1852b97

SHA512
4c4a3cc4de7cdb07c5204597796204d62a0c6876d75e44155655e074a1d394e9c3f2bf5af020748138ce211c546d5918e766e860ab5398d61584575e2098c844

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
93KB

MD5
a0480a64dd4e924dc714d86cfae30618

SHA1
d6fca5a7efe9a6de70437ab4c66c0361250736de

SHA256
4eacbb5cdd2f510c54ff977b54c5d40c28de9ec4a5e72d227140e2a44e6772a2

SHA512
70d1bade6f8df2e702c617e0caafc018cfc2d06aa51282959c42005273389db6453e5e0105f55c939ff552d75185279752960d9742d415f256ae2cfabe2c8fe1

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
93KB

MD5
bcbd4ea264297c2d55f134fa2e4bc125

SHA1
cc88c15fefe3e714bb52b0aeb57818d372474794

SHA256
3d9ec12750282f08de00a59c0749ef455a3d779a1169e0c90c231ddba66d106a

SHA512
bae314edba1907d7242c616f808c2e3dd8a86394ab404aaf2add29dbeba12389d7495e08ab2c723e137be7f17a9166894225241264175f6d011ab9a169d79bc8

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
93KB

MD5
75490289c6f5dd914ef9a24e041ff8dd

SHA1
2464a83b2cc733623274d1f15c6ded6d6220d173

SHA256
a1ac9a624a83f6942c09dcc348f18d3ae1b2f94ca797e575d78426df69c7791b

SHA512
20988f5505c7ec48e0eb2f4d50ac08c14b6c80eb1f75e33cfbfcabd9877b0d9da4f61ad07808ad5c940c8e9e0c38f0358ebfb37231d1373c01e6add17b7d6225

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
93KB

MD5
44e985f16b214fc9696aa2005f01f763

SHA1
fe960702ac3331150b97bf38b619f907262831e5

SHA256
4497511b1375f95904105ff7853855e333073be352212415f8849e5ca1a32113

SHA512
b32a6ed903f2e9b36f5df8e6129960551f389d35200364f2b3fa38c8188e6360bea32f2f71fee8b921c5df26ce928a1e04481f5cef1326b66d5c89fbfe2919f7

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
93KB

MD5
8037d92f4d10a9af13214567345600b3

SHA1
785e8eebf53763f6130fdfbf0ffc82e6dfb222f9

SHA256
15c7c64ae13de5b2040548ee93e424ca58a82c15f9178816acb7428ea4729c96

SHA512
3e627809e4e9c887bec2a61be33bcb769e53a48cc8dedafd4d5807b4b9df456ce171f2b7ef85653a5b27cb6f2e197b407b7ac48f5fbd16a2bc6bc2df02fbf065

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
93KB

MD5
28f83ba33facc9af8217bde2b77fb86d

SHA1
54e0095540f8b624769a457bc85d642945b54c45

SHA256
81964f7f1c172ff3abe48f2683b6317e8c59e4e96c81131821789b69ad795948

SHA512
a64834937ea3569688430f84350153ba7cdc368ace38e48ec33d3ecb604f1251f3b835a60db10be282608e8d9d703c4101b07b6ba2cf6a46ef5975d479fd387c

Download Submit
C:\Windows\SysWOW64\Dobfld32.exe

Filesize
93KB

MD5
2779794ba670aa4b0452eddb4733fffc

SHA1
add556406cf12e42509321318feeb830f62ba391

SHA256
7782316ec4c23e9516ec1c4d0661a58b80eb1e31a6120b68e748d1731a046cb4

SHA512
daa1baeeff92e0887c456d4abeba94b615665980ce565114ce4eba75f910a5347b16bb2370691e8c3d95b87458dc625570c5752394c042c800281ea4c30e073c

Download Submit
memory/388-253-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/792-340-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/792-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/904-321-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/904-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/920-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/920-322-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1216-324-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1216-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1340-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1340-302-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1560-372-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1560-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1780-362-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1780-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1800-354-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1800-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1808-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1808-328-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1812-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1812-360-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2056-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2056-344-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2184-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2184-314-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2364-350-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2364-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2724-306-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2724-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2796-280-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2820-261-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2908-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2908-332-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3256-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3256-366-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3284-374-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3284-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3284-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/3376-368-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3376-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3500-309-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3500-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3624-303-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3624-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3900-268-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4056-334-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4056-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4088-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4088-346-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4284-291-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4328-338-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4328-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4404-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4404-370-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4524-358-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4524-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4624-330-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4624-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4708-356-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4708-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4732-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4732-364-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4836-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4836-348-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4864-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4864-342-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4896-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4896-352-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4920-318-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4920-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4924-336-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4924-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4936-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4936-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5008-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5008-326-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download