Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
  • submitted
    07/04/2024, 00:07

General

  • Target

    a7ec50b2270729e85a965f8271898643dc915aaf3e1d9f311dcfa650968fee21.exe

  • Size

    270KB

  • MD5

    27eb334dc77a18c002e3675f01b7b1fb

  • SHA1

    205791331f39949effdaafe0a8103b117c05d43c

  • SHA256

    a7ec50b2270729e85a965f8271898643dc915aaf3e1d9f311dcfa650968fee21

  • SHA512

    171cfad63c9fe6dc08d67462307eb5593f94d095e25b0729f341981ad86b19b4236765775bda15bc1588a955707e79eab23d722151b451432a59d956ac3895a9

  • SSDEEP

    6144:l+7p6Gl/p6QWGKa4gXWG6hRNjpck4MetpS+f2uXLO+AGb+oPri2O3py69mNoRqzM:l+J6hb2XtpD2ub7A2Vri730697qy5oNK

Score
10/10

Malware Config

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
  • Executes dropped EXE 64 IoCs
  • Drops file in System32 directory 64 IoCs
  • Program crash 1 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a7ec50b2270729e85a965f8271898643dc915aaf3e1d9f311dcfa650968fee21.exe
    "C:\Users\Admin\AppData\Local\Temp\a7ec50b2270729e85a965f8271898643dc915aaf3e1d9f311dcfa650968fee21.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2108
    • C:\Windows\SysWOW64\Ecbenm32.exe
      C:\Windows\system32\Ecbenm32.exe
      2⤵
      • Adds autorun key to be loaded by Explorer.exe on startup
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:1432
      • C:\Windows\SysWOW64\Ejlmkgkl.exe
        C:\Windows\system32\Ejlmkgkl.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:3524
        • C:\Windows\SysWOW64\Emjjgbjp.exe
          C:\Windows\system32\Emjjgbjp.exe
          4⤵
          • Adds autorun key to be loaded by Explorer.exe on startup
          • Executes dropped EXE
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:736
          • C:\Windows\SysWOW64\Eoifcnid.exe
            C:\Windows\system32\Eoifcnid.exe
            5⤵
            • Executes dropped EXE
            • Drops file in System32 directory
            • Suspicious use of WriteProcessMemory
            PID:4628
            • C:\Windows\SysWOW64\Fbgbpihg.exe
              C:\Windows\system32\Fbgbpihg.exe
              6⤵
              • Executes dropped EXE
              • Drops file in System32 directory
              • Suspicious use of WriteProcessMemory
              PID:2780
              • C:\Windows\SysWOW64\Ffbnph32.exe
                C:\Windows\system32\Ffbnph32.exe
                7⤵
                • Executes dropped EXE
                • Drops file in System32 directory
                • Suspicious use of WriteProcessMemory
                PID:4116
                • C:\Windows\SysWOW64\Fmmfmbhn.exe
                  C:\Windows\system32\Fmmfmbhn.exe
                  8⤵
                  • Executes dropped EXE
                  • Drops file in System32 directory
                  • Suspicious use of WriteProcessMemory
                  PID:3256
                  • C:\Windows\SysWOW64\Fcgoilpj.exe
                    C:\Windows\system32\Fcgoilpj.exe
                    9⤵
                    • Executes dropped EXE
                    • Drops file in System32 directory
                    • Suspicious use of WriteProcessMemory
                    PID:4368
                    • C:\Windows\SysWOW64\Ffekegon.exe
                      C:\Windows\system32\Ffekegon.exe
                      10⤵
                      • Adds autorun key to be loaded by Explorer.exe on startup
                      • Executes dropped EXE
                      • Drops file in System32 directory
                      • Suspicious use of WriteProcessMemory
                      PID:1188
                      • C:\Windows\SysWOW64\Fmocba32.exe
                        C:\Windows\system32\Fmocba32.exe
                        11⤵
                        • Adds autorun key to be loaded by Explorer.exe on startup
                        • Executes dropped EXE
                        • Suspicious use of WriteProcessMemory
                        PID:4520
                        • C:\Windows\SysWOW64\Fcikolnh.exe
                          C:\Windows\system32\Fcikolnh.exe
                          12⤵
                          • Executes dropped EXE
                          • Modifies registry class
                          • Suspicious use of WriteProcessMemory
                          PID:376
                          • C:\Windows\SysWOW64\Ffggkgmk.exe
                            C:\Windows\system32\Ffggkgmk.exe
                            13⤵
                            • Executes dropped EXE
                            • Suspicious use of WriteProcessMemory
                            PID:2368
                            • C:\Windows\SysWOW64\Fifdgblo.exe
                              C:\Windows\system32\Fifdgblo.exe
                              14⤵
                              • Executes dropped EXE
                              • Suspicious use of WriteProcessMemory
                              PID:3884
                              • C:\Windows\SysWOW64\Fckhdk32.exe
                                C:\Windows\system32\Fckhdk32.exe
                                15⤵
                                • Adds autorun key to be loaded by Explorer.exe on startup
                                • Executes dropped EXE
                                • Suspicious use of WriteProcessMemory
                                PID:4232
                                • C:\Windows\SysWOW64\Fjepaecb.exe
                                  C:\Windows\system32\Fjepaecb.exe
                                  16⤵
                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                  • Executes dropped EXE
                                  • Drops file in System32 directory
                                  • Suspicious use of WriteProcessMemory
                                  PID:1496
                                  • C:\Windows\SysWOW64\Fqohnp32.exe
                                    C:\Windows\system32\Fqohnp32.exe
                                    17⤵
                                    • Executes dropped EXE
                                    • Suspicious use of WriteProcessMemory
                                    PID:2932
                                    • C:\Windows\SysWOW64\Fcnejk32.exe
                                      C:\Windows\system32\Fcnejk32.exe
                                      18⤵
                                      • Executes dropped EXE
                                      • Suspicious use of WriteProcessMemory
                                      PID:4960
                                      • C:\Windows\SysWOW64\Fjhmgeao.exe
                                        C:\Windows\system32\Fjhmgeao.exe
                                        19⤵
                                        • Executes dropped EXE
                                        • Modifies registry class
                                        • Suspicious use of WriteProcessMemory
                                        PID:2212
                                        • C:\Windows\SysWOW64\Fmficqpc.exe
                                          C:\Windows\system32\Fmficqpc.exe
                                          20⤵
                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                          • Executes dropped EXE
                                          • Suspicious use of WriteProcessMemory
                                          PID:1636
                                          • C:\Windows\SysWOW64\Fodeolof.exe
                                            C:\Windows\system32\Fodeolof.exe
                                            21⤵
                                            • Executes dropped EXE
                                            • Modifies registry class
                                            • Suspicious use of WriteProcessMemory
                                            PID:5040
                                            • C:\Windows\SysWOW64\Gjjjle32.exe
                                              C:\Windows\system32\Gjjjle32.exe
                                              22⤵
                                              • Executes dropped EXE
                                              • Drops file in System32 directory
                                              • Modifies registry class
                                              • Suspicious use of WriteProcessMemory
                                              PID:2616
                                              • C:\Windows\SysWOW64\Gqdbiofi.exe
                                                C:\Windows\system32\Gqdbiofi.exe
                                                23⤵
                                                • Executes dropped EXE
                                                • Modifies registry class
                                                PID:624
                                                • C:\Windows\SysWOW64\Gcbnejem.exe
                                                  C:\Windows\system32\Gcbnejem.exe
                                                  24⤵
                                                  • Executes dropped EXE
                                                  PID:3692
                                                  • C:\Windows\SysWOW64\Giofnacd.exe
                                                    C:\Windows\system32\Giofnacd.exe
                                                    25⤵
                                                    • Executes dropped EXE
                                                    PID:4264
                                                    • C:\Windows\SysWOW64\Gqfooodg.exe
                                                      C:\Windows\system32\Gqfooodg.exe
                                                      26⤵
                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                      • Executes dropped EXE
                                                      • Modifies registry class
                                                      PID:620
                                                      • C:\Windows\SysWOW64\Gcekkjcj.exe
                                                        C:\Windows\system32\Gcekkjcj.exe
                                                        27⤵
                                                        • Executes dropped EXE
                                                        PID:2720
                                                        • C:\Windows\SysWOW64\Gjocgdkg.exe
                                                          C:\Windows\system32\Gjocgdkg.exe
                                                          28⤵
                                                          • Executes dropped EXE
                                                          • Drops file in System32 directory
                                                          PID:4032
                                                          • C:\Windows\SysWOW64\Gpklpkio.exe
                                                            C:\Windows\system32\Gpklpkio.exe
                                                            29⤵
                                                            • Executes dropped EXE
                                                            • Drops file in System32 directory
                                                            PID:908
                                                            • C:\Windows\SysWOW64\Gpnhekgl.exe
                                                              C:\Windows\system32\Gpnhekgl.exe
                                                              30⤵
                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                              • Executes dropped EXE
                                                              • Modifies registry class
                                                              PID:1196
                                                              • C:\Windows\SysWOW64\Gifmnpnl.exe
                                                                C:\Windows\system32\Gifmnpnl.exe
                                                                31⤵
                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                • Executes dropped EXE
                                                                PID:936
                                                                • C:\Windows\SysWOW64\Gppekj32.exe
                                                                  C:\Windows\system32\Gppekj32.exe
                                                                  32⤵
                                                                  • Executes dropped EXE
                                                                  PID:1004
                                                                  • C:\Windows\SysWOW64\Hapaemll.exe
                                                                    C:\Windows\system32\Hapaemll.exe
                                                                    33⤵
                                                                    • Executes dropped EXE
                                                                    PID:3388
                                                                    • C:\Windows\SysWOW64\Hikfip32.exe
                                                                      C:\Windows\system32\Hikfip32.exe
                                                                      34⤵
                                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                                      • Executes dropped EXE
                                                                      PID:3136
                                                                      • C:\Windows\SysWOW64\Hmfbjnbp.exe
                                                                        C:\Windows\system32\Hmfbjnbp.exe
                                                                        35⤵
                                                                        • Executes dropped EXE
                                                                        PID:764
                                                                        • C:\Windows\SysWOW64\Hpenfjad.exe
                                                                          C:\Windows\system32\Hpenfjad.exe
                                                                          36⤵
                                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                                          • Executes dropped EXE
                                                                          • Modifies registry class
                                                                          PID:3936
                                                                          • C:\Windows\SysWOW64\Hbckbepg.exe
                                                                            C:\Windows\system32\Hbckbepg.exe
                                                                            37⤵
                                                                            • Executes dropped EXE
                                                                            PID:4144
                                                                            • C:\Windows\SysWOW64\Hjjbcbqj.exe
                                                                              C:\Windows\system32\Hjjbcbqj.exe
                                                                              38⤵
                                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                                              • Executes dropped EXE
                                                                              • Drops file in System32 directory
                                                                              PID:3516
                                                                              • C:\Windows\SysWOW64\Hmioonpn.exe
                                                                                C:\Windows\system32\Hmioonpn.exe
                                                                                39⤵
                                                                                • Executes dropped EXE
                                                                                • Modifies registry class
                                                                                PID:1416
                                                                                • C:\Windows\SysWOW64\Hpgkkioa.exe
                                                                                  C:\Windows\system32\Hpgkkioa.exe
                                                                                  40⤵
                                                                                  • Executes dropped EXE
                                                                                  • Drops file in System32 directory
                                                                                  • Modifies registry class
                                                                                  PID:2684
                                                                                  • C:\Windows\SysWOW64\Hbeghene.exe
                                                                                    C:\Windows\system32\Hbeghene.exe
                                                                                    41⤵
                                                                                    • Executes dropped EXE
                                                                                    • Modifies registry class
                                                                                    PID:216
                                                                                    • C:\Windows\SysWOW64\Hfachc32.exe
                                                                                      C:\Windows\system32\Hfachc32.exe
                                                                                      42⤵
                                                                                      • Executes dropped EXE
                                                                                      PID:4804
                                                                                      • C:\Windows\SysWOW64\Haggelfd.exe
                                                                                        C:\Windows\system32\Haggelfd.exe
                                                                                        43⤵
                                                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                        • Executes dropped EXE
                                                                                        • Modifies registry class
                                                                                        PID:2264
                                                                                        • C:\Windows\SysWOW64\Hpihai32.exe
                                                                                          C:\Windows\system32\Hpihai32.exe
                                                                                          44⤵
                                                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                          • Executes dropped EXE
                                                                                          • Drops file in System32 directory
                                                                                          • Modifies registry class
                                                                                          PID:1732
                                                                                          • C:\Windows\SysWOW64\Hfcpncdk.exe
                                                                                            C:\Windows\system32\Hfcpncdk.exe
                                                                                            45⤵
                                                                                            • Executes dropped EXE
                                                                                            • Modifies registry class
                                                                                            PID:4152
                                                                                            • C:\Windows\SysWOW64\Hjolnb32.exe
                                                                                              C:\Windows\system32\Hjolnb32.exe
                                                                                              46⤵
                                                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                              • Executes dropped EXE
                                                                                              PID:3544
                                                                                              • C:\Windows\SysWOW64\Hmmhjm32.exe
                                                                                                C:\Windows\system32\Hmmhjm32.exe
                                                                                                47⤵
                                                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                • Executes dropped EXE
                                                                                                • Modifies registry class
                                                                                                PID:4780
                                                                                                • C:\Windows\SysWOW64\Ipldfi32.exe
                                                                                                  C:\Windows\system32\Ipldfi32.exe
                                                                                                  48⤵
                                                                                                  • Executes dropped EXE
                                                                                                  • Drops file in System32 directory
                                                                                                  • Modifies registry class
                                                                                                  PID:1112
                                                                                                  • C:\Windows\SysWOW64\Ibjqcd32.exe
                                                                                                    C:\Windows\system32\Ibjqcd32.exe
                                                                                                    49⤵
                                                                                                    • Executes dropped EXE
                                                                                                    • Drops file in System32 directory
                                                                                                    • Modifies registry class
                                                                                                    PID:804
                                                                                                    • C:\Windows\SysWOW64\Ijaida32.exe
                                                                                                      C:\Windows\system32\Ijaida32.exe
                                                                                                      50⤵
                                                                                                      • Executes dropped EXE
                                                                                                      PID:4936
                                                                                                      • C:\Windows\SysWOW64\Impepm32.exe
                                                                                                        C:\Windows\system32\Impepm32.exe
                                                                                                        51⤵
                                                                                                        • Executes dropped EXE
                                                                                                        PID:3336
                                                                                                        • C:\Windows\SysWOW64\Iakaql32.exe
                                                                                                          C:\Windows\system32\Iakaql32.exe
                                                                                                          52⤵
                                                                                                          • Executes dropped EXE
                                                                                                          PID:2252
                                                                                                          • C:\Windows\SysWOW64\Ibmmhdhm.exe
                                                                                                            C:\Windows\system32\Ibmmhdhm.exe
                                                                                                            53⤵
                                                                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                            • Executes dropped EXE
                                                                                                            • Modifies registry class
                                                                                                            PID:4376
                                                                                                            • C:\Windows\SysWOW64\Ifhiib32.exe
                                                                                                              C:\Windows\system32\Ifhiib32.exe
                                                                                                              54⤵
                                                                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                              • Executes dropped EXE
                                                                                                              • Drops file in System32 directory
                                                                                                              PID:1080
                                                                                                              • C:\Windows\SysWOW64\Iiffen32.exe
                                                                                                                C:\Windows\system32\Iiffen32.exe
                                                                                                                55⤵
                                                                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                • Executes dropped EXE
                                                                                                                • Drops file in System32 directory
                                                                                                                • Modifies registry class
                                                                                                                PID:3600
                                                                                                                • C:\Windows\SysWOW64\Ipqnahgf.exe
                                                                                                                  C:\Windows\system32\Ipqnahgf.exe
                                                                                                                  56⤵
                                                                                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                  • Executes dropped EXE
                                                                                                                  • Modifies registry class
                                                                                                                  PID:2928
                                                                                                                  • C:\Windows\SysWOW64\Ibojncfj.exe
                                                                                                                    C:\Windows\system32\Ibojncfj.exe
                                                                                                                    57⤵
                                                                                                                    • Executes dropped EXE
                                                                                                                    • Drops file in System32 directory
                                                                                                                    • Modifies registry class
                                                                                                                    PID:2536
                                                                                                                    • C:\Windows\SysWOW64\Ijfboafl.exe
                                                                                                                      C:\Windows\system32\Ijfboafl.exe
                                                                                                                      58⤵
                                                                                                                      • Executes dropped EXE
                                                                                                                      • Modifies registry class
                                                                                                                      PID:2508
                                                                                                                      • C:\Windows\SysWOW64\Iapjlk32.exe
                                                                                                                        C:\Windows\system32\Iapjlk32.exe
                                                                                                                        59⤵
                                                                                                                        • Executes dropped EXE
                                                                                                                        PID:4528
                                                                                                                        • C:\Windows\SysWOW64\Idofhfmm.exe
                                                                                                                          C:\Windows\system32\Idofhfmm.exe
                                                                                                                          60⤵
                                                                                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                          • Executes dropped EXE
                                                                                                                          PID:4336
                                                                                                                          • C:\Windows\SysWOW64\Ifmcdblq.exe
                                                                                                                            C:\Windows\system32\Ifmcdblq.exe
                                                                                                                            61⤵
                                                                                                                            • Executes dropped EXE
                                                                                                                            • Drops file in System32 directory
                                                                                                                            PID:5032
                                                                                                                            • C:\Windows\SysWOW64\Imgkql32.exe
                                                                                                                              C:\Windows\system32\Imgkql32.exe
                                                                                                                              62⤵
                                                                                                                              • Executes dropped EXE
                                                                                                                              • Drops file in System32 directory
                                                                                                                              PID:4440
                                                                                                                              • C:\Windows\SysWOW64\Idacmfkj.exe
                                                                                                                                C:\Windows\system32\Idacmfkj.exe
                                                                                                                                63⤵
                                                                                                                                • Executes dropped EXE
                                                                                                                                • Drops file in System32 directory
                                                                                                                                PID:3784
                                                                                                                                • C:\Windows\SysWOW64\Ijkljp32.exe
                                                                                                                                  C:\Windows\system32\Ijkljp32.exe
                                                                                                                                  64⤵
                                                                                                                                  • Executes dropped EXE
                                                                                                                                  PID:4468
                                                                                                                                  • C:\Windows\SysWOW64\Jpgdbg32.exe
                                                                                                                                    C:\Windows\system32\Jpgdbg32.exe
                                                                                                                                    65⤵
                                                                                                                                    • Executes dropped EXE
                                                                                                                                    • Drops file in System32 directory
                                                                                                                                    PID:3088
                                                                                                                                    • C:\Windows\SysWOW64\Jdcpcf32.exe
                                                                                                                                      C:\Windows\system32\Jdcpcf32.exe
                                                                                                                                      66⤵
                                                                                                                                      • Modifies registry class
                                                                                                                                      PID:2248
                                                                                                                                      • C:\Windows\SysWOW64\Jfaloa32.exe
                                                                                                                                        C:\Windows\system32\Jfaloa32.exe
                                                                                                                                        67⤵
                                                                                                                                        • Drops file in System32 directory
                                                                                                                                        PID:1028
                                                                                                                                        • C:\Windows\SysWOW64\Jiphkm32.exe
                                                                                                                                          C:\Windows\system32\Jiphkm32.exe
                                                                                                                                          68⤵
                                                                                                                                          • Drops file in System32 directory
                                                                                                                                          • Modifies registry class
                                                                                                                                          PID:1444
                                                                                                                                          • C:\Windows\SysWOW64\Jagqlj32.exe
                                                                                                                                            C:\Windows\system32\Jagqlj32.exe
                                                                                                                                            69⤵
                                                                                                                                            • Modifies registry class
                                                                                                                                            PID:1400
                                                                                                                                            • C:\Windows\SysWOW64\Jdemhe32.exe
                                                                                                                                              C:\Windows\system32\Jdemhe32.exe
                                                                                                                                              70⤵
                                                                                                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                              • Drops file in System32 directory
                                                                                                                                              PID:3792
                                                                                                                                              • C:\Windows\SysWOW64\Jfdida32.exe
                                                                                                                                                C:\Windows\system32\Jfdida32.exe
                                                                                                                                                71⤵
                                                                                                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                • Drops file in System32 directory
                                                                                                                                                • Modifies registry class
                                                                                                                                                PID:456
                                                                                                                                                • C:\Windows\SysWOW64\Jjpeepnb.exe
                                                                                                                                                  C:\Windows\system32\Jjpeepnb.exe
                                                                                                                                                  72⤵
                                                                                                                                                    PID:3780
                                                                                                                                                    • C:\Windows\SysWOW64\Jaimbj32.exe
                                                                                                                                                      C:\Windows\system32\Jaimbj32.exe
                                                                                                                                                      73⤵
                                                                                                                                                        PID:3976
                                                                                                                                                        • C:\Windows\SysWOW64\Jfffjqdf.exe
                                                                                                                                                          C:\Windows\system32\Jfffjqdf.exe
                                                                                                                                                          74⤵
                                                                                                                                                          • Modifies registry class
                                                                                                                                                          PID:3636
                                                                                                                                                          • C:\Windows\SysWOW64\Jpojcf32.exe
                                                                                                                                                            C:\Windows\system32\Jpojcf32.exe
                                                                                                                                                            75⤵
                                                                                                                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                            • Drops file in System32 directory
                                                                                                                                                            PID:4684
                                                                                                                                                            • C:\Windows\SysWOW64\Jdjfcecp.exe
                                                                                                                                                              C:\Windows\system32\Jdjfcecp.exe
                                                                                                                                                              76⤵
                                                                                                                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                              • Modifies registry class
                                                                                                                                                              PID:1624
                                                                                                                                                              • C:\Windows\SysWOW64\Jfhbppbc.exe
                                                                                                                                                                C:\Windows\system32\Jfhbppbc.exe
                                                                                                                                                                77⤵
                                                                                                                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                • Drops file in System32 directory
                                                                                                                                                                • Modifies registry class
                                                                                                                                                                PID:4372
                                                                                                                                                                • C:\Windows\SysWOW64\Jkdnpo32.exe
                                                                                                                                                                  C:\Windows\system32\Jkdnpo32.exe
                                                                                                                                                                  78⤵
                                                                                                                                                                    PID:4084
                                                                                                                                                                    • C:\Windows\SysWOW64\Jmbklj32.exe
                                                                                                                                                                      C:\Windows\system32\Jmbklj32.exe
                                                                                                                                                                      79⤵
                                                                                                                                                                      • Modifies registry class
                                                                                                                                                                      PID:4864
                                                                                                                                                                      • C:\Windows\SysWOW64\Jdmcidam.exe
                                                                                                                                                                        C:\Windows\system32\Jdmcidam.exe
                                                                                                                                                                        80⤵
                                                                                                                                                                        • Drops file in System32 directory
                                                                                                                                                                        PID:4588
                                                                                                                                                                        • C:\Windows\SysWOW64\Jfkoeppq.exe
                                                                                                                                                                          C:\Windows\system32\Jfkoeppq.exe
                                                                                                                                                                          81⤵
                                                                                                                                                                          • Drops file in System32 directory
                                                                                                                                                                          • Modifies registry class
                                                                                                                                                                          PID:4024
                                                                                                                                                                          • C:\Windows\SysWOW64\Kpccnefa.exe
                                                                                                                                                                            C:\Windows\system32\Kpccnefa.exe
                                                                                                                                                                            82⤵
                                                                                                                                                                            • Modifies registry class
                                                                                                                                                                            PID:1724
                                                                                                                                                                            • C:\Windows\SysWOW64\Kgmlkp32.exe
                                                                                                                                                                              C:\Windows\system32\Kgmlkp32.exe
                                                                                                                                                                              83⤵
                                                                                                                                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                              • Modifies registry class
                                                                                                                                                                              PID:3068
                                                                                                                                                                              • C:\Windows\SysWOW64\Kkihknfg.exe
                                                                                                                                                                                C:\Windows\system32\Kkihknfg.exe
                                                                                                                                                                                84⤵
                                                                                                                                                                                • Drops file in System32 directory
                                                                                                                                                                                • Modifies registry class
                                                                                                                                                                                PID:1772
                                                                                                                                                                                • C:\Windows\SysWOW64\Kacphh32.exe
                                                                                                                                                                                  C:\Windows\system32\Kacphh32.exe
                                                                                                                                                                                  85⤵
                                                                                                                                                                                  • Drops file in System32 directory
                                                                                                                                                                                  PID:4356
                                                                                                                                                                                  • C:\Windows\SysWOW64\Kdaldd32.exe
                                                                                                                                                                                    C:\Windows\system32\Kdaldd32.exe
                                                                                                                                                                                    86⤵
                                                                                                                                                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                    • Modifies registry class
                                                                                                                                                                                    PID:4992
                                                                                                                                                                                    • C:\Windows\SysWOW64\Kbdmpqcb.exe
                                                                                                                                                                                      C:\Windows\system32\Kbdmpqcb.exe
                                                                                                                                                                                      87⤵
                                                                                                                                                                                      • Drops file in System32 directory
                                                                                                                                                                                      PID:1160
                                                                                                                                                                                      • C:\Windows\SysWOW64\Kinemkko.exe
                                                                                                                                                                                        C:\Windows\system32\Kinemkko.exe
                                                                                                                                                                                        88⤵
                                                                                                                                                                                        • Drops file in System32 directory
                                                                                                                                                                                        • Modifies registry class
                                                                                                                                                                                        PID:1156
                                                                                                                                                                                        • C:\Windows\SysWOW64\Kaemnhla.exe
                                                                                                                                                                                          C:\Windows\system32\Kaemnhla.exe
                                                                                                                                                                                          89⤵
                                                                                                                                                                                          • Modifies registry class
                                                                                                                                                                                          PID:684
                                                                                                                                                                                          • C:\Windows\SysWOW64\Kdcijcke.exe
                                                                                                                                                                                            C:\Windows\system32\Kdcijcke.exe
                                                                                                                                                                                            90⤵
                                                                                                                                                                                            • Drops file in System32 directory
                                                                                                                                                                                            PID:4016
                                                                                                                                                                                            • C:\Windows\SysWOW64\Kknafn32.exe
                                                                                                                                                                                              C:\Windows\system32\Kknafn32.exe
                                                                                                                                                                                              91⤵
                                                                                                                                                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                              • Drops file in System32 directory
                                                                                                                                                                                              PID:3384
                                                                                                                                                                                              • C:\Windows\SysWOW64\Kmlnbi32.exe
                                                                                                                                                                                                C:\Windows\system32\Kmlnbi32.exe
                                                                                                                                                                                                92⤵
                                                                                                                                                                                                  PID:1484
                                                                                                                                                                                                  • C:\Windows\SysWOW64\Kpjjod32.exe
                                                                                                                                                                                                    C:\Windows\system32\Kpjjod32.exe
                                                                                                                                                                                                    93⤵
                                                                                                                                                                                                    • Modifies registry class
                                                                                                                                                                                                    PID:3324
                                                                                                                                                                                                    • C:\Windows\SysWOW64\Kcifkp32.exe
                                                                                                                                                                                                      C:\Windows\system32\Kcifkp32.exe
                                                                                                                                                                                                      94⤵
                                                                                                                                                                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                      PID:4808
                                                                                                                                                                                                      • C:\Windows\SysWOW64\Kgdbkohf.exe
                                                                                                                                                                                                        C:\Windows\system32\Kgdbkohf.exe
                                                                                                                                                                                                        95⤵
                                                                                                                                                                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                        PID:4240
                                                                                                                                                                                                        • C:\Windows\SysWOW64\Kibnhjgj.exe
                                                                                                                                                                                                          C:\Windows\system32\Kibnhjgj.exe
                                                                                                                                                                                                          96⤵
                                                                                                                                                                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                          PID:5128
                                                                                                                                                                                                          • C:\Windows\SysWOW64\Kmnjhioc.exe
                                                                                                                                                                                                            C:\Windows\system32\Kmnjhioc.exe
                                                                                                                                                                                                            97⤵
                                                                                                                                                                                                            • Drops file in System32 directory
                                                                                                                                                                                                            PID:5172
                                                                                                                                                                                                            • C:\Windows\SysWOW64\Kpmfddnf.exe
                                                                                                                                                                                                              C:\Windows\system32\Kpmfddnf.exe
                                                                                                                                                                                                              98⤵
                                                                                                                                                                                                                PID:5216
                                                                                                                                                                                                                • C:\Windows\SysWOW64\Kkbkamnl.exe
                                                                                                                                                                                                                  C:\Windows\system32\Kkbkamnl.exe
                                                                                                                                                                                                                  99⤵
                                                                                                                                                                                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                  • Drops file in System32 directory
                                                                                                                                                                                                                  • Modifies registry class
                                                                                                                                                                                                                  PID:5260
                                                                                                                                                                                                                  • C:\Windows\SysWOW64\Ldkojb32.exe
                                                                                                                                                                                                                    C:\Windows\system32\Ldkojb32.exe
                                                                                                                                                                                                                    100⤵
                                                                                                                                                                                                                    • Modifies registry class
                                                                                                                                                                                                                    PID:5296
                                                                                                                                                                                                                    • C:\Windows\SysWOW64\Lgikfn32.exe
                                                                                                                                                                                                                      C:\Windows\system32\Lgikfn32.exe
                                                                                                                                                                                                                      101⤵
                                                                                                                                                                                                                        PID:5340
                                                                                                                                                                                                                        • C:\Windows\SysWOW64\Lkdggmlj.exe
                                                                                                                                                                                                                          C:\Windows\system32\Lkdggmlj.exe
                                                                                                                                                                                                                          102⤵
                                                                                                                                                                                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                          • Modifies registry class
                                                                                                                                                                                                                          PID:5388
                                                                                                                                                                                                                          • C:\Windows\SysWOW64\Lmccchkn.exe
                                                                                                                                                                                                                            C:\Windows\system32\Lmccchkn.exe
                                                                                                                                                                                                                            103⤵
                                                                                                                                                                                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                            PID:5432
                                                                                                                                                                                                                            • C:\Windows\SysWOW64\Ldmlpbbj.exe
                                                                                                                                                                                                                              C:\Windows\system32\Ldmlpbbj.exe
                                                                                                                                                                                                                              104⤵
                                                                                                                                                                                                                              • Drops file in System32 directory
                                                                                                                                                                                                                              PID:5472
                                                                                                                                                                                                                              • C:\Windows\SysWOW64\Lgkhlnbn.exe
                                                                                                                                                                                                                                C:\Windows\system32\Lgkhlnbn.exe
                                                                                                                                                                                                                                105⤵
                                                                                                                                                                                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                PID:5520
                                                                                                                                                                                                                                • C:\Windows\SysWOW64\Lijdhiaa.exe
                                                                                                                                                                                                                                  C:\Windows\system32\Lijdhiaa.exe
                                                                                                                                                                                                                                  106⤵
                                                                                                                                                                                                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                  PID:5564
                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\Lpcmec32.exe
                                                                                                                                                                                                                                    C:\Windows\system32\Lpcmec32.exe
                                                                                                                                                                                                                                    107⤵
                                                                                                                                                                                                                                      PID:5612
                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\Lkiqbl32.exe
                                                                                                                                                                                                                                        C:\Windows\system32\Lkiqbl32.exe
                                                                                                                                                                                                                                        108⤵
                                                                                                                                                                                                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                        PID:5656
                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\Lnhmng32.exe
                                                                                                                                                                                                                                          C:\Windows\system32\Lnhmng32.exe
                                                                                                                                                                                                                                          109⤵
                                                                                                                                                                                                                                          • Drops file in System32 directory
                                                                                                                                                                                                                                          • Modifies registry class
                                                                                                                                                                                                                                          PID:5696
                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\Laciofpa.exe
                                                                                                                                                                                                                                            C:\Windows\system32\Laciofpa.exe
                                                                                                                                                                                                                                            110⤵
                                                                                                                                                                                                                                            • Drops file in System32 directory
                                                                                                                                                                                                                                            • Modifies registry class
                                                                                                                                                                                                                                            PID:5748
                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\Ldaeka32.exe
                                                                                                                                                                                                                                              C:\Windows\system32\Ldaeka32.exe
                                                                                                                                                                                                                                              111⤵
                                                                                                                                                                                                                                              • Drops file in System32 directory
                                                                                                                                                                                                                                              • Modifies registry class
                                                                                                                                                                                                                                              PID:5792
                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\Lgpagm32.exe
                                                                                                                                                                                                                                                C:\Windows\system32\Lgpagm32.exe
                                                                                                                                                                                                                                                112⤵
                                                                                                                                                                                                                                                • Drops file in System32 directory
                                                                                                                                                                                                                                                • Modifies registry class
                                                                                                                                                                                                                                                PID:5832
                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\Lklnhlfb.exe
                                                                                                                                                                                                                                                  C:\Windows\system32\Lklnhlfb.exe
                                                                                                                                                                                                                                                  113⤵
                                                                                                                                                                                                                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                                  PID:5872
                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\Lnjjdgee.exe
                                                                                                                                                                                                                                                    C:\Windows\system32\Lnjjdgee.exe
                                                                                                                                                                                                                                                    114⤵
                                                                                                                                                                                                                                                    • Modifies registry class
                                                                                                                                                                                                                                                    PID:5908
                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\Lddbqa32.exe
                                                                                                                                                                                                                                                      C:\Windows\system32\Lddbqa32.exe
                                                                                                                                                                                                                                                      115⤵
                                                                                                                                                                                                                                                      • Modifies registry class
                                                                                                                                                                                                                                                      PID:5960
                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\Lgbnmm32.exe
                                                                                                                                                                                                                                                        C:\Windows\system32\Lgbnmm32.exe
                                                                                                                                                                                                                                                        116⤵
                                                                                                                                                                                                                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                                        PID:6008
                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\Mnlfigcc.exe
                                                                                                                                                                                                                                                          C:\Windows\system32\Mnlfigcc.exe
                                                                                                                                                                                                                                                          117⤵
                                                                                                                                                                                                                                                            PID:6052
                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\Mahbje32.exe
                                                                                                                                                                                                                                                              C:\Windows\system32\Mahbje32.exe
                                                                                                                                                                                                                                                              118⤵
                                                                                                                                                                                                                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                                              PID:6112
                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\Mdfofakp.exe
                                                                                                                                                                                                                                                                C:\Windows\system32\Mdfofakp.exe
                                                                                                                                                                                                                                                                119⤵
                                                                                                                                                                                                                                                                • Drops file in System32 directory
                                                                                                                                                                                                                                                                PID:1420
                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\Mgekbljc.exe
                                                                                                                                                                                                                                                                  C:\Windows\system32\Mgekbljc.exe
                                                                                                                                                                                                                                                                  120⤵
                                                                                                                                                                                                                                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                                                  PID:5180
                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\Mjcgohig.exe
                                                                                                                                                                                                                                                                    C:\Windows\system32\Mjcgohig.exe
                                                                                                                                                                                                                                                                    121⤵
                                                                                                                                                                                                                                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                                                    • Modifies registry class
                                                                                                                                                                                                                                                                    PID:5268
                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\Majopeii.exe
                                                                                                                                                                                                                                                                      C:\Windows\system32\Majopeii.exe
                                                                                                                                                                                                                                                                      122⤵
                                                                                                                                                                                                                                                                        PID:5332
                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\Mpmokb32.exe
                                                                                                                                                                                                                                                                          C:\Windows\system32\Mpmokb32.exe
                                                                                                                                                                                                                                                                          123⤵
                                                                                                                                                                                                                                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                                                          • Drops file in System32 directory
                                                                                                                                                                                                                                                                          PID:5396
                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\Mgghhlhq.exe
                                                                                                                                                                                                                                                                            C:\Windows\system32\Mgghhlhq.exe
                                                                                                                                                                                                                                                                            124⤵
                                                                                                                                                                                                                                                                            • Drops file in System32 directory
                                                                                                                                                                                                                                                                            PID:5460
                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\Mkbchk32.exe
                                                                                                                                                                                                                                                                              C:\Windows\system32\Mkbchk32.exe
                                                                                                                                                                                                                                                                              125⤵
                                                                                                                                                                                                                                                                                PID:5548
                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\Mnapdf32.exe
                                                                                                                                                                                                                                                                                  C:\Windows\system32\Mnapdf32.exe
                                                                                                                                                                                                                                                                                  126⤵
                                                                                                                                                                                                                                                                                  • Drops file in System32 directory
                                                                                                                                                                                                                                                                                  PID:5652
                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\Mkepnjng.exe
                                                                                                                                                                                                                                                                                    C:\Windows\system32\Mkepnjng.exe
                                                                                                                                                                                                                                                                                    127⤵
                                                                                                                                                                                                                                                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                                                                    • Modifies registry class
                                                                                                                                                                                                                                                                                    PID:5732
                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\Mncmjfmk.exe
                                                                                                                                                                                                                                                                                      C:\Windows\system32\Mncmjfmk.exe
                                                                                                                                                                                                                                                                                      128⤵
                                                                                                                                                                                                                                                                                      • Drops file in System32 directory
                                                                                                                                                                                                                                                                                      • Modifies registry class
                                                                                                                                                                                                                                                                                      PID:5820
                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\Mcpebmkb.exe
                                                                                                                                                                                                                                                                                        C:\Windows\system32\Mcpebmkb.exe
                                                                                                                                                                                                                                                                                        129⤵
                                                                                                                                                                                                                                                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                                                                        PID:5892
                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\Mkgmcjld.exe
                                                                                                                                                                                                                                                                                          C:\Windows\system32\Mkgmcjld.exe
                                                                                                                                                                                                                                                                                          130⤵
                                                                                                                                                                                                                                                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                                                                          • Modifies registry class
                                                                                                                                                                                                                                                                                          PID:5936
                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\Mnfipekh.exe
                                                                                                                                                                                                                                                                                            C:\Windows\system32\Mnfipekh.exe
                                                                                                                                                                                                                                                                                            131⤵
                                                                                                                                                                                                                                                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                                                                            • Drops file in System32 directory
                                                                                                                                                                                                                                                                                            • Modifies registry class
                                                                                                                                                                                                                                                                                            PID:6040
                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\Mpdelajl.exe
                                                                                                                                                                                                                                                                                              C:\Windows\system32\Mpdelajl.exe
                                                                                                                                                                                                                                                                                              132⤵
                                                                                                                                                                                                                                                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                                                                              PID:6128
                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\Mdpalp32.exe
                                                                                                                                                                                                                                                                                                C:\Windows\system32\Mdpalp32.exe
                                                                                                                                                                                                                                                                                                133⤵
                                                                                                                                                                                                                                                                                                • Modifies registry class
                                                                                                                                                                                                                                                                                                PID:5252
                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\Mgnnhk32.exe
                                                                                                                                                                                                                                                                                                  C:\Windows\system32\Mgnnhk32.exe
                                                                                                                                                                                                                                                                                                  134⤵
                                                                                                                                                                                                                                                                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                                                                                  PID:5444
                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\Nkjjij32.exe
                                                                                                                                                                                                                                                                                                    C:\Windows\system32\Nkjjij32.exe
                                                                                                                                                                                                                                                                                                    135⤵
                                                                                                                                                                                                                                                                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                                                                                    • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                    PID:5588
                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\Nnhfee32.exe
                                                                                                                                                                                                                                                                                                      C:\Windows\system32\Nnhfee32.exe
                                                                                                                                                                                                                                                                                                      136⤵
                                                                                                                                                                                                                                                                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                                                                                      PID:5756
                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\Nacbfdao.exe
                                                                                                                                                                                                                                                                                                        C:\Windows\system32\Nacbfdao.exe
                                                                                                                                                                                                                                                                                                        137⤵
                                                                                                                                                                                                                                                                                                        • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                        PID:5880
                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\Nqfbaq32.exe
                                                                                                                                                                                                                                                                                                          C:\Windows\system32\Nqfbaq32.exe
                                                                                                                                                                                                                                                                                                          138⤵
                                                                                                                                                                                                                                                                                                          • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                          PID:6020
                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\Nceonl32.exe
                                                                                                                                                                                                                                                                                                            C:\Windows\system32\Nceonl32.exe
                                                                                                                                                                                                                                                                                                            139⤵
                                                                                                                                                                                                                                                                                                              PID:5136
                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\Ngpjnkpf.exe
                                                                                                                                                                                                                                                                                                                C:\Windows\system32\Ngpjnkpf.exe
                                                                                                                                                                                                                                                                                                                140⤵
                                                                                                                                                                                                                                                                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                                                                                                • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                • Modifies registry class
                                                                                                                                                                                                                                                                                                                PID:5440
                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\Nnjbke32.exe
                                                                                                                                                                                                                                                                                                                  C:\Windows\system32\Nnjbke32.exe
                                                                                                                                                                                                                                                                                                                  141⤵
                                                                                                                                                                                                                                                                                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                                                                                                  PID:5736
                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\Nqiogp32.exe
                                                                                                                                                                                                                                                                                                                    C:\Windows\system32\Nqiogp32.exe
                                                                                                                                                                                                                                                                                                                    142⤵
                                                                                                                                                                                                                                                                                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                                                                                                    • Modifies registry class
                                                                                                                                                                                                                                                                                                                    PID:5856
                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\Nddkgonp.exe
                                                                                                                                                                                                                                                                                                                      C:\Windows\system32\Nddkgonp.exe
                                                                                                                                                                                                                                                                                                                      143⤵
                                                                                                                                                                                                                                                                                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                                                                                                      PID:6132
                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\Ngcgcjnc.exe
                                                                                                                                                                                                                                                                                                                        C:\Windows\system32\Ngcgcjnc.exe
                                                                                                                                                                                                                                                                                                                        144⤵
                                                                                                                                                                                                                                                                                                                        • Modifies registry class
                                                                                                                                                                                                                                                                                                                        PID:5608
                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\Nnmopdep.exe
                                                                                                                                                                                                                                                                                                                          C:\Windows\system32\Nnmopdep.exe
                                                                                                                                                                                                                                                                                                                          145⤵
                                                                                                                                                                                                                                                                                                                            PID:5868
                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\Nqklmpdd.exe
                                                                                                                                                                                                                                                                                                                              C:\Windows\system32\Nqklmpdd.exe
                                                                                                                                                                                                                                                                                                                              146⤵
                                                                                                                                                                                                                                                                                                                                PID:5712
                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\Ndghmo32.exe
                                                                                                                                                                                                                                                                                                                                  C:\Windows\system32\Ndghmo32.exe
                                                                                                                                                                                                                                                                                                                                  147⤵
                                                                                                                                                                                                                                                                                                                                  • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                  PID:5240
                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\Nnolfdcn.exe
                                                                                                                                                                                                                                                                                                                                    C:\Windows\system32\Nnolfdcn.exe
                                                                                                                                                                                                                                                                                                                                    148⤵
                                                                                                                                                                                                                                                                                                                                    • Modifies registry class
                                                                                                                                                                                                                                                                                                                                    PID:5864
                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\Nbkhfc32.exe
                                                                                                                                                                                                                                                                                                                                      C:\Windows\system32\Nbkhfc32.exe
                                                                                                                                                                                                                                                                                                                                      149⤵
                                                                                                                                                                                                                                                                                                                                        PID:6160
                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\Nkcmohbg.exe
                                                                                                                                                                                                                                                                                                                                          C:\Windows\system32\Nkcmohbg.exe
                                                                                                                                                                                                                                                                                                                                          150⤵
                                                                                                                                                                                                                                                                                                                                            PID:6216
                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                              C:\Windows\SysWOW64\WerFault.exe -u -p 6216 -s 408
                                                                                                                                                                                                                                                                                                                                              151⤵
                                                                                                                                                                                                                                                                                                                                              • Program crash
                                                                                                                                                                                                                                                                                                                                              PID:6316
                                • C:\Windows\SysWOW64\WerFault.exe
                                  C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6216 -ip 6216
                                  1⤵
                                    PID:6284

                                  Network

                                  MITRE ATT&CK Enterprise v15

                                  Downloads

                                  • C:\Windows\SysWOW64\Ecbenm32.exe

                                    Filesize

                                    270KB

                                    MD5

                                    8297254d35999377224f04a9953be2cd

                                    SHA1

                                    2ce150137e93e6200c443459e4f3584fb8cb0df8

                                    SHA256

                                    aca93cc9aa424764e501a34c1f838ca67970171bc406e22a4fbc80b49b6bf725

                                    SHA512

                                    42bb9f76de7d1ae288a2486506cb55c1bb2285fde3b53367566b6f9f3f771c942d8a66f381c1320591272d1dbffc814a8fc0ce170d227108c5c62401bed79bed

                                  • C:\Windows\SysWOW64\Ejlmkgkl.exe

                                    Filesize

                                    270KB

                                    MD5

                                    40eacd58a4091f1cff83ec6789866688

                                    SHA1

                                    7e5dea3d4caaffd8592ae793dca798649989fb23

                                    SHA256

                                    b428ea206fe3c8f1e006ab7ece593f570c513583471d7f03173c135294260601

                                    SHA512

                                    b63756f314fd348633f0c5f94bb6d790cbde3e4ca1180f32d83830ed90ac59b01fcdb6b72943372e5335743e0b4e99247a3ec85e3ae1c846682e8d4a3223d89e

                                  • C:\Windows\SysWOW64\Emjjgbjp.exe

                                    Filesize

                                    270KB

                                    MD5

                                    68dae113bbcf3e44b49efa016d4b8e5d

                                    SHA1

                                    e8e2d3818bc9b737a626a3ccb825d5ecf7a4d118

                                    SHA256

                                    bbb1208f95d24f1abc396e76ad40dd1cf1a528559fd42ea24aafd960fe63093c

                                    SHA512

                                    f45e208bc11ce48409584bdd75f5920bf257d49071519672a0ec1b5679c432084d5f490970f620a8703e7931afcbd1afb1c94deb3651ba6b00e041d07c2063d5

                                  • C:\Windows\SysWOW64\Eoifcnid.exe

                                    Filesize

                                    270KB

                                    MD5

                                    577c3ec2de51c987fe63f9f1b982f4ea

                                    SHA1

                                    c2a12a993fe57e4880a95acf37fa7e7843419de2

                                    SHA256

                                    6b761a3e38aa523b75dee1a9d3fabd882358be85519320505579a1bf04cb53cc

                                    SHA512

                                    e4a5f5e42a3278ec579236daa800bb5ad1472d1c69e272529a2667f8cb0b5dced90a4880e929900dddc0b6f9d9388d5e8c252c5fc6eb272240f3bf8885ad4eb8

                                  • C:\Windows\SysWOW64\Fbgbpihg.exe

                                    Filesize

                                    270KB

                                    MD5

                                    6644bcbeb04a0357480705c5e63f7bbf

                                    SHA1

                                    1f5311523a6029b8d19e3ae9fa3dd522d33e33a3

                                    SHA256

                                    62d23d6e6ae572156521c7d7e95deced5657ba29775b704023d12a8458fa1d80

                                    SHA512

                                    08da5bccb039bbbc5959231c43de49c9c8abe9cd0082894b5f1b6fdc97b010e889f20af0625db90f5275c011ac0bcbe0abcb91878d44413f52e0405faea536e4

                                  • C:\Windows\SysWOW64\Fcgoilpj.exe

                                    Filesize

                                    270KB

                                    MD5

                                    3dc835418799aa490c53a8b33dfd2bd1

                                    SHA1

                                    0015bbb062a0f04d973736efaa166f3a27208d22

                                    SHA256

                                    75f75f329601e0db805fa86a4e1bb78f6b07138f9af315a3163dc5bcfbce3b50

                                    SHA512

                                    0273f4e31d2d1151aba1276cd03b459f1b0276ff5c5143c3d3aa1821155204e732941338f1627317eba40adaf45b42065b59c482c8b627b9906fd3505a55767e

                                  • C:\Windows\SysWOW64\Fcikolnh.exe

                                    Filesize

                                    270KB

                                    MD5

                                    d0adfd0edc59ebf0acf66d42aaa337fc

                                    SHA1

                                    6313fb8e3a7d5c644b44760f9d7c582c1151f641

                                    SHA256

                                    fd78f3c4a5ad424d59a8b5936f1ae29a41e44e2a443390c9fb413336a1824ab9

                                    SHA512

                                    f8c53c7f24f77272ef4bfe18a479884b423a72a9a46d7f72cbbf5a2302279f0f56512d3e8709c7411ed6997b604bb418d9d652f1c0851607a4294e4dadadcf05

                                  • C:\Windows\SysWOW64\Fckhdk32.exe

                                    Filesize

                                    270KB

                                    MD5

                                    47e6869219d22a812a26f4bceadd9c18

                                    SHA1

                                    1d1fdbf0e880d7a54033252b5f00bbca5dd7f5f0

                                    SHA256

                                    d5a34e05a23c26950737a4f32bd13c823081db38383e0fbe74b1693cb5f0af8c

                                    SHA512

                                    15482be651bd5abe56997da00b1e805657448c8117caf939241d13c926ced53778a482219d372c220b502940c65e306e064c7603f5884c357f9a8201aec2c405

                                  • C:\Windows\SysWOW64\Fcnejk32.exe

                                    Filesize

                                    270KB

                                  • C:\Windows\SysWOW64\Ffbnph32.exe

                                    Filesize

                                    270KB

                                  • C:\Windows\SysWOW64\Ffekegon.exe

                                    Filesize

                                    270KB

                                  • C:\Windows\SysWOW64\Ffggkgmk.exe

                                    Filesize

                                    270KB

                                  • C:\Windows\SysWOW64\Fifdgblo.exe

                                    Filesize

                                    270KB

                                  • C:\Windows\SysWOW64\Fjepaecb.exe

                                    Filesize

                                    270KB

                                  • C:\Windows\SysWOW64\Fjhmgeao.exe

                                    Filesize

                                    270KB

                                  • C:\Windows\SysWOW64\Fmficqpc.exe

                                    Filesize

                                    270KB

                                  • C:\Windows\SysWOW64\Fmmfmbhn.exe

                                    Filesize

                                    270KB

                                  • C:\Windows\SysWOW64\Fmocba32.exe

                                    Filesize

                                    270KB

                                  • C:\Windows\SysWOW64\Fodeolof.exe

                                    Filesize

                                    270KB

                                  • C:\Windows\SysWOW64\Fqohnp32.exe

                                    Filesize

                                    270KB

                                  • C:\Windows\SysWOW64\Gcbnejem.exe

                                    Filesize

                                    270KB

                                  • C:\Windows\SysWOW64\Gcekkjcj.exe

                                    Filesize

                                    270KB

                                  • C:\Windows\SysWOW64\Gifmnpnl.exe

                                    Filesize

                                    270KB

                                  • C:\Windows\SysWOW64\Giofnacd.exe

                                    Filesize

                                    270KB

                                  • C:\Windows\SysWOW64\Gjjjle32.exe

                                    Filesize

                                    270KB

                                  • C:\Windows\SysWOW64\Gjocgdkg.exe

                                    Filesize

                                    270KB

                                  • C:\Windows\SysWOW64\Gpklpkio.exe

                                    Filesize

                                    270KB

                                  • C:\Windows\SysWOW64\Gpnhekgl.exe

                                    Filesize

                                    270KB

                                  • C:\Windows\SysWOW64\Gppekj32.exe

                                    Filesize

                                    270KB

                                  • C:\Windows\SysWOW64\Gqdbiofi.exe

                                    Filesize

                                    270KB

                                  • C:\Windows\SysWOW64\Gqfooodg.exe

                                    Filesize

                                    270KB

                                  • C:\Windows\SysWOW64\Hapaemll.exe

                                    Filesize

                                    270KB
