Analysis

  • max time kernel
    97s
  • max time network
    126s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
  • submitted
    09/05/2024, 03:33

General

  • Target

    e050d6204299aaf0dcfe2bc3a1361640_NEIKI.exe

  • Size

    1.2MB

  • MD5

    e050d6204299aaf0dcfe2bc3a1361640

  • SHA1

    5cd4b5365ed813ce1e1c2c4d45cb552e03ed3a6c

  • SHA256

    43db54686373b803d2d2860b87c64bb09b7f685d2fc3cddcf6aff61556a0b289

  • SHA512

    faf3cbe9936cee148bc4114cf918f336a2503c13c4b61fd9f707df5253f5fe79da662cdd96f266296f2c223616824de6e1ba350a81b546762a0167e2d08165a3

  • SSDEEP

    24576:RdTpm0BmmvFimm0MTP7hm0BmmvFimm0SGT8P402fo06YE1+91vK3xDWGk4A:BiLiZGT8P4Zfo06h1+91vOaGBA

Malware Config

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
  • Malware Dropper & Backdoor - Berbew 32 IoCs

    Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

  • Executes dropped EXE 64 IoCs
  • Drops file in System32 directory 64 IoCs
  • Program crash 1 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e050d6204299aaf0dcfe2bc3a1361640_NEIKI.exe
    "C:\Users\Admin\AppData\Local\Temp\e050d6204299aaf0dcfe2bc3a1361640_NEIKI.exe"
    1⤵
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2024
    • C:\Windows\SysWOW64\Ibojncfj.exe
      C:\Windows\system32\Ibojncfj.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2744
      • C:\Windows\SysWOW64\Iiibkn32.exe
        C:\Windows\system32\Iiibkn32.exe
        3⤵
        • Adds autorun key to be loaded by Explorer.exe on startup
        • Executes dropped EXE
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:1872
        • C:\Windows\SysWOW64\Iabgaklg.exe
          C:\Windows\system32\Iabgaklg.exe
          4⤵
          • Adds autorun key to be loaded by Explorer.exe on startup
          • Executes dropped EXE
          • Drops file in System32 directory
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:3092
          • C:\Windows\SysWOW64\Idacmfkj.exe
            C:\Windows\system32\Idacmfkj.exe
            5⤵
            • Adds autorun key to be loaded by Explorer.exe on startup
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:2300
            • C:\Windows\SysWOW64\Jpjqhgol.exe
              C:\Windows\system32\Jpjqhgol.exe
              6⤵
              • Adds autorun key to be loaded by Explorer.exe on startup
              • Executes dropped EXE
              • Drops file in System32 directory
              • Suspicious use of WriteProcessMemory
              PID:3216
              • C:\Windows\SysWOW64\Jbkjjblm.exe
                C:\Windows\system32\Jbkjjblm.exe
                7⤵
                • Executes dropped EXE
                • Modifies registry class
                • Suspicious use of WriteProcessMemory
                PID:3168
                • C:\Windows\SysWOW64\Jangmibi.exe
                  C:\Windows\system32\Jangmibi.exe
                  8⤵
                  • Executes dropped EXE
                  • Drops file in System32 directory
                  • Modifies registry class
                  • Suspicious use of WriteProcessMemory
                  PID:3464
                  • C:\Windows\SysWOW64\Kdopod32.exe
                    C:\Windows\system32\Kdopod32.exe
                    9⤵
                    • Executes dropped EXE
                    • Suspicious use of WriteProcessMemory
                    PID:2880
                    • C:\Windows\SysWOW64\Kmgdgjek.exe
                      C:\Windows\system32\Kmgdgjek.exe
                      10⤵
                      • Adds autorun key to be loaded by Explorer.exe on startup
                      • Executes dropped EXE
                      • Drops file in System32 directory
                      • Suspicious use of WriteProcessMemory
                      PID:3300
                      • C:\Windows\SysWOW64\Kpepcedo.exe
                        C:\Windows\system32\Kpepcedo.exe
                        11⤵
                        • Executes dropped EXE
                        • Drops file in System32 directory
                        • Suspicious use of WriteProcessMemory
                        PID:2768
                        • C:\Windows\SysWOW64\Kagichjo.exe
                          C:\Windows\system32\Kagichjo.exe
                          12⤵
                          • Adds autorun key to be loaded by Explorer.exe on startup
                          • Executes dropped EXE
                          • Suspicious use of WriteProcessMemory
                          PID:1032
                          • C:\Windows\SysWOW64\Kibnhjgj.exe
                            C:\Windows\system32\Kibnhjgj.exe
                            13⤵
                            • Adds autorun key to be loaded by Explorer.exe on startup
                            • Executes dropped EXE
                            • Drops file in System32 directory
                            • Modifies registry class
                            • Suspicious use of WriteProcessMemory
                            PID:1644
                            • C:\Windows\SysWOW64\Kajfig32.exe
                              C:\Windows\system32\Kajfig32.exe
                              14⤵
                              • Adds autorun key to be loaded by Explorer.exe on startup
                              • Executes dropped EXE
                              • Drops file in System32 directory
                              • Suspicious use of WriteProcessMemory
                              PID:3372
                              • C:\Windows\SysWOW64\Kpmfddnf.exe
                                C:\Windows\system32\Kpmfddnf.exe
                                15⤵
                                • Adds autorun key to be loaded by Explorer.exe on startup
                                • Executes dropped EXE
                                • Modifies registry class
                                • Suspicious use of WriteProcessMemory
                                PID:4748
                                • C:\Windows\SysWOW64\Kgfoan32.exe
                                  C:\Windows\system32\Kgfoan32.exe
                                  16⤵
                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                  • Executes dropped EXE
                                  • Drops file in System32 directory
                                  • Modifies registry class
                                  • Suspicious use of WriteProcessMemory
                                  PID:4640
                                  • C:\Windows\SysWOW64\Liekmj32.exe
                                    C:\Windows\system32\Liekmj32.exe
                                    17⤵
                                    • Executes dropped EXE
                                    • Drops file in System32 directory
                                    • Modifies registry class
                                    • Suspicious use of WriteProcessMemory
                                    PID:4524
                                    • C:\Windows\SysWOW64\Lalcng32.exe
                                      C:\Windows\system32\Lalcng32.exe
                                      18⤵
                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                      • Executes dropped EXE
                                      • Drops file in System32 directory
                                      • Modifies registry class
                                      • Suspicious use of WriteProcessMemory
                                      PID:700
                                      • C:\Windows\SysWOW64\Lpocjdld.exe
                                        C:\Windows\system32\Lpocjdld.exe
                                        19⤵
                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                        • Executes dropped EXE
                                        • Drops file in System32 directory
                                        • Modifies registry class
                                        • Suspicious use of WriteProcessMemory
                                        PID:2588
                                        • C:\Windows\SysWOW64\Lcmofolg.exe
                                          C:\Windows\system32\Lcmofolg.exe
                                          20⤵
                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                          • Executes dropped EXE
                                          • Modifies registry class
                                          • Suspicious use of WriteProcessMemory
                                          PID:1156
                                          • C:\Windows\SysWOW64\Liggbi32.exe
                                            C:\Windows\system32\Liggbi32.exe
                                            21⤵
                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                            • Executes dropped EXE
                                            • Modifies registry class
                                            • Suspicious use of WriteProcessMemory
                                            PID:3164
                                            • C:\Windows\SysWOW64\Lmccchkn.exe
                                              C:\Windows\system32\Lmccchkn.exe
                                              22⤵
                                              • Executes dropped EXE
                                              • Suspicious use of WriteProcessMemory
                                              PID:4440
                                              • C:\Windows\SysWOW64\Lpappc32.exe
                                                C:\Windows\system32\Lpappc32.exe
                                                23⤵
                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                • Executes dropped EXE
                                                • Drops file in System32 directory
                                                • Modifies registry class
                                                PID:660
                                                • C:\Windows\SysWOW64\Ldmlpbbj.exe
                                                  C:\Windows\system32\Ldmlpbbj.exe
                                                  24⤵
                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                  • Executes dropped EXE
                                                  • Drops file in System32 directory
                                                  • Modifies registry class
                                                  PID:3104
                                                  • C:\Windows\SysWOW64\Lgkhlnbn.exe
                                                    C:\Windows\system32\Lgkhlnbn.exe
                                                    25⤵
                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                    • Executes dropped EXE
                                                    • Modifies registry class
                                                    PID:2168
                                                    • C:\Windows\SysWOW64\Lkgdml32.exe
                                                      C:\Windows\system32\Lkgdml32.exe
                                                      26⤵
                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                      • Executes dropped EXE
                                                      • Drops file in System32 directory
                                                      • Modifies registry class
                                                      PID:4852
                                                      • C:\Windows\SysWOW64\Lnepih32.exe
                                                        C:\Windows\system32\Lnepih32.exe
                                                        27⤵
                                                        • Executes dropped EXE
                                                        • Drops file in System32 directory
                                                        • Modifies registry class
                                                        PID:2568
                                                        • C:\Windows\SysWOW64\Laalifad.exe
                                                          C:\Windows\system32\Laalifad.exe
                                                          28⤵
                                                          • Executes dropped EXE
                                                          PID:1948
                                                          • C:\Windows\SysWOW64\Ldohebqh.exe
                                                            C:\Windows\system32\Ldohebqh.exe
                                                            29⤵
                                                            • Executes dropped EXE
                                                            • Drops file in System32 directory
                                                            PID:748
                                                            • C:\Windows\SysWOW64\Lcbiao32.exe
                                                              C:\Windows\system32\Lcbiao32.exe
                                                              30⤵
                                                              • Executes dropped EXE
                                                              • Drops file in System32 directory
                                                              PID:2040
                                                              • C:\Windows\SysWOW64\Lkiqbl32.exe
                                                                C:\Windows\system32\Lkiqbl32.exe
                                                                31⤵
                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                • Executes dropped EXE
                                                                • Modifies registry class
                                                                PID:4264
                                                                • C:\Windows\SysWOW64\Lilanioo.exe
                                                                  C:\Windows\system32\Lilanioo.exe
                                                                  32⤵
                                                                  • Executes dropped EXE
                                                                  • Drops file in System32 directory
                                                                  • Modifies registry class
                                                                  PID:3868
                                                                  • C:\Windows\SysWOW64\Laciofpa.exe
                                                                    C:\Windows\system32\Laciofpa.exe
                                                                    33⤵
                                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                                    • Executes dropped EXE
                                                                    • Drops file in System32 directory
                                                                    • Modifies registry class
                                                                    PID:32
                                                                    • C:\Windows\SysWOW64\Lpfijcfl.exe
                                                                      C:\Windows\system32\Lpfijcfl.exe
                                                                      34⤵
                                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                                      • Executes dropped EXE
                                                                      • Modifies registry class
                                                                      PID:2020
                                                                      • C:\Windows\SysWOW64\Lcdegnep.exe
                                                                        C:\Windows\system32\Lcdegnep.exe
                                                                        35⤵
                                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                                        • Executes dropped EXE
                                                                        • Drops file in System32 directory
                                                                        PID:4380
                                                                        • C:\Windows\SysWOW64\Lgpagm32.exe
                                                                          C:\Windows\system32\Lgpagm32.exe
                                                                          36⤵
                                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                                          • Executes dropped EXE
                                                                          • Modifies registry class
                                                                          PID:4716
                                                                          • C:\Windows\SysWOW64\Ljnnch32.exe
                                                                            C:\Windows\system32\Ljnnch32.exe
                                                                            37⤵
                                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                                            • Executes dropped EXE
                                                                            • Drops file in System32 directory
                                                                            PID:1928
                                                                            • C:\Windows\SysWOW64\Lnjjdgee.exe
                                                                              C:\Windows\system32\Lnjjdgee.exe
                                                                              38⤵
                                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                                              • Executes dropped EXE
                                                                              • Drops file in System32 directory
                                                                              PID:1328
                                                                              • C:\Windows\SysWOW64\Lphfpbdi.exe
                                                                                C:\Windows\system32\Lphfpbdi.exe
                                                                                39⤵
                                                                                • Executes dropped EXE
                                                                                PID:3084
                                                                                • C:\Windows\SysWOW64\Lcgblncm.exe
                                                                                  C:\Windows\system32\Lcgblncm.exe
                                                                                  40⤵
                                                                                  • Executes dropped EXE
                                                                                  • Drops file in System32 directory
                                                                                  PID:3020
                                                                                  • C:\Windows\SysWOW64\Lknjmkdo.exe
                                                                                    C:\Windows\system32\Lknjmkdo.exe
                                                                                    41⤵
                                                                                    • Executes dropped EXE
                                                                                    • Drops file in System32 directory
                                                                                    • Modifies registry class
                                                                                    PID:3492
                                                                                    • C:\Windows\SysWOW64\Mnlfigcc.exe
                                                                                      C:\Windows\system32\Mnlfigcc.exe
                                                                                      42⤵
                                                                                      • Executes dropped EXE
                                                                                      • Drops file in System32 directory
                                                                                      • Modifies registry class
                                                                                      PID:4032
                                                                                      • C:\Windows\SysWOW64\Mpkbebbf.exe
                                                                                        C:\Windows\system32\Mpkbebbf.exe
                                                                                        43⤵
                                                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                        • Executes dropped EXE
                                                                                        • Drops file in System32 directory
                                                                                        PID:4720
                                                                                        • C:\Windows\SysWOW64\Mdfofakp.exe
                                                                                          C:\Windows\system32\Mdfofakp.exe
                                                                                          44⤵
                                                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                          • Executes dropped EXE
                                                                                          • Drops file in System32 directory
                                                                                          • Modifies registry class
                                                                                          PID:1668
                                                                                          • C:\Windows\SysWOW64\Mgekbljc.exe
                                                                                            C:\Windows\system32\Mgekbljc.exe
                                                                                            45⤵
                                                                                            • Executes dropped EXE
                                                                                            • Drops file in System32 directory
                                                                                            • Modifies registry class
                                                                                            PID:1904
                                                                                            • C:\Windows\SysWOW64\Mjcgohig.exe
                                                                                              C:\Windows\system32\Mjcgohig.exe
                                                                                              46⤵
                                                                                              • Executes dropped EXE
                                                                                              • Modifies registry class
                                                                                              PID:1624
                                                                                              • C:\Windows\SysWOW64\Majopeii.exe
                                                                                                C:\Windows\system32\Majopeii.exe
                                                                                                47⤵
                                                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                • Executes dropped EXE
                                                                                                • Drops file in System32 directory
                                                                                                • Modifies registry class
                                                                                                PID:1728
                                                                                                • C:\Windows\SysWOW64\Mdiklqhm.exe
                                                                                                  C:\Windows\system32\Mdiklqhm.exe
                                                                                                  48⤵
                                                                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                  • Executes dropped EXE
                                                                                                  • Drops file in System32 directory
                                                                                                  • Modifies registry class
                                                                                                  PID:556
                                                                                                  • C:\Windows\SysWOW64\Mgghhlhq.exe
                                                                                                    C:\Windows\system32\Mgghhlhq.exe
                                                                                                    49⤵
                                                                                                    • Executes dropped EXE
                                                                                                    • Drops file in System32 directory
                                                                                                    • Modifies registry class
                                                                                                    PID:1360
                                                                                                    • C:\Windows\SysWOW64\Mjeddggd.exe
                                                                                                      C:\Windows\system32\Mjeddggd.exe
                                                                                                      50⤵
                                                                                                      • Executes dropped EXE
                                                                                                      PID:1960
                                                                                                      • C:\Windows\SysWOW64\Mamleegg.exe
                                                                                                        C:\Windows\system32\Mamleegg.exe
                                                                                                        51⤵
                                                                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                        • Executes dropped EXE
                                                                                                        • Modifies registry class
                                                                                                        PID:776
                                                                                                        • C:\Windows\SysWOW64\Mdkhapfj.exe
                                                                                                          C:\Windows\system32\Mdkhapfj.exe
                                                                                                          52⤵
                                                                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                          • Executes dropped EXE
                                                                                                          • Drops file in System32 directory
                                                                                                          PID:920
                                                                                                          • C:\Windows\SysWOW64\Mgidml32.exe
                                                                                                            C:\Windows\system32\Mgidml32.exe
                                                                                                            53⤵
                                                                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                            • Executes dropped EXE
                                                                                                            • Drops file in System32 directory
                                                                                                            • Modifies registry class
                                                                                                            PID:5100
                                                                                                            • C:\Windows\SysWOW64\Mkepnjng.exe
                                                                                                              C:\Windows\system32\Mkepnjng.exe
                                                                                                              54⤵
                                                                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                              • Executes dropped EXE
                                                                                                              • Drops file in System32 directory
                                                                                                              • Modifies registry class
                                                                                                              PID:1916
                                                                                                              • C:\Windows\SysWOW64\Mncmjfmk.exe
                                                                                                                C:\Windows\system32\Mncmjfmk.exe
                                                                                                                55⤵
                                                                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                • Executes dropped EXE
                                                                                                                • Drops file in System32 directory
                                                                                                                • Modifies registry class
                                                                                                                PID:5092
                                                                                                                • C:\Windows\SysWOW64\Mpaifalo.exe
                                                                                                                  C:\Windows\system32\Mpaifalo.exe
                                                                                                                  56⤵
                                                                                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                  • Executes dropped EXE
                                                                                                                  PID:3348
                                                                                                                  • C:\Windows\SysWOW64\Mcpebmkb.exe
                                                                                                                    C:\Windows\system32\Mcpebmkb.exe
                                                                                                                    57⤵
                                                                                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                    • Executes dropped EXE
                                                                                                                    PID:4880
                                                                                                                    • C:\Windows\SysWOW64\Mkgmcjld.exe
                                                                                                                      C:\Windows\system32\Mkgmcjld.exe
                                                                                                                      58⤵
                                                                                                                      • Executes dropped EXE
                                                                                                                      PID:412
                                                                                                                      • C:\Windows\SysWOW64\Mjjmog32.exe
                                                                                                                        C:\Windows\system32\Mjjmog32.exe
                                                                                                                        59⤵
                                                                                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                        • Executes dropped EXE
                                                                                                                        • Drops file in System32 directory
                                                                                                                        • Modifies registry class
                                                                                                                        PID:1244
                                                                                                                        • C:\Windows\SysWOW64\Maaepd32.exe
                                                                                                                          C:\Windows\system32\Maaepd32.exe
                                                                                                                          60⤵
                                                                                                                          • Executes dropped EXE
                                                                                                                          • Drops file in System32 directory
                                                                                                                          PID:4884
                                                                                                                          • C:\Windows\SysWOW64\Mdpalp32.exe
                                                                                                                            C:\Windows\system32\Mdpalp32.exe
                                                                                                                            61⤵
                                                                                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                            • Executes dropped EXE
                                                                                                                            • Drops file in System32 directory
                                                                                                                            • Modifies registry class
                                                                                                                            PID:2276
                                                                                                                            • C:\Windows\SysWOW64\Mcbahlip.exe
                                                                                                                              C:\Windows\system32\Mcbahlip.exe
                                                                                                                              62⤵
                                                                                                                              • Executes dropped EXE
                                                                                                                              • Drops file in System32 directory
                                                                                                                              • Modifies registry class
                                                                                                                              PID:3572
                                                                                                                              • C:\Windows\SysWOW64\Nkjjij32.exe
                                                                                                                                C:\Windows\system32\Nkjjij32.exe
                                                                                                                                63⤵
                                                                                                                                • Executes dropped EXE
                                                                                                                                PID:1504
                                                                                                                                • C:\Windows\SysWOW64\Nnhfee32.exe
                                                                                                                                  C:\Windows\system32\Nnhfee32.exe
                                                                                                                                  64⤵
                                                                                                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                  • Executes dropped EXE
                                                                                                                                  PID:1112
                                                                                                                                  • C:\Windows\SysWOW64\Nqfbaq32.exe
                                                                                                                                    C:\Windows\system32\Nqfbaq32.exe
                                                                                                                                    65⤵
                                                                                                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                    • Executes dropped EXE
                                                                                                                                    • Drops file in System32 directory
                                                                                                                                    • Modifies registry class
                                                                                                                                    PID:3508
                                                                                                                                    • C:\Windows\SysWOW64\Ndbnboqb.exe
                                                                                                                                      C:\Windows\system32\Ndbnboqb.exe
                                                                                                                                      66⤵
                                                                                                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                      PID:1456
                                                                                                                                      • C:\Windows\SysWOW64\Ngpjnkpf.exe
                                                                                                                                        C:\Windows\system32\Ngpjnkpf.exe
                                                                                                                                        67⤵
                                                                                                                                          PID:904
                                                                                                                                          • C:\Windows\SysWOW64\Njogjfoj.exe
                                                                                                                                            C:\Windows\system32\Njogjfoj.exe
                                                                                                                                            68⤵
                                                                                                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                            • Drops file in System32 directory
                                                                                                                                            • Modifies registry class
                                                                                                                                            PID:4984
                                                                                                                                            • C:\Windows\SysWOW64\Nnjbke32.exe
                                                                                                                                              C:\Windows\system32\Nnjbke32.exe
                                                                                                                                              69⤵
                                                                                                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                              • Drops file in System32 directory
                                                                                                                                              • Modifies registry class
                                                                                                                                              PID:3732
                                                                                                                                              • C:\Windows\SysWOW64\Nqiogp32.exe
                                                                                                                                                C:\Windows\system32\Nqiogp32.exe
                                                                                                                                                70⤵
                                                                                                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                • Drops file in System32 directory
                                                                                                                                                • Modifies registry class
                                                                                                                                                PID:1912
                                                                                                                                                • C:\Windows\SysWOW64\Ncgkcl32.exe
                                                                                                                                                  C:\Windows\system32\Ncgkcl32.exe
                                                                                                                                                  71⤵
                                                                                                                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                  PID:1772
                                                                                                                                                  • C:\Windows\SysWOW64\Ngcgcjnc.exe
                                                                                                                                                    C:\Windows\system32\Ngcgcjnc.exe
                                                                                                                                                    72⤵
                                                                                                                                                    • Drops file in System32 directory
                                                                                                                                                    • Modifies registry class
                                                                                                                                                    PID:4988
                                                                                                                                                    • C:\Windows\SysWOW64\Njacpf32.exe
                                                                                                                                                      C:\Windows\system32\Njacpf32.exe
                                                                                                                                                      73⤵
                                                                                                                                                      • Drops file in System32 directory
                                                                                                                                                      • Modifies registry class
                                                                                                                                                      PID:4444
                                                                                                                                                      • C:\Windows\SysWOW64\Nbhkac32.exe
                                                                                                                                                        C:\Windows\system32\Nbhkac32.exe
                                                                                                                                                        74⤵
                                                                                                                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                        • Drops file in System32 directory
                                                                                                                                                        • Modifies registry class
                                                                                                                                                        PID:3196
                                                                                                                                                        • C:\Windows\SysWOW64\Nqklmpdd.exe
                                                                                                                                                          C:\Windows\system32\Nqklmpdd.exe
                                                                                                                                                          75⤵
                                                                                                                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                          PID:1836
                                                                                                                                                          • C:\Windows\SysWOW64\Ncihikcg.exe
                                                                                                                                                            C:\Windows\system32\Ncihikcg.exe
                                                                                                                                                            76⤵
                                                                                                                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                            • Modifies registry class
                                                                                                                                                            PID:376
                                                                                                                                                            • C:\Windows\SysWOW64\Nkqpjidj.exe
                                                                                                                                                              C:\Windows\system32\Nkqpjidj.exe
                                                                                                                                                              77⤵
                                                                                                                                                              • Modifies registry class
                                                                                                                                                              PID:2004
                                                                                                                                                              • C:\Windows\SysWOW64\Njcpee32.exe
                                                                                                                                                                C:\Windows\system32\Njcpee32.exe
                                                                                                                                                                78⤵
                                                                                                                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                PID:520
                                                                                                                                                                • C:\Windows\SysWOW64\Nbkhfc32.exe
                                                                                                                                                                  C:\Windows\system32\Nbkhfc32.exe
                                                                                                                                                                  79⤵
                                                                                                                                                                  • Drops file in System32 directory
                                                                                                                                                                  PID:1604
                                                                                                                                                                  • C:\Windows\SysWOW64\Ndidbn32.exe
                                                                                                                                                                    C:\Windows\system32\Ndidbn32.exe
                                                                                                                                                                    80⤵
                                                                                                                                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                    • Modifies registry class
                                                                                                                                                                    PID:5132
                                                                                                                                                                    • C:\Windows\SysWOW64\Nggqoj32.exe
                                                                                                                                                                      C:\Windows\system32\Nggqoj32.exe
                                                                                                                                                                      81⤵
                                                                                                                                                                      • Drops file in System32 directory
                                                                                                                                                                      • Modifies registry class
                                                                                                                                                                      PID:5168
                                                                                                                                                                      • C:\Windows\SysWOW64\Nkcmohbg.exe
                                                                                                                                                                        C:\Windows\system32\Nkcmohbg.exe
                                                                                                                                                                        82⤵
                                                                                                                                                                          PID:5204
                                                                                                                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                            C:\Windows\SysWOW64\WerFault.exe -u -p 5204 -s 412
                                                                                                                                                                            83⤵
                                                                                                                                                                            • Program crash
                                                                                                                                                                            PID:5292
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5204 -ip 5204
        1⤵
          PID:5268

        Network

              MITRE ATT&CK Enterprise v15

              Downloads

              • C:\Windows\SysWOW64\Iabgaklg.exe

                Filesize

                1.2MB

              • C:\Windows\SysWOW64\Ibojncfj.exe

                Filesize

                1.2MB

              • C:\Windows\SysWOW64\Idacmfkj.exe

                Filesize

                1.2MB

                MD5

                22c7163ec1ba27e8e28de11077f45bee

                SHA1

                bfec0b59fdd6db7398bd2614d1163a3c7625d5a8

                SHA256

                d66184974957baa7aed82ef60ffcb8290ef4db153950c9966cdafaf14f745e66

                SHA512

                d7aacd815111a756ae9ca3fd680fa526d0b558ed7fc937ea98df23b7fbde828e976402b4d8ac5c308966eab589a320bd5290e62c56a765c06f61a6f9ae84e2c4

              • C:\Windows\SysWOW64\Iiibkn32.exe

                Filesize

                1.2MB

                MD5

                2131dd8db446f9bfce85a6217906f26c

                SHA1

                25f33173ac8c06887bd1eb3e0a8c6654051ff627

                SHA256

                c99361081340911884c53aac38a3280d1cb1efa564eaa84d39ce1348d5f5c2ad

                SHA512

                9bffdec6513007283aee33cf4c483af61ad41a2e9ef5f66c2479fff32b7ba7e155d9b0364f42d02a22fab4470ace93664275c032b79a6515d4064cd4b3a8fd8c

              • C:\Windows\SysWOW64\Jangmibi.exe

                Filesize

                1.2MB

                MD5

                9f0219fd1e94dea60d841904bd5c09c5

                SHA1

                eae300bd046f6b23efee1eeab24c07ce3a7bb411

                SHA256

                1cd06f644e76e967bfef96ea4d1bcb9f698f6bd2a238e860155702bb61466429

                SHA512

                ea8c121f305fac59f8ba78c4dbfa2c18c3e7cff85a0c5928cd0a5791403fd4f560267d696c5e74a6de3b3f1a48f3056e49a4a57f80d53bbc4284fc3056678d65

              • C:\Windows\SysWOW64\Jbkjjblm.exe

                Filesize

                1.2MB

                MD5

                4bc80a956ffb06812297f0a74c9a352a

                SHA1

                beffdafdab3a6502551fa15fa19c71c15904460d

                SHA256

                7a9f5582630859232c37c7610737e3468cdf9a35845c7bd336bf6e74578eb509

                SHA512

                5dc921422af5e3891a780362bb8000845b474cdf1abb86e29e7f711e84e0913f2d4bbce134f4505cd8879041117f7275b26106ce01ccb5dcf388b8150e74d9b9

              • C:\Windows\SysWOW64\Jpjqhgol.exe

                Filesize

                1.2MB

                MD5

                44f1829b9176127df994df0bc1809272

                SHA1

                c83328e7e0c7dea4b675e8d024b4f6b1803b5860

                SHA256

                4c8ad83c832d06f42e4969b52092764f98374f822b89b00ef30f3626b9618730

                SHA512

                de0c7bd9ec519ded5eab3094e4c1663f370e52a1a6828a01086498ff9362461af903957a289d9f61461d0b45b374299f93c9b90102d5783c32c649f6a4f56433

              • C:\Windows\SysWOW64\Kagichjo.exe

                Filesize

                1.2MB

                MD5

                a108eb9795e9a4a68b3459d82601142b

                SHA1

                ca31146744d70c02d244ccdd31b2f107e158aed2

                SHA256

                cd4dd3f83af5e05a88ba126657ba9f0e7baa314ae5eaf4fb8d517a3827b942e3

                SHA512

                67315378e61dbb9592f0fe451e47f9916b01d11a3b56dab2c7ccb69b3516661050d9293387bd08009b6ef05d941e39195aeb88f9f030a0f04062db15f713de5f

              • C:\Windows\SysWOW64\Kajfig32.exe

                Filesize

                1.2MB

                MD5

                cc8c2851aaa80781eeed8e0f0e6a462d

                SHA1

                27d52c254fc85705d17c2ef78d3e420e1b0752dc

                SHA256

                8f840079c61073b78c892ed1d2e419cee1a5d1e3463ae11e346dae58eb8be290

                SHA512

                dd1fde498e2361e0ada821b6d7db3493f8c7e10ef0d4c9a477607b5172d4400095c91f4a5497a8b8b4641ba5b8346bee330e91cfc99342ca7f0377e08d9017d7

              • C:\Windows\SysWOW64\Kdopod32.exe

                Filesize

                1.2MB

                MD5

                43a26432b404200b70663cd60bfe69fa

                SHA1

                0efd4dde155bfe2aa36ba402bfd70413b0d29c97

                SHA256

                4a818e74ff90708608f8ef94523112cb970a5807a85cdc761f753407ee26a533

                SHA512

                f73cc2fd8bd757142ed058c95daeb1fecb0b42da53bc108a30411e460e039245f2f4098a115b66de6c44d5be4cd6ae63fd5c945bef0cc3ad553abd4cd8f31834

              • C:\Windows\SysWOW64\Kgfoan32.exe

                Filesize

                1.2MB

                MD5

                d7388ec5642a737eeb6008cac5876bda

                SHA1

                e51921ab47a075f33cead84606468a3193d2616e

                SHA256

                f9ea040f68c2d239f8ceffd8392b155eb1ebae2f80fa3ded88e059f8af5eafe9

                SHA512

                cc9d4518aa4fdf9764e48e8445f3cae843b0f3efe536c67f5ae206dccbede10641bf0b352709e72181118da89911218945d4d608ed81a534e3d3e988704a8b98

              • C:\Windows\SysWOW64\Kibnhjgj.exe

                Filesize

                1.2MB

                MD5

                39004f972eacc4d0d03d098a08b658a0

                SHA1

                ba2646337087e02342f25df70ee09386ee44cdbc

                SHA256

                e6c2630817ae7f06fc9567f4d917891dfa9d3971794e235ad165dc95bc9b759d

                SHA512

                da4eca0e5e9e582828e0fd513e9e97daadd1e9812b0b564f18d3162bd6c1cd40707e8dd92c285ecbb979a34462d838b5746026e095309e377904caec32e23b14

              • C:\Windows\SysWOW64\Kmgdgjek.exe

                Filesize

                1.2MB

                MD5

                d3e5562cd69909e87c243d15b450d1a2

                SHA1

                ed0515ae0dbe3e6b23af9841b17ed805f51b6830

                SHA256

                ef5b48557027198a236f788246a9a0cce01fe6c1f97a13e6bb096a2bb784a777

                SHA512

                3889cde8b09044cbea9c59ef016c9384d795a64970876b320f3703ee6b390e17e38fe2e2dc0414b263bff43d1a6da4bad2c93f62265005bece4a905f6dca57d7

              • C:\Windows\SysWOW64\Kpepcedo.exe

                Filesize

                1.2MB

                MD5

                7eda82a1d83a696c18a09141b12ffc31

                SHA1

                f6d64eee6d811b285cf604f1666c9dd4d35a6dbd

                SHA256

                8ba1fdb8c2f5e420845b6501b1717c694bda294f4a2e6dbcf93e933e121eb40c

                SHA512

                681f0e28ca30f72dea0a08df691d6259b960ea456393a3a0b59b96cda772b2c523fa81051ee95e4b64bbc22d065c441eeaf51cdfaf237be82dfa12fe36c20c09

              • C:\Windows\SysWOW64\Kpmfddnf.exe

                Filesize

                1.2MB

                MD5

                1a27602efe1c90035b668ac07ba742a9

                SHA1

                6e0ffccb6ea918890134db302f00a117cc2ca2a9

                SHA256

                955e105d2cb88266e421e306bc844e372fe62a28c6ef5ebcfd92a724bfbfbc92

                SHA512

                bae3a6eb3b4c53e5caa8d8629d7e63a4e238ae5c52d38a6aa8dc003a98b947501c87dde2daebdcf113e846311a99d7b9cd7a2f57e620fc84db20509d7f86eff3

              • C:\Windows\SysWOW64\Laalifad.exe

                Filesize

                1.2MB

                MD5

                1d4dd553b10e10c3be53bb70ed37651f

                SHA1

                03104140f2fabbc62f731eb622bbdd373318ed13

                SHA256

                69c49397eaf6c75754ebdeefb9a590774e0a1a2cd49804549759852d555c2e27

                SHA512

                59eec93cf0584ae078c40f4632acfa21fe51c0212fa36b015d7fe09bb1f9cd283a0b22c1b09a6ef2e9a4ecaa8169bc2ee48eebc30c970e675105dd8173900280

              • C:\Windows\SysWOW64\Laciofpa.exe

                Filesize

                1.2MB

                MD5

                c737f2728d52b4611547a258149d81dd

                SHA1

                9a1fb4fb46fa99e78ee3ff50ec8e74d291397590

                SHA256

                39b07dd66b31314c4db37be691b915cd6c432bb9757f6796ecec2b22252e4b32

                SHA512

                1c49f535e03af50cf2a6bc43e1d21148386d86540069e1703197f842d7f49c4b5b61fc0986e4ccdee07ec57200c2c0fbd327dbc6e2bf15c0f96e66797b76c5cb

              • C:\Windows\SysWOW64\Lalcng32.exe

                Filesize

                1.2MB

                MD5

                bfbb59cc836f4d5c2accf6d47d42ba6e

                SHA1

                bde6bda2dcaba4c24a20da5fe0157de94fdbd28f

                SHA256

                dbe63edd77d377f3f743950092c584bd551747044c7665e3b7dfce2ef3075b82

                SHA512

                33347a50015c2c712ade0d4f85c849287c010c98a045b9e75eb9dff8e0c9c7d218195478c1abb679f838acdbab90003984cb36a9541f401d889676d5c9bf8f30

              • C:\Windows\SysWOW64\Lcbiao32.exe

                Filesize

                1.2MB

                MD5

                161f44d656e1a916ab75d400bf167344

                SHA1

                4194d0b15d99783c79b3184309a9fc253bcfea7f

                SHA256

                f3c9bc156f4231631effeb0c1b57a2e413dd112615ad2de4cd4190afeaf29182

                SHA512

                7bb4e21d8f43f366f95ddefff208247d49fc44f8108734ab04e15f8bababeb18cc6ae1f6719863536a95e84251b9031077596251036a2e611fd19bd486710696

              • C:\Windows\SysWOW64\Lcmofolg.exe

                Filesize

                1.2MB

                MD5

                d9665ef1de2f5ac8fa8e3d23ac544f1d

                SHA1

                f37dd76409dd09a93335d74b2c778a7bb1196e82

                SHA256

                976cbbe762e71b5c05c5c07c59ffc2ed0de6dc67dc958ea938b5518fdcd22622

                SHA512

                a2fbb89d9c042580dc16ce208007984e86064da0ca2873c92ad6331fe465331baff4a08175c0c63d79b0bf89d2e17239f0e03c51dd56e3fc3a3b68e3a12706ff

              • C:\Windows\SysWOW64\Ldmlpbbj.exe

                Filesize

                1.2MB

                MD5

                8c076bc8261566eb15327213209ea3de

                SHA1

                c44c9dcd2153295fc9a42333a892806e9421bf27

                SHA256

                bf12d38f344f8942094ceb1ec5a3fff188354505954409c1e24637d3e685f5aa

                SHA512

                f825677fcf3043d52b1cdf155501b47aa1f2255073d080c5f4bc26cd79ed530ee6ab52e648f66188f09ee11cf75d7113cb4e953419d29f1c251612ec064f39f1

              • C:\Windows\SysWOW64\Ldohebqh.exe

                Filesize

                1.2MB

                MD5

                bfef6e7f178962e7001b150cbd1a59e8

                SHA1

                f1aa83bb56e46f08ca0ca63c80ab5c8553c285f9

                SHA256

                4d37d1a4cb6459157e8cc45597b4e952dfcd3be85daf887cbb23c497be64e2c9

                SHA512

                63d8bef390d3ba9dac710bfa5b2b97927a5baa05908c8cd622db5d71d07fbea97c2886dd3b3a5f8e323afacab2eb2237451d91916eb6fd4098cc1c09b8684781

              • C:\Windows\SysWOW64\Lgkhlnbn.exe

                Filesize

                1.2MB

                MD5

                e5f8a63fc5fce2d550ec69c8b424e2e4

                SHA1

                75b3798bff1fccc08bc8d04d485726046cc5c274

                SHA256

                1c9768408d80b46b86a5acb90aa4858d9c5a2d0b52f8e4318c6b6127332bec4d

                SHA512

                38d1f801ef7fff820a29b8b79dd60db682909f3e76fd305a46367822a9dc1b5cf148f3fdda992ac00bfe208b57b0b5f9f1aed2368e354616f57d89305f008fa3

              • C:\Windows\SysWOW64\Liekmj32.exe

                Filesize

                1.2MB

                MD5

                fe0092d0c97b0b1723c64ede465f84d4

                SHA1

                19c6e4a20085b1b6e19429681ff8e3835b45b2a7

                SHA256

                1b1cabdf4b6c41feabfb9d6f0f5faefc2e35010fc3059cbb7d747ba8092f3ea2

                SHA512

                47912a778df323a59ed4c5d09a929982c3dd160bddb702b4cb83cdb2787e5c7e93ff0f6014b329038a20d2d7eefb6351e3c48c9ae8d24a4da76d5233bc1591ad

              • C:\Windows\SysWOW64\Liggbi32.exe

                Filesize

                1.2MB

                MD5

                85bad5425db850992b5e3b02c11fccd4

                SHA1

                87d67a52628ca177f3e61335bc85318b6c5c3aa3

                SHA256

                7638df6e157f299ba15d43cddcc2e07cb87240f6691af300086f443d891a8f9b

                SHA512

                cb5906530f15304a6a0aa0d2815e640b965dfaaf9d6ed317faaf6fd9fafad3eb767da291340cc19e8d9f31b48c814fabe7910a778d1047e44d4261d78f961533

              • C:\Windows\SysWOW64\Lilanioo.exe

                Filesize

                1.2MB

                MD5

                9c942478d41aaae0221a39f6d01476f5

                SHA1

                5e30e4ee252008ba26786fe2787e766f287bcc2d

                SHA256

                cb50ce2c63484f2adfb30dce09b50c55c331eca409d31e8bae92d48d9971d858

                SHA512

                79601377669bbeee81545d87521392c1c3feb68a95c855adaf68ccc8ae08eeffbe517c7efea8084032c6287d24ea4f00a3c7852df203839727da05a51a83d3bd

              • C:\Windows\SysWOW64\Lkgdml32.exe

                Filesize

                1.2MB

                MD5

                996bc6a675657f59bccc3d9ae1efa8e6

                SHA1

                337fe7a9482d808d28c4d17333b48ac1857b3fd7

                SHA256

                2939a1265b35b6e59bdad849925626e6b1684c3f6c3eda44eddf86560a110f3d

                SHA512

                7289d327eb808e81d050dd926afca04bfa585aaee1c17a8b8bee42ae821cfa0159daa91735b22f6931ed48a01d3913dd1c7479f3716e47a90ca6b710c7d27e7e

              • C:\Windows\SysWOW64\Lkiqbl32.exe

                Filesize

                1.2MB

                MD5

                7a86e06ac5a93e43ccfc161c0dd5e53a

                SHA1

                8694544eae60f15efc8c1a6ed47680e1383e406b

                SHA256

                deab1a48999151e370876fcc0d62bdc0d4e84e3eaf5b978790e6aabb7d3a2d20

                SHA512

                b8923a943d8a14a9d8592e748ae3b74e899b4895d85186bcc807dbb0f79e779983713d69f951298a949a44f114781c36524fa4215d4bc737fb50dc6ca6d2927f

              • C:\Windows\SysWOW64\Lmccchkn.exe

                Filesize

                1.2MB

                MD5

                6052cffbe31667cfcc1c2216905e362e

                SHA1

                859373439eac23d11e201b7466b6e91bb776b1dc

                SHA256

                40618376f784edc63537613332fa21d86b665bbe408c51adce84270e96f0e872

                SHA512

                ffc2148ec9710010bd05fc78dbc5714236d1c94bf0887ccb019c4f7d4378e780a8e37bdccae06a4e01b802b5e6bc042a74473a3a1d9adc7339a6a1962f5daf22

              • C:\Windows\SysWOW64\Lnepih32.exe

                Filesize

                1.2MB

                MD5

                661628f5c0416edb47fafec06ec3108c

                SHA1

                9af420a81b631caabc28fbbc70b861c1c3b3765b

                SHA256

                f0266037b86241df81432300920aa91e453c1a6bfdcd4abb8aafe3957fb360ef

                SHA512

                078485068d04c3294bba086e6fea78934c9218d078f192ba0f04783f696d9a94f9726e84644e4ddd2aea2a47d1eed6dc0e79576efad89d29affc558dd3679401

              • C:\Windows\SysWOW64\Lpappc32.exe

                Filesize

                1.2MB

                MD5

                56c2e3c588a08c12efbdbf453322a269

                SHA1

                c65a8b3f56cb11b2ec188522b2c03df6d788a4db

                SHA256

                da7268b1aee9b0964462f4a00381f356c8fe5a15c8d747660b4e557fa2bf4ab0

                SHA512

                8375163f39c1106887ec19ae7a8543642b210098e693ae5a44941e9bf6840394b39ba3949595b4682fddfa72afd28c960d7f7f614038272e61259722e578e3e6

              • C:\Windows\SysWOW64\Lpocjdld.exe

                Filesize

                1.2MB

                MD5

                6a2cb24896aae3a7240e44cb1f664448

                SHA1

                859024968c567dcf11cd386f451e0df82eda488e

                SHA256

                b267bbf3d8a3a20c340be3712da439e87c1885c01962d7119b314b97f759e24b

                SHA512

                ee9ded0b27d651bb1af4e58ada592e02bd988c6c522c02f45e9a7065a3fe3979050b1a54ab2bc82521849fa3e8ded0b0caa488ea395dc947bcc619269ac99c48

              • C:\Windows\SysWOW64\Ndninjfg.dll

                Filesize

                7KB

                MD5

                0e1a4fe68dc9168f7c2bb7b73e80ab7c

                SHA1

                e57c7746fb66670a2b4e560ef9e95af078adb1ad

                SHA256

                42deae5cd87088ae540eeaf5dc56de68f79af8293f7a513fd736a21634c9f5d4

                SHA512

                f2b0acec2b70beb0c70934fd6c3279719e78b4235361e4346ad1a6c8ccd51773bf1ce556dd92d777a3603fd3113267b3f23e661f31851336d6df530033cb5403
