Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20240426-en locale:en-us os:windows10-2004-x64 system
  • submitted
    21-05-2024 13:11

General

  • Target

    525a74bc977b863c3c6c9beea3458b8cb5113ec572a00c527818643d2d1fc7e3_NeikiAnalytics.exe

  • Size

    199KB

  • MD5

    d6d77ed2b00e5ed270c4ce5afcbec890

  • SHA1

    688a9605b271c860807b8430219a0bf7ef2c134a

  • SHA256

    525a74bc977b863c3c6c9beea3458b8cb5113ec572a00c527818643d2d1fc7e3

  • SHA512

    ba40b05a1849320d61a36efc11a3a758e92841841068b75c1231bb3e870a3fc93637eff1c188018cafeb51e4beeb07ab13eb185b115fc4f76e0c2d6148496426

  • SSDEEP

    6144:///aBRnk9WBEUSZSCZj81+jq4peBK034YOmFz1h:H/iYE+ZSCG1+jheBbOmFxh

Malware Config

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
  • Malware Dropper & Backdoor - Berbew (35 IoCs)

    Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

  • Executes dropped EXE (64 IoCs)
  • Drops file in System32 directory (64 IoCs)
  • Program crash (1 IoC)
  • Modifies registry class (64 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\525a74bc977b863c3c6c9beea3458b8cb5113ec572a00c527818643d2d1fc7e3_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\525a74bc977b863c3c6c9beea3458b8cb5113ec572a00c527818643d2d1fc7e3_NeikiAnalytics.exe"
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4800
    • C:\Windows\SysWOW64\Jdemhe32.exe
      C:\Windows\system32\Jdemhe32.exe
      2⤵
      • Adds autorun key to be loaded by Explorer.exe on startup
      • Executes dropped EXE
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1372
      • C:\Windows\SysWOW64\Jibeql32.exe
        C:\Windows\system32\Jibeql32.exe
        3⤵
        • Adds autorun key to be loaded by Explorer.exe on startup
        • Executes dropped EXE
        • Drops file in System32 directory
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:3900
        • C:\Windows\SysWOW64\Jaimbj32.exe
          C:\Windows\system32\Jaimbj32.exe
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:3584
          • C:\Windows\SysWOW64\Jdhine32.exe
            C:\Windows\system32\Jdhine32.exe
            5⤵
            • Executes dropped EXE
            • Drops file in System32 directory
            • Modifies registry class
            • Suspicious use of WriteProcessMemory
            PID:4616
            • C:\Windows\SysWOW64\Jbkjjblm.exe
              C:\Windows\system32\Jbkjjblm.exe
              6⤵
              • Adds autorun key to be loaded by Explorer.exe on startup
              • Executes dropped EXE
              • Drops file in System32 directory
              • Modifies registry class
              • Suspicious use of WriteProcessMemory
              PID:3764
              • C:\Windows\SysWOW64\Jpojcf32.exe
                C:\Windows\system32\Jpojcf32.exe
                7⤵
                • Executes dropped EXE
                • Drops file in System32 directory
                • Modifies registry class
                • Suspicious use of WriteProcessMemory
                PID:560
                • C:\Windows\SysWOW64\Jbmfoa32.exe
                  C:\Windows\system32\Jbmfoa32.exe
                  8⤵
                  • Executes dropped EXE
                  • Suspicious use of WriteProcessMemory
                  PID:1780
                  • C:\Windows\SysWOW64\Jmbklj32.exe
                    C:\Windows\system32\Jmbklj32.exe
                    9⤵
                    • Adds autorun key to be loaded by Explorer.exe on startup
                    • Executes dropped EXE
                    • Drops file in System32 directory
                    • Modifies registry class
                    • Suspicious use of WriteProcessMemory
                    PID:4568
                    • C:\Windows\SysWOW64\Jpaghf32.exe
                      C:\Windows\system32\Jpaghf32.exe
                      10⤵
                      • Executes dropped EXE
                      • Suspicious use of WriteProcessMemory
                      PID:1044
                      • C:\Windows\SysWOW64\Jbocea32.exe
                        C:\Windows\system32\Jbocea32.exe
                        11⤵
                        • Adds autorun key to be loaded by Explorer.exe on startup
                        • Executes dropped EXE
                        • Drops file in System32 directory
                        • Modifies registry class
                        • Suspicious use of WriteProcessMemory
                        PID:2580
                        • C:\Windows\SysWOW64\Jkfkfohj.exe
                          C:\Windows\system32\Jkfkfohj.exe
                          12⤵
                          • Executes dropped EXE
                          • Drops file in System32 directory
                          • Modifies registry class
                          • Suspicious use of WriteProcessMemory
                          PID:3004
                          • C:\Windows\SysWOW64\Kmegbjgn.exe
                            C:\Windows\system32\Kmegbjgn.exe
                            13⤵
                            • Executes dropped EXE
                            • Modifies registry class
                            • Suspicious use of WriteProcessMemory
                            PID:5000
                            • C:\Windows\SysWOW64\Kbapjafe.exe
                              C:\Windows\system32\Kbapjafe.exe
                              14⤵
                              • Executes dropped EXE
                              • Suspicious use of WriteProcessMemory
                              PID:1560
                              • C:\Windows\SysWOW64\Kilhgk32.exe
                                C:\Windows\system32\Kilhgk32.exe
                                15⤵
                                • Adds autorun key to be loaded by Explorer.exe on startup
                                • Executes dropped EXE
                                • Modifies registry class
                                • Suspicious use of WriteProcessMemory
                                PID:4132
                                • C:\Windows\SysWOW64\Kacphh32.exe
                                  C:\Windows\system32\Kacphh32.exe
                                  16⤵
                                  • Executes dropped EXE
                                  • Modifies registry class
                                  • Suspicious use of WriteProcessMemory
                                  PID:2860
                                  • C:\Windows\SysWOW64\Kbdmpqcb.exe
                                    C:\Windows\system32\Kbdmpqcb.exe
                                    17⤵
                                    • Executes dropped EXE
                                    • Drops file in System32 directory
                                    • Suspicious use of WriteProcessMemory
                                    PID:2144
                                    • C:\Windows\SysWOW64\Kmjqmi32.exe
                                      C:\Windows\system32\Kmjqmi32.exe
                                      18⤵
                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                      • Executes dropped EXE
                                      • Drops file in System32 directory
                                      • Modifies registry class
                                      • Suspicious use of WriteProcessMemory
                                      PID:1664
                                      • C:\Windows\SysWOW64\Kdcijcke.exe
                                        C:\Windows\system32\Kdcijcke.exe
                                        19⤵
                                        • Executes dropped EXE
                                        • Drops file in System32 directory
                                        • Modifies registry class
                                        • Suspicious use of WriteProcessMemory
                                        PID:1296
                                        • C:\Windows\SysWOW64\Kgbefoji.exe
                                          C:\Windows\system32\Kgbefoji.exe
                                          20⤵
                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                          • Executes dropped EXE
                                          • Drops file in System32 directory
                                          • Suspicious use of WriteProcessMemory
                                          PID:2024
                                          • C:\Windows\SysWOW64\Kmlnbi32.exe
                                            C:\Windows\system32\Kmlnbi32.exe
                                            21⤵
                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                            • Executes dropped EXE
                                            • Drops file in System32 directory
                                            • Suspicious use of WriteProcessMemory
                                            PID:1456
                                            • C:\Windows\SysWOW64\Kcifkp32.exe
                                              C:\Windows\system32\Kcifkp32.exe
                                              22⤵
                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                              • Executes dropped EXE
                                              • Modifies registry class
                                              • Suspicious use of WriteProcessMemory
                                              PID:2320
                                              • C:\Windows\SysWOW64\Kibnhjgj.exe
                                                C:\Windows\system32\Kibnhjgj.exe
                                                23⤵
                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                • Executes dropped EXE
                                                • Modifies registry class
                                                PID:1740
                                                • C:\Windows\SysWOW64\Kmnjhioc.exe
                                                  C:\Windows\system32\Kmnjhioc.exe
                                                  24⤵
                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                  • Executes dropped EXE
                                                  • Drops file in System32 directory
                                                  • Modifies registry class
                                                  PID:2880
                                                  • C:\Windows\SysWOW64\Kdhbec32.exe
                                                    C:\Windows\system32\Kdhbec32.exe
                                                    25⤵
                                                    • Executes dropped EXE
                                                    • Modifies registry class
                                                    PID:1284
                                                    • C:\Windows\SysWOW64\Kkbkamnl.exe
                                                      C:\Windows\system32\Kkbkamnl.exe
                                                      26⤵
                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                      • Executes dropped EXE
                                                      • Modifies registry class
                                                      PID:1624
                                                      • C:\Windows\SysWOW64\Lmqgnhmp.exe
                                                        C:\Windows\system32\Lmqgnhmp.exe
                                                        27⤵
                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                        • Executes dropped EXE
                                                        PID:3776
                                                        • C:\Windows\SysWOW64\Lcmofolg.exe
                                                          C:\Windows\system32\Lcmofolg.exe
                                                          28⤵
                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                          • Executes dropped EXE
                                                          • Modifies registry class
                                                          PID:2828
                                                          • C:\Windows\SysWOW64\Lgkhlnbn.exe
                                                            C:\Windows\system32\Lgkhlnbn.exe
                                                            29⤵
                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                            • Executes dropped EXE
                                                            • Drops file in System32 directory
                                                            • Modifies registry class
                                                            PID:2568
                                                            • C:\Windows\SysWOW64\Lkgdml32.exe
                                                              C:\Windows\system32\Lkgdml32.exe
                                                              30⤵
                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                              • Executes dropped EXE
                                                              • Modifies registry class
                                                              PID:2468
                                                              • C:\Windows\SysWOW64\Lpcmec32.exe
                                                                C:\Windows\system32\Lpcmec32.exe
                                                                31⤵
                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                • Executes dropped EXE
                                                                • Drops file in System32 directory
                                                                • Modifies registry class
                                                                PID:3592
                                                                • C:\Windows\SysWOW64\Lgneampk.exe
                                                                  C:\Windows\system32\Lgneampk.exe
                                                                  32⤵
                                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                                  • Executes dropped EXE
                                                                  • Drops file in System32 directory
                                                                  • Modifies registry class
                                                                  PID:1472
                                                                  • C:\Windows\SysWOW64\Laciofpa.exe
                                                                    C:\Windows\system32\Laciofpa.exe
                                                                    33⤵
                                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                                    • Executes dropped EXE
                                                                    • Drops file in System32 directory
                                                                    PID:2428
                                                                    • C:\Windows\SysWOW64\Ldaeka32.exe
                                                                      C:\Windows\system32\Ldaeka32.exe
                                                                      34⤵
                                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                                      • Executes dropped EXE
                                                                      • Drops file in System32 directory
                                                                      • Modifies registry class
                                                                      PID:448
                                                                      • C:\Windows\SysWOW64\Lklnhlfb.exe
                                                                        C:\Windows\system32\Lklnhlfb.exe
                                                                        35⤵
                                                                        • Executes dropped EXE
                                                                        • Drops file in System32 directory
                                                                        • Modifies registry class
                                                                        PID:3416
                                                                        • C:\Windows\SysWOW64\Lnjjdgee.exe
                                                                          C:\Windows\system32\Lnjjdgee.exe
                                                                          36⤵
                                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                                          • Executes dropped EXE
                                                                          • Drops file in System32 directory
                                                                          • Modifies registry class
                                                                          PID:3436
                                                                          • C:\Windows\SysWOW64\Laefdf32.exe
                                                                            C:\Windows\system32\Laefdf32.exe
                                                                            37⤵
                                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                                            • Executes dropped EXE
                                                                            • Drops file in System32 directory
                                                                            • Modifies registry class
                                                                            PID:4268
                                                                            • C:\Windows\SysWOW64\Lddbqa32.exe
                                                                              C:\Windows\system32\Lddbqa32.exe
                                                                              38⤵
                                                                              • Executes dropped EXE
                                                                              • Modifies registry class
                                                                              PID:2356
                                                                              • C:\Windows\SysWOW64\Lgbnmm32.exe
                                                                                C:\Windows\system32\Lgbnmm32.exe
                                                                                39⤵
                                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                • Executes dropped EXE
                                                                                • Drops file in System32 directory
                                                                                PID:2948
                                                                                • C:\Windows\SysWOW64\Mjqjih32.exe
                                                                                  C:\Windows\system32\Mjqjih32.exe
                                                                                  40⤵
                                                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                  • Executes dropped EXE
                                                                                  • Modifies registry class
                                                                                  PID:1348
                                                                                  • C:\Windows\SysWOW64\Mpkbebbf.exe
                                                                                    C:\Windows\system32\Mpkbebbf.exe
                                                                                    41⤵
                                                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                    • Executes dropped EXE
                                                                                    • Drops file in System32 directory
                                                                                    • Modifies registry class
                                                                                    PID:4652
                                                                                    • C:\Windows\SysWOW64\Mciobn32.exe
                                                                                      C:\Windows\system32\Mciobn32.exe
                                                                                      42⤵
                                                                                      • Executes dropped EXE
                                                                                      • Drops file in System32 directory
                                                                                      • Modifies registry class
                                                                                      PID:1200
                                                                                      • C:\Windows\SysWOW64\Mkpgck32.exe
                                                                                        C:\Windows\system32\Mkpgck32.exe
                                                                                        43⤵
                                                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                        • Executes dropped EXE
                                                                                        • Modifies registry class
                                                                                        PID:4776
                                                                                        • C:\Windows\SysWOW64\Mnocof32.exe
                                                                                          C:\Windows\system32\Mnocof32.exe
                                                                                          44⤵
                                                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                          • Executes dropped EXE
                                                                                          PID:4460
                                                                                          • C:\Windows\SysWOW64\Mpmokb32.exe
                                                                                            C:\Windows\system32\Mpmokb32.exe
                                                                                            45⤵
                                                                                            • Executes dropped EXE
                                                                                            • Drops file in System32 directory
                                                                                            PID:264
                                                                                            • C:\Windows\SysWOW64\Mcklgm32.exe
                                                                                              C:\Windows\system32\Mcklgm32.exe
                                                                                              46⤵
                                                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                              • Executes dropped EXE
                                                                                              • Modifies registry class
                                                                                              PID:4740
                                                                                              • C:\Windows\SysWOW64\Mkbchk32.exe
                                                                                                C:\Windows\system32\Mkbchk32.exe
                                                                                                47⤵
                                                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                • Executes dropped EXE
                                                                                                • Modifies registry class
                                                                                                PID:1672
                                                                                                • C:\Windows\SysWOW64\Mnapdf32.exe
                                                                                                  C:\Windows\system32\Mnapdf32.exe
                                                                                                  48⤵
                                                                                                  • Executes dropped EXE
                                                                                                  • Drops file in System32 directory
                                                                                                  PID:2364
                                                                                                  • C:\Windows\SysWOW64\Mpolqa32.exe
                                                                                                    C:\Windows\system32\Mpolqa32.exe
                                                                                                    49⤵
                                                                                                    • Executes dropped EXE
                                                                                                    • Drops file in System32 directory
                                                                                                    PID:804
                                                                                                    • C:\Windows\SysWOW64\Mgidml32.exe
                                                                                                      C:\Windows\system32\Mgidml32.exe
                                                                                                      50⤵
                                                                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                      • Executes dropped EXE
                                                                                                      • Drops file in System32 directory
                                                                                                      • Modifies registry class
                                                                                                      PID:4136
                                                                                                      • C:\Windows\SysWOW64\Mjhqjg32.exe
                                                                                                        C:\Windows\system32\Mjhqjg32.exe
                                                                                                        51⤵
                                                                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                        • Executes dropped EXE
                                                                                                        • Modifies registry class
                                                                                                        PID:4820
                                                                                                        • C:\Windows\SysWOW64\Mncmjfmk.exe
                                                                                                          C:\Windows\system32\Mncmjfmk.exe
                                                                                                          52⤵
                                                                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                          • Executes dropped EXE
                                                                                                          • Modifies registry class
                                                                                                          PID:2152
                                                                                                          • C:\Windows\SysWOW64\Mpaifalo.exe
                                                                                                            C:\Windows\system32\Mpaifalo.exe
                                                                                                            53⤵
                                                                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                            • Executes dropped EXE
                                                                                                            • Modifies registry class
                                                                                                            PID:2404
                                                                                                            • C:\Windows\SysWOW64\Mglack32.exe
                                                                                                              C:\Windows\system32\Mglack32.exe
                                                                                                              54⤵
                                                                                                              • Executes dropped EXE
                                                                                                              • Drops file in System32 directory
                                                                                                              • Modifies registry class
                                                                                                              PID:1264
                                                                                                              • C:\Windows\SysWOW64\Mkgmcjld.exe
                                                                                                                C:\Windows\system32\Mkgmcjld.exe
                                                                                                                55⤵
                                                                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                • Executes dropped EXE
                                                                                                                • Drops file in System32 directory
                                                                                                                PID:4572
                                                                                                                • C:\Windows\SysWOW64\Mnfipekh.exe
                                                                                                                  C:\Windows\system32\Mnfipekh.exe
                                                                                                                  56⤵
                                                                                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                  • Executes dropped EXE
                                                                                                                  • Drops file in System32 directory
                                                                                                                  • Modifies registry class
                                                                                                                  PID:4152
                                                                                                                  • C:\Windows\SysWOW64\Mpdelajl.exe
                                                                                                                    C:\Windows\system32\Mpdelajl.exe
                                                                                                                    57⤵
                                                                                                                    • Executes dropped EXE
                                                                                                                    PID:4320
                                                                                                                    • C:\Windows\SysWOW64\Mcbahlip.exe
                                                                                                                      C:\Windows\system32\Mcbahlip.exe
                                                                                                                      58⤵
                                                                                                                      • Executes dropped EXE
                                                                                                                      • Drops file in System32 directory
                                                                                                                      PID:1536
                                                                                                                      • C:\Windows\SysWOW64\Nkjjij32.exe
                                                                                                                        C:\Windows\system32\Nkjjij32.exe
                                                                                                                        59⤵
                                                                                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                        • Executes dropped EXE
                                                                                                                        • Drops file in System32 directory
                                                                                                                        PID:4604
                                                                                                                        • C:\Windows\SysWOW64\Nnhfee32.exe
                                                                                                                          C:\Windows\system32\Nnhfee32.exe
                                                                                                                          60⤵
                                                                                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                          • Executes dropped EXE
                                                                                                                          PID:4892
                                                                                                                          • C:\Windows\SysWOW64\Nqfbaq32.exe
                                                                                                                            C:\Windows\system32\Nqfbaq32.exe
                                                                                                                            61⤵
                                                                                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                            • Executes dropped EXE
                                                                                                                            • Drops file in System32 directory
                                                                                                                            PID:5004
                                                                                                                            • C:\Windows\SysWOW64\Ngpjnkpf.exe
                                                                                                                              C:\Windows\system32\Ngpjnkpf.exe
                                                                                                                              62⤵
                                                                                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                              • Executes dropped EXE
                                                                                                                              • Drops file in System32 directory
                                                                                                                              • Modifies registry class
                                                                                                                              PID:1712
                                                                                                                              • C:\Windows\SysWOW64\Nklfoi32.exe
                                                                                                                                C:\Windows\system32\Nklfoi32.exe
                                                                                                                                63⤵
                                                                                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                • Executes dropped EXE
                                                                                                                                • Modifies registry class
                                                                                                                                PID:3132
                                                                                                                                • C:\Windows\SysWOW64\Nnjbke32.exe
                                                                                                                                  C:\Windows\system32\Nnjbke32.exe
                                                                                                                                  64⤵
                                                                                                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                  • Executes dropped EXE
                                                                                                                                  • Modifies registry class
                                                                                                                                  PID:436
                                                                                                                                  • C:\Windows\SysWOW64\Nqiogp32.exe
                                                                                                                                    C:\Windows\system32\Nqiogp32.exe
                                                                                                                                    65⤵
                                                                                                                                    • Executes dropped EXE
                                                                                                                                    • Drops file in System32 directory
                                                                                                                                    PID:5044
                                                                                                                                    • C:\Windows\SysWOW64\Ncgkcl32.exe
                                                                                                                                      C:\Windows\system32\Ncgkcl32.exe
                                                                                                                                      66⤵
                                                                                                                                      • Modifies registry class
                                                                                                                                      PID:636
                                                                                                                                      • C:\Windows\SysWOW64\Njacpf32.exe
                                                                                                                                        C:\Windows\system32\Njacpf32.exe
                                                                                                                                        67⤵
                                                                                                                                        • Drops file in System32 directory
                                                                                                                                        PID:3332
                                                                                                                                        • C:\Windows\SysWOW64\Nbhkac32.exe
                                                                                                                                          C:\Windows\system32\Nbhkac32.exe
                                                                                                                                          68⤵
                                                                                                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                          • Drops file in System32 directory
                                                                                                                                          • Modifies registry class
                                                                                                                                          PID:2508
                                                                                                                                          • C:\Windows\SysWOW64\Nqklmpdd.exe
                                                                                                                                            C:\Windows\system32\Nqklmpdd.exe
                                                                                                                                            69⤵
                                                                                                                                            • Modifies registry class
                                                                                                                                            PID:4996
                                                                                                                                            • C:\Windows\SysWOW64\Ncihikcg.exe
                                                                                                                                              C:\Windows\system32\Ncihikcg.exe
                                                                                                                                              70⤵
                                                                                                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                              • Drops file in System32 directory
                                                                                                                                              PID:3632
                                                                                                                                              • C:\Windows\SysWOW64\Njcpee32.exe
                                                                                                                                                C:\Windows\system32\Njcpee32.exe
                                                                                                                                                71⤵
                                                                                                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                • Drops file in System32 directory
                                                                                                                                                • Modifies registry class
                                                                                                                                                PID:4760
                                                                                                                                                • C:\Windows\SysWOW64\Nbkhfc32.exe
                                                                                                                                                  C:\Windows\system32\Nbkhfc32.exe
                                                                                                                                                  72⤵
                                                                                                                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                  • Drops file in System32 directory
                                                                                                                                                  • Modifies registry class
                                                                                                                                                  PID:4932
                                                                                                                                                  • C:\Windows\SysWOW64\Nqmhbpba.exe
                                                                                                                                                    C:\Windows\system32\Nqmhbpba.exe
                                                                                                                                                    73⤵
                                                                                                                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                    • Drops file in System32 directory
                                                                                                                                                    PID:1244
                                                                                                                                                    • C:\Windows\SysWOW64\Ncldnkae.exe
                                                                                                                                                      C:\Windows\system32\Ncldnkae.exe
                                                                                                                                                      74⤵
                                                                                                                                                        PID:1048
                                                                                                                                                        • C:\Windows\SysWOW64\Nkcmohbg.exe
                                                                                                                                                          C:\Windows\system32\Nkcmohbg.exe
                                                                                                                                                          75⤵
                                                                                                                                                            PID:2340
                                                                                                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                              C:\Windows\SysWOW64\WerFault.exe -u -p 2340 -s 404
                                                                                                                                                              76⤵
                                                                                                                                                              • Program crash
                                                                                                                                                              PID:520
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2340 -ip 2340
        1⤵
          PID:508

        Network

        MITRE ATT&CK Enterprise v15

        Downloads


          SHA256

          25a7a28553ace1d1ab57a54680c0a159099409018e6ff878bdb4e7d2fb2415f2

          SHA512

          4e66b13daf1e1dd266a2c0590a2ff31e1dcf7894f2e80e22e355a2c13cab4725454ff3a00cf800fafdef56c0763923e776ed3d680c5b21689189af025d551a37

        • C:\Windows\SysWOW64\Kmlnbi32.exe

          Filesize

          199KB

          MD5

          7a4e51513b63bfbe3adaf1d2312ea98c

          SHA1

          e1a332ade604fac109e606a2f61869d789360734

          SHA256

          87f0cb66a623edef62a9b0b8542831ed1583329fce2e5de6035e4c7e538e37bf

          SHA512

          97d80352fca9e724d9d735c19113e91608ae11a6f4dd01825f155065191a15f034c3e3eda04df3057f87cd44d98b3dab3250e8bc254eefcb74600b7df55a134e

        • C:\Windows\SysWOW64\Kmnjhioc.exe

          Filesize

          199KB

          MD5

          c320859fed4baad338b11fccc48057c7

          SHA1

          667b49a9325cbc85ce534eab7dec6e2a95ac0d4d

          SHA256

          dd3dfdea7f3de53385f83ebf3b48f539e645b359460ff6cb59f1fda50bd8e6df

          SHA512

          3599b8b6372b9c01a3e814963567cb3596719df594328421308d7c6b170a2b1346de132aa87a771041d81d4cf763bbbdf0030dd8477fe24b7011f353721bc847

        • C:\Windows\SysWOW64\Laciofpa.exe

          Filesize

          199KB

          MD5

          703c6c0c97daa4bc3aaab4a76bc469b2

          SHA1

          466becd1bb2d58d94dcc9409bf89e1a659550a44

          SHA256

          65978b18f88153169e0dd0f474cc094d07a1080ff72cbcf0c62e441c8189e5b2

          SHA512

          5ecbca3a3ba4770e6dd724775a554c25224d2a2f172a4fff7ebf51c4ebd6d61bbb1b71b737a2cbf0b27c0ad0ac6276e678228b66408cdbef3c3525c4af39e67a

        • C:\Windows\SysWOW64\Lcmofolg.exe

          Filesize

          199KB

          MD5

          afa4da2cb4b4e5da28c1ef81af497cfe

          SHA1

          5f5a60acb8884ad80ff2166cd74c6cbf0306b3fc

          SHA256

          d066df4cb59f27224202de57324b153a83e5bd4b74b3cc583ff018756095ec09

          SHA512

          274bbfa72f6d2dc41243b0591b85a5f3fbc78ea959b4a3bf4826fb944d9a2e902e3ece82fbd06eab655395ddd0be6480c3923c6e60344a439f5ba58ea49a23b5

        • C:\Windows\SysWOW64\Lgkhlnbn.exe

          Filesize

          199KB

          MD5

          121b5c8fbf89a2376228a5249f96cb00

          SHA1

          9f4c8679e3e688f93934ecb58746bd4ee931116e

          SHA256

          903f84fc6730c9199eff97bc0cf29ff8b47fdbe880b758778c516ad9058d410e

          SHA512

          351ddaa4cc070d7073e4f52831428c06cf3f38013306bfd5da6b68ef17c7b12e2e7e6230a707974debebc78c5afdbcde1387cf3b5897c8d6960ea0cf8a77ee69

        • C:\Windows\SysWOW64\Lgneampk.exe

          Filesize

          199KB

          MD5

          637c8601777bc2805bda752d85bb1372

          SHA1

          f58a1ed30b545e143877955f3564a346a3595784

          SHA256

          523f200ddea293f96331a347478a1a7fac2f30e1410440733dcb4b4797ef0b6e

          SHA512

          d0dece1f92e94c38df2c8efaf109f126c57c817290c6313c9a91998cec598a1c58b1cbf23dc2357bcfa2fa64b89e63c95b83992227854908c0927d160dc81aef

        • C:\Windows\SysWOW64\Lkgdml32.exe

          Filesize

          199KB

          MD5

          12f06628d5c0e7ebb17baf79a535a230

          SHA1

          a3479d6257f0604ca0f8758f7701e5388a4a7d5e

          SHA256

          b73459ef4bb7c51100463f7cc0826fa44faeaee4cbd59ae4cb548c0755e6cfcd

          SHA512

          62bd6d1ad6dbabeb566ab25b779cd5cf7f89e6b4202257a31e5454a3c7d4bef19635cd57851cf2c9744562c70b4f0c4439c9cd1ba6dee4396b01e245ee8adaba

        • C:\Windows\SysWOW64\Lmqgnhmp.exe

          Filesize

          199KB

          MD5

          5369c2d58b0dc6c9f5f5d3e82f18b7ff

          SHA1

          7e7fec60e978d0cc6d66e7800e6b1f1236f05746

          SHA256

          614cf9e1f48ef0dc871e64d4c7180934113f87e3954592ad647635ddea418452

          SHA512

          6ce6e9b14a13fb615611310dc98c0c2edf5b6d643e0454a227808c4e2f5d5c702809d6e0897393e173be945f4695156dd6714e2703905b423f9e77a1f323ee2b

        • C:\Windows\SysWOW64\Lpcmec32.exe

          Filesize

          199KB

          MD5

          d4ae0db48d7a27ccae75df3a3cdb9d1e

          SHA1

          4d32a0c18d69e97b723e7bf0a40a7676aaea8fe0

          SHA256

          3011cf432f88e40828c0ff49237d902aaa7123dffcff359f21249b5ccd9bf6d0

          SHA512

          53a9ae40be54afc778ef1442721ee837c03d45842146e7ea2a52a53c938cee950a74e5cdc5b867cb8fe6ba8606b45258ee844fd9583c080b1c630e7d7ae3afdd

        • C:\Windows\SysWOW64\Mpolqa32.exe

          Filesize

          199KB

          MD5

          54c392ad384daa110ddafd529ab16fdc

          SHA1

          49404c6dd8d3a39fe3dc4ecffaa28425bc5c74b4

          SHA256

          d9e31d3bab46b7c3e2dfdcf87c8f0887b0b64cc4bb36622f1da1d776a2b10253

          SHA512

          53211ef5c2a08bf962362540f975eee4d2d8ae252730b816b2b516c253a5299dc96196990ed15bda417afd5992c0131eb909f67c427e5e2a5a2bc127f436fda4

        • C:\Windows\SysWOW64\Nkcmohbg.exe

          Filesize

          199KB

          MD5

          2c08e4cbda4db2590f47e45103eaa512

          SHA1

          8c2c3f72a72c90b9bf57a4cfab86c7d62c1f43a1

          SHA256

          709a67dd75a02a0b7c5e6cc2c484d5d6f0531a36254fb23449b7d9a1d2dd9933

          SHA512

          8944bd38007f804c6a14348687947b97034d2ca0bd3bb1e89f28ddba2e54c94f6d22bfcc8b0c0b2e0be4be3011562b0bc7a0c464f1cc8952b6311d489123953c

        • C:\Windows\SysWOW64\Nnjbke32.exe

          Filesize

          199KB

          MD5

          77f8e4e0cde2115912ce8f176486b2b5

          SHA1

          8e33853324e8741b00bab42ef9022427d03cd32c

          SHA256

          11fc11c4abc923f570b7425f083c8cdcf8da236fb449711b00f4829f76a60a2b

          SHA512

          bdb8087e51ac0e278d2459ea5cc7b2613894b5d296a9cd9faf2972c752f058617cc432257c63c32a0e2c020c6910367fcba7382e95478f04a5a43369e896a349
