Analysis

  • max time kernel
    136s
  • max time network
    128s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
  • submitted
    01/06/2024, 18:26

General

  • Target

    085e0333c240f0c653396fe6be65ed66d540326fe81e0047b4af887938eb0745.exe

  • Size

    477KB

  • MD5

    2093682b02f2e6852d9018b1a90d44cd

  • SHA1

    044e64af1dcf00af8204e018b9a20b3feb32d4f3

  • SHA256

    085e0333c240f0c653396fe6be65ed66d540326fe81e0047b4af887938eb0745

  • SHA512

    550d23717c17e3999e926990f9731a8c9cbdfa0c7e6107da932ffcfda2d2a5ef07ad39df8b35de4c64fb7d25013d3950faea4a8f8b2a7e5586c8924edc78e7ac

  • SSDEEP

    6144:KRzkYzzczzzzzzzzzzzzzzjzzzzzzzyzzzzzmp8pvon/TNId/1fon/T9P7GSon/I:KBklNIVyeNIVy2oIvPKO

Score
10/10

Malware Config

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
  • Executes dropped EXE 64 IoCs
  • Drops file in System32 directory 64 IoCs
  • Program crash 1 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\085e0333c240f0c653396fe6be65ed66d540326fe81e0047b4af887938eb0745.exe
    "C:\Users\Admin\AppData\Local\Temp\085e0333c240f0c653396fe6be65ed66d540326fe81e0047b4af887938eb0745.exe"
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1092
    • C:\Windows\SysWOW64\Gbenqg32.exe
      C:\Windows\system32\Gbenqg32.exe
      2⤵
      • Executes dropped EXE
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:880
      • C:\Windows\SysWOW64\Gfqjafdq.exe
        C:\Windows\system32\Gfqjafdq.exe
        3⤵
        • Adds autorun key to be loaded by Explorer.exe on startup
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:4544
        • C:\Windows\SysWOW64\Giofnacd.exe
          C:\Windows\system32\Giofnacd.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:1544
          • C:\Windows\SysWOW64\Gmmocpjk.exe
            C:\Windows\system32\Gmmocpjk.exe
            5⤵
            • Executes dropped EXE
            • Drops file in System32 directory
            • Suspicious use of WriteProcessMemory
            PID:1632
            • C:\Windows\SysWOW64\Gmoliohh.exe
              C:\Windows\system32\Gmoliohh.exe
              6⤵
              • Adds autorun key to be loaded by Explorer.exe on startup
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              PID:3260
              • C:\Windows\SysWOW64\Gpnhekgl.exe
                C:\Windows\system32\Gpnhekgl.exe
                7⤵
                • Adds autorun key to be loaded by Explorer.exe on startup
                • Executes dropped EXE
                • Drops file in System32 directory
                • Modifies registry class
                • Suspicious use of WriteProcessMemory
                PID:2104
                • C:\Windows\SysWOW64\Gbldaffp.exe
                  C:\Windows\system32\Gbldaffp.exe
                  8⤵
                  • Adds autorun key to be loaded by Explorer.exe on startup
                  • Executes dropped EXE
                  • Drops file in System32 directory
                  • Modifies registry class
                  • Suspicious use of WriteProcessMemory
                  PID:4044
                  • C:\Windows\SysWOW64\Gfhqbe32.exe
                    C:\Windows\system32\Gfhqbe32.exe
                    9⤵
                    • Adds autorun key to be loaded by Explorer.exe on startup
                    • Executes dropped EXE
                    • Drops file in System32 directory
                    • Modifies registry class
                    • Suspicious use of WriteProcessMemory
                    PID:964
                    • C:\Windows\SysWOW64\Gmaioo32.exe
                      C:\Windows\system32\Gmaioo32.exe
                      10⤵
                      • Executes dropped EXE
                      • Modifies registry class
                      • Suspicious use of WriteProcessMemory
                      PID:3520
                      • C:\Windows\SysWOW64\Hfljmdjc.exe
                        C:\Windows\system32\Hfljmdjc.exe
                        11⤵
                        • Adds autorun key to be loaded by Explorer.exe on startup
                        • Executes dropped EXE
                        • Suspicious use of WriteProcessMemory
                        PID:5088
                        • C:\Windows\SysWOW64\Habnjm32.exe
                          C:\Windows\system32\Habnjm32.exe
                          12⤵
                          • Adds autorun key to be loaded by Explorer.exe on startup
                          • Executes dropped EXE
                          • Drops file in System32 directory
                          • Modifies registry class
                          • Suspicious use of WriteProcessMemory
                          PID:5060
                          • C:\Windows\SysWOW64\Hbckbepg.exe
                            C:\Windows\system32\Hbckbepg.exe
                            13⤵
                            • Executes dropped EXE
                            • Modifies registry class
                            • Suspicious use of WriteProcessMemory
                            PID:4504
                            • C:\Windows\SysWOW64\Hmioonpn.exe
                              C:\Windows\system32\Hmioonpn.exe
                              14⤵
                              • Executes dropped EXE
                              • Modifies registry class
                              • Suspicious use of WriteProcessMemory
                              PID:5068
                              • C:\Windows\SysWOW64\Hbeghene.exe
                                C:\Windows\system32\Hbeghene.exe
                                15⤵
                                • Executes dropped EXE
                                • Modifies registry class
                                • Suspicious use of WriteProcessMemory
                                PID:3788
                                • C:\Windows\SysWOW64\Hippdo32.exe
                                  C:\Windows\system32\Hippdo32.exe
                                  16⤵
                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                  • Executes dropped EXE
                                  • Drops file in System32 directory
                                  • Suspicious use of WriteProcessMemory
                                  PID:4540
                                  • C:\Windows\SysWOW64\Hibljoco.exe
                                    C:\Windows\system32\Hibljoco.exe
                                    17⤵
                                    • Executes dropped EXE
                                    • Drops file in System32 directory
                                    • Suspicious use of WriteProcessMemory
                                    PID:1200
                                    • C:\Windows\SysWOW64\Ipldfi32.exe
                                      C:\Windows\system32\Ipldfi32.exe
                                      18⤵
                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                      • Executes dropped EXE
                                      • Drops file in System32 directory
                                      • Suspicious use of WriteProcessMemory
                                      PID:4684
                                      • C:\Windows\SysWOW64\Iakaql32.exe
                                        C:\Windows\system32\Iakaql32.exe
                                        19⤵
                                        • Executes dropped EXE
                                        • Suspicious use of WriteProcessMemory
                                        PID:1352
                                        • C:\Windows\SysWOW64\Icjmmg32.exe
                                          C:\Windows\system32\Icjmmg32.exe
                                          20⤵
                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                          • Executes dropped EXE
                                          • Drops file in System32 directory
                                          • Modifies registry class
                                          • Suspicious use of WriteProcessMemory
                                          PID:4476
                                          • C:\Windows\SysWOW64\Iannfk32.exe
                                            C:\Windows\system32\Iannfk32.exe
                                            21⤵
                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                            • Executes dropped EXE
                                            • Suspicious use of WriteProcessMemory
                                            PID:1904
                                            • C:\Windows\SysWOW64\Imdnklfp.exe
                                              C:\Windows\system32\Imdnklfp.exe
                                              22⤵
                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                              • Executes dropped EXE
                                              • Drops file in System32 directory
                                              • Suspicious use of WriteProcessMemory
                                              PID:1460
                                              • C:\Windows\SysWOW64\Ifmcdblq.exe
                                                C:\Windows\system32\Ifmcdblq.exe
                                                23⤵
                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                • Executes dropped EXE
                                                • Drops file in System32 directory
                                                • Modifies registry class
                                                PID:4408
                                                • C:\Windows\SysWOW64\Iabgaklg.exe
                                                  C:\Windows\system32\Iabgaklg.exe
                                                  24⤵
                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                  • Executes dropped EXE
                                                  • Drops file in System32 directory
                                                  • Modifies registry class
                                                  PID:532
                                                  • C:\Windows\SysWOW64\Ifopiajn.exe
                                                    C:\Windows\system32\Ifopiajn.exe
                                                    25⤵
                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                    • Executes dropped EXE
                                                    • Drops file in System32 directory
                                                    • Modifies registry class
                                                    PID:2428
                                                    • C:\Windows\SysWOW64\Jdcpcf32.exe
                                                      C:\Windows\system32\Jdcpcf32.exe
                                                      26⤵
                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                      • Executes dropped EXE
                                                      • Drops file in System32 directory
                                                      • Modifies registry class
                                                      PID:348
                                                      • C:\Windows\SysWOW64\Jiphkm32.exe
                                                        C:\Windows\system32\Jiphkm32.exe
                                                        27⤵
                                                        • Executes dropped EXE
                                                        • Drops file in System32 directory
                                                        • Modifies registry class
                                                        PID:4220
                                                        • C:\Windows\SysWOW64\Kdopod32.exe
                                                          C:\Windows\system32\Kdopod32.exe
                                                          28⤵
                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                          • Executes dropped EXE
                                                          • Drops file in System32 directory
                                                          PID:1628
                                                          • C:\Windows\SysWOW64\Kgmlkp32.exe
                                                            C:\Windows\system32\Kgmlkp32.exe
                                                            29⤵
                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                            • Executes dropped EXE
                                                            PID:4100
                                                            • C:\Windows\SysWOW64\Kilhgk32.exe
                                                              C:\Windows\system32\Kilhgk32.exe
                                                              30⤵
                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                              • Executes dropped EXE
                                                              • Drops file in System32 directory
                                                              • Modifies registry class
                                                              PID:4812
                                                              • C:\Windows\SysWOW64\Kdcijcke.exe
                                                                C:\Windows\system32\Kdcijcke.exe
                                                                31⤵
                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                • Executes dropped EXE
                                                                • Modifies registry class
                                                                PID:3276
                                                                • C:\Windows\SysWOW64\Kipabjil.exe
                                                                  C:\Windows\system32\Kipabjil.exe
                                                                  32⤵
                                                                  • Executes dropped EXE
                                                                  • Drops file in System32 directory
                                                                  • Modifies registry class
                                                                  PID:4980
                                                                  • C:\Windows\SysWOW64\Kcifkp32.exe
                                                                    C:\Windows\system32\Kcifkp32.exe
                                                                    33⤵
                                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                                    • Executes dropped EXE
                                                                    • Drops file in System32 directory
                                                                    • Modifies registry class
                                                                    PID:3796
                                                                    • C:\Windows\SysWOW64\Kajfig32.exe
                                                                      C:\Windows\system32\Kajfig32.exe
                                                                      34⤵
                                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                                      • Executes dropped EXE
                                                                      • Drops file in System32 directory
                                                                      • Modifies registry class
                                                                      PID:3176
                                                                      • C:\Windows\SysWOW64\Kdhbec32.exe
                                                                        C:\Windows\system32\Kdhbec32.exe
                                                                        35⤵
                                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                                        • Executes dropped EXE
                                                                        PID:3992
                                                                        • C:\Windows\SysWOW64\Kgfoan32.exe
                                                                          C:\Windows\system32\Kgfoan32.exe
                                                                          36⤵
                                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                                          • Executes dropped EXE
                                                                          • Drops file in System32 directory
                                                                          PID:2516
                                                                          • C:\Windows\SysWOW64\Liekmj32.exe
                                                                            C:\Windows\system32\Liekmj32.exe
                                                                            37⤵
                                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                                            • Executes dropped EXE
                                                                            • Drops file in System32 directory
                                                                            • Modifies registry class
                                                                            PID:4224
                                                                            • C:\Windows\SysWOW64\Lalcng32.exe
                                                                              C:\Windows\system32\Lalcng32.exe
                                                                              38⤵
                                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                                              • Executes dropped EXE
                                                                              PID:3480
                                                                              • C:\Windows\SysWOW64\Ldkojb32.exe
                                                                                C:\Windows\system32\Ldkojb32.exe
                                                                                39⤵
                                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                • Executes dropped EXE
                                                                                • Drops file in System32 directory
                                                                                • Modifies registry class
                                                                                PID:4004
                                                                                • C:\Windows\SysWOW64\Lkdggmlj.exe
                                                                                  C:\Windows\system32\Lkdggmlj.exe
                                                                                  40⤵
                                                                                  • Executes dropped EXE
                                                                                  • Drops file in System32 directory
                                                                                  PID:4800
                                                                                  • C:\Windows\SysWOW64\Lmccchkn.exe
                                                                                    C:\Windows\system32\Lmccchkn.exe
                                                                                    41⤵
                                                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                    • Executes dropped EXE
                                                                                    • Drops file in System32 directory
                                                                                    • Modifies registry class
                                                                                    PID:1044
                                                                                    • C:\Windows\SysWOW64\Lpappc32.exe
                                                                                      C:\Windows\system32\Lpappc32.exe
                                                                                      42⤵
                                                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                      • Executes dropped EXE
                                                                                      • Drops file in System32 directory
                                                                                      PID:2948
                                                                                      • C:\Windows\SysWOW64\Lcpllo32.exe
                                                                                        C:\Windows\system32\Lcpllo32.exe
                                                                                        43⤵
                                                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                        • Executes dropped EXE
                                                                                        • Modifies registry class
                                                                                        PID:884
                                                                                        • C:\Windows\SysWOW64\Lkgdml32.exe
                                                                                          C:\Windows\system32\Lkgdml32.exe
                                                                                          44⤵
                                                                                          • Executes dropped EXE
                                                                                          • Drops file in System32 directory
                                                                                          • Modifies registry class
                                                                                          PID:4688
                                                                                          • C:\Windows\SysWOW64\Lnepih32.exe
                                                                                            C:\Windows\system32\Lnepih32.exe
                                                                                            45⤵
                                                                                            • Executes dropped EXE
                                                                                            • Drops file in System32 directory
                                                                                            PID:3292
                                                                                            • C:\Windows\SysWOW64\Ldohebqh.exe
                                                                                              C:\Windows\system32\Ldohebqh.exe
                                                                                              46⤵
                                                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                              • Executes dropped EXE
                                                                                              • Drops file in System32 directory
                                                                                              • Modifies registry class
                                                                                              PID:5104
                                                                                              • C:\Windows\SysWOW64\Lgneampk.exe
                                                                                                C:\Windows\system32\Lgneampk.exe
                                                                                                47⤵
                                                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                • Executes dropped EXE
                                                                                                PID:3724
                                                                                                • C:\Windows\SysWOW64\Lpfijcfl.exe
                                                                                                  C:\Windows\system32\Lpfijcfl.exe
                                                                                                  48⤵
                                                                                                  • Executes dropped EXE
                                                                                                  • Drops file in System32 directory
                                                                                                  PID:2624
                                                                                                  • C:\Windows\SysWOW64\Lcdegnep.exe
                                                                                                    C:\Windows\system32\Lcdegnep.exe
                                                                                                    49⤵
                                                                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                    • Executes dropped EXE
                                                                                                    • Modifies registry class
                                                                                                    PID:3488
                                                                                                    • C:\Windows\SysWOW64\Lklnhlfb.exe
                                                                                                      C:\Windows\system32\Lklnhlfb.exe
                                                                                                      50⤵
                                                                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                      • Executes dropped EXE
                                                                                                      PID:3160
                                                                                                      • C:\Windows\SysWOW64\Lnjjdgee.exe
                                                                                                        C:\Windows\system32\Lnjjdgee.exe
                                                                                                        51⤵
                                                                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                        • Executes dropped EXE
                                                                                                        • Modifies registry class
                                                                                                        PID:2288
                                                                                                        • C:\Windows\SysWOW64\Lphfpbdi.exe
                                                                                                          C:\Windows\system32\Lphfpbdi.exe
                                                                                                          52⤵
                                                                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                          • Drops file in System32 directory
                                                                                                          PID:1940
                                                                                                          • C:\Windows\SysWOW64\Lcgblncm.exe
                                                                                                            C:\Windows\system32\Lcgblncm.exe
                                                                                                            53⤵
                                                                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                            • Executes dropped EXE
                                                                                                            • Drops file in System32 directory
                                                                                                            • Modifies registry class
                                                                                                            PID:4500
                                                                                                            • C:\Windows\SysWOW64\Mnlfigcc.exe
                                                                                                              C:\Windows\system32\Mnlfigcc.exe
                                                                                                              54⤵
                                                                                                              • Executes dropped EXE
                                                                                                              • Drops file in System32 directory
                                                                                                              PID:1448
                                                                                                              • C:\Windows\SysWOW64\Mgekbljc.exe
                                                                                                                C:\Windows\system32\Mgekbljc.exe
                                                                                                                55⤵
                                                                                                                • Executes dropped EXE
                                                                                                                • Drops file in System32 directory
                                                                                                                PID:4588
                                                                                                                • C:\Windows\SysWOW64\Mpmokb32.exe
                                                                                                                  C:\Windows\system32\Mpmokb32.exe
                                                                                                                  56⤵
                                                                                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                  • Executes dropped EXE
                                                                                                                  • Modifies registry class
                                                                                                                  PID:2076
                                                                                                                  • C:\Windows\SysWOW64\Mcklgm32.exe
                                                                                                                    C:\Windows\system32\Mcklgm32.exe
                                                                                                                    57⤵
                                                                                                                    • Executes dropped EXE
                                                                                                                    • Drops file in System32 directory
                                                                                                                    PID:2184
                                                                                                                    • C:\Windows\SysWOW64\Mkbchk32.exe
                                                                                                                      C:\Windows\system32\Mkbchk32.exe
                                                                                                                      58⤵
                                                                                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                      • Executes dropped EXE
                                                                                                                      • Drops file in System32 directory
                                                                                                                      • Modifies registry class
                                                                                                                      PID:4524
                                                                                                                      • C:\Windows\SysWOW64\Mpolqa32.exe
                                                                                                                        C:\Windows\system32\Mpolqa32.exe
                                                                                                                        59⤵
                                                                                                                        • Executes dropped EXE
                                                                                                                        • Drops file in System32 directory
                                                                                                                        • Modifies registry class
                                                                                                                        PID:1252
                                                                                                                        • C:\Windows\SysWOW64\Mjhqjg32.exe
                                                                                                                          C:\Windows\system32\Mjhqjg32.exe
                                                                                                                          60⤵
                                                                                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                          • Executes dropped EXE
                                                                                                                          • Modifies registry class
                                                                                                                          PID:1616
                                                                                                                          • C:\Windows\SysWOW64\Mncmjfmk.exe
                                                                                                                            C:\Windows\system32\Mncmjfmk.exe
                                                                                                                            61⤵
                                                                                                                            • Executes dropped EXE
                                                                                                                            • Drops file in System32 directory
                                                                                                                            • Modifies registry class
                                                                                                                            PID:2744
                                                                                                                            • C:\Windows\SysWOW64\Mdmegp32.exe
                                                                                                                              C:\Windows\system32\Mdmegp32.exe
                                                                                                                              62⤵
                                                                                                                              • Executes dropped EXE
                                                                                                                              PID:1692
                                                                                                                              • C:\Windows\SysWOW64\Mglack32.exe
                                                                                                                                C:\Windows\system32\Mglack32.exe
                                                                                                                                63⤵
                                                                                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                • Executes dropped EXE
                                                                                                                                • Modifies registry class
                                                                                                                                PID:4196
                                                                                                                                • C:\Windows\SysWOW64\Mjjmog32.exe
                                                                                                                                  C:\Windows\system32\Mjjmog32.exe
                                                                                                                                  64⤵
                                                                                                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                  • Executes dropped EXE
                                                                                                                                  PID:2520
                                                                                                                                  • C:\Windows\SysWOW64\Maaepd32.exe
                                                                                                                                    C:\Windows\system32\Maaepd32.exe
                                                                                                                                    65⤵
                                                                                                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                    • Executes dropped EXE
                                                                                                                                    • Drops file in System32 directory
                                                                                                                                    • Modifies registry class
                                                                                                                                    PID:3740
                                                                                                                                    • C:\Windows\SysWOW64\Mdpalp32.exe
                                                                                                                                      C:\Windows\system32\Mdpalp32.exe
                                                                                                                                      66⤵
                                                                                                                                      • Executes dropped EXE
                                                                                                                                      PID:4308
                                                                                                                                      • C:\Windows\SysWOW64\Njljefql.exe
                                                                                                                                        C:\Windows\system32\Njljefql.exe
                                                                                                                                        67⤵
                                                                                                                                        • Drops file in System32 directory
                                                                                                                                        PID:4732
                                                                                                                                        • C:\Windows\SysWOW64\Nacbfdao.exe
                                                                                                                                          C:\Windows\system32\Nacbfdao.exe
                                                                                                                                          68⤵
                                                                                                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                          • Drops file in System32 directory
                                                                                                                                          • Modifies registry class
                                                                                                                                          PID:2084
                                                                                                                                          • C:\Windows\SysWOW64\Ngpjnkpf.exe
                                                                                                                                            C:\Windows\system32\Ngpjnkpf.exe
                                                                                                                                            69⤵
                                                                                                                                            • Drops file in System32 directory
                                                                                                                                            • Modifies registry class
                                                                                                                                            PID:3128
                                                                                                                                            • C:\Windows\SysWOW64\Njogjfoj.exe
                                                                                                                                              C:\Windows\system32\Njogjfoj.exe
                                                                                                                                              70⤵
                                                                                                                                                PID:4364
                                                                                                                                                • C:\Windows\SysWOW64\Nqiogp32.exe
                                                                                                                                                  C:\Windows\system32\Nqiogp32.exe
                                                                                                                                                  71⤵
                                                                                                                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                  PID:4336
                                                                                                                                                  • C:\Windows\SysWOW64\Ncgkcl32.exe
                                                                                                                                                    C:\Windows\system32\Ncgkcl32.exe
                                                                                                                                                    72⤵
                                                                                                                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                    • Drops file in System32 directory
                                                                                                                                                    • Modifies registry class
                                                                                                                                                    PID:5056
                                                                                                                                                    • C:\Windows\SysWOW64\Njacpf32.exe
                                                                                                                                                      C:\Windows\system32\Njacpf32.exe
                                                                                                                                                      73⤵
                                                                                                                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                      • Drops file in System32 directory
                                                                                                                                                      PID:4420
                                                                                                                                                      • C:\Windows\SysWOW64\Nbhkac32.exe
                                                                                                                                                        C:\Windows\system32\Nbhkac32.exe
                                                                                                                                                        74⤵
                                                                                                                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                        • Drops file in System32 directory
                                                                                                                                                        • Modifies registry class
                                                                                                                                                        PID:4700
                                                                                                                                                        • C:\Windows\SysWOW64\Nkqpjidj.exe
                                                                                                                                                          C:\Windows\system32\Nkqpjidj.exe
                                                                                                                                                          75⤵
                                                                                                                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                          • Modifies registry class
                                                                                                                                                          PID:2488
                                                                                                                                                          • C:\Windows\SysWOW64\Nnolfdcn.exe
                                                                                                                                                            C:\Windows\system32\Nnolfdcn.exe
                                                                                                                                                            76⤵
                                                                                                                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                            PID:3932
                                                                                                                                                            • C:\Windows\SysWOW64\Nkcmohbg.exe
                                                                                                                                                              C:\Windows\system32\Nkcmohbg.exe
                                                                                                                                                              77⤵
                                                                                                                                                                PID:3824
                                                                                                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                  C:\Windows\SysWOW64\WerFault.exe -u -p 3824 -s 400
                                                                                                                                                                  78⤵
                                                                                                                                                                  • Program crash
                                                                                                                                                                  PID:2808
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3824 -ip 3824
        1⤵
          PID:4032

        Network

        MITRE ATT&CK Enterprise v15

        Downloads


          SHA256

          1d54cfd30baae2c03d6fa32eccc6b056b6edbc566890f24dec52a525de76066e

          SHA512

          c8d7e6d1d0bbd50ab0a8cc2f7322b9df02181e0c73097525935b4da78a3c8e5331d6d69454a40194f60d469bc72a62f63c40a58d1a1525d8a1badbe03481c202

        • C:\Windows\SysWOW64\Ifmcdblq.exe

          Filesize

          477KB

          MD5

          dea2c0819388bb17dd19fc7fd049a7e5

          SHA1

          748ba6e879824e018f7c722c9e20318f1d19f6a3

          SHA256

          96676682b35f2548f89191253f698feaf9efcbaabc3f712c9a92b9e568d9f6ad

          SHA512

          e7cc9fc9470039614a7e4cc7869c76c3fbe7cac37e626b482416238b7bda877299d3be4a85e4c9db480257203f5093e75600480c630dcd09474a832be911518b

        • C:\Windows\SysWOW64\Ifopiajn.exe

          Filesize

          477KB

          MD5

          b7dd0a49d642ae9f61b9173f5c1287e5

          SHA1

          425f5e455b9757556d83df581933be5f8cd10dfe

          SHA256

          2310e04a5bd2d781d180a00ee7c0ff3c89c2b112bae639f3d4ca46a08dc23226

          SHA512

          117968147a2f2dcedb459fdbec14f5d4a785c9ea6d951c0c1bc2c497627d017d95109f78d95d7e462b367fc6536f9d971d5cf60b3e98ff9e5108f9eefdc3918a

        • C:\Windows\SysWOW64\Imdnklfp.exe

          Filesize

          477KB

          MD5

          3d5cf7c9cd6a9b4f6e89ab4e6126bebc

          SHA1

          6169a3772df7f671a58ad38dfff9aa808d08537d

          SHA256

          0499a1b1054f1e87f09ec42ef80b183d7133c3a8cd6106944abbd3b635568ad7

          SHA512

          42a853c62a8f76d1cc331192bf85697557adece1b577e78305f6d86047c0832c6aae8e247721f79c2b8893924c6965095d19e652798d95099d48f939a5db3139

        • C:\Windows\SysWOW64\Ipldfi32.exe

          Filesize

          477KB

          MD5

          19c60b326f6ee3e6903ab94acfc43291

          SHA1

          ae15aa11468c1dcb0ffcb534304b02bbfc681db2

          SHA256

          825d246445cf22967613a13733b5d709ae2000bd7eba62a9cb53e658f21c40a0

          SHA512

          ac1e670ff0666ae4a50db650a926143ae7a8e6f18a6deaf936661ad3d16efd7c47f1771e203a31e1dd36e987e99152a687d7c25db68796312dfe99d8d8b6c337

        • C:\Windows\SysWOW64\Jdcpcf32.exe

          Filesize

          477KB

          MD5

          37647f938ac09fbbb984be69daff56f7

          SHA1

          5abe39ae90d205f4bd54d6124cfd69db53be0142

          SHA256

          968bf7c67b2cc0b96115535ec3859e7eb550c4f8a958f681717354a1d66a2511

          SHA512

          5836b79533a8d19f91c616520490f522446d2497b3fe2e1ff6807ba227932308b30d1ac0ae251e51e543670984ec0d22e8a148f7129f726ab23cafdbda68f09f

        • C:\Windows\SysWOW64\Jiphkm32.exe

          Filesize

          477KB

          MD5

          3b2cf72eb9d5ece7f9e8dec240346dae

          SHA1

          8bb5bbd0583c78238fe35523610aa9018bc19ef7

          SHA256

          f3146b975f78fd1eae2501580b90d9fbf1da72598d8bfd91f6b98ceacbc1d125

          SHA512

          315f52e787f8794bd0570c26b177417fa3322b33b3b0726c98b61bfd58610dc66f566f3cbf4835e90d416a16811fc5d6a0a34e0cb7e62b864c95fef5b7834221

        • C:\Windows\SysWOW64\Kcifkp32.exe

          Filesize

          477KB

          MD5

          4daeb1667b6e46e4aadaf433f060a905

          SHA1

          91d03561c9472a673ca53b4c77807266b06b06ee

          SHA256

          c3752bbb901e0405a7aeae139a87548ca4e69bf0727537a662b526ec9700e136

          SHA512

          9d77cb72ca9dc36c46916273e39363ef6ea76db0e5fea69f3ea86f432beeb73faaa573a28397c74e0b113dd56fc186391fd32eaf40c9c12d2e9e39040684a129

        • C:\Windows\SysWOW64\Kdcijcke.exe

          Filesize

          477KB

          MD5

          c8d3dacfcd9b264f66102eae1a06d509

          SHA1

          04d43df82d55d8f574c0119cfd3f64fd5753429c

          SHA256

          7b61ecd64e067bfba4da7fce636d4801deb457bea304d19f4c4c1b1b5a4a60a5

          SHA512

          ae698bdfd6924f3ea22818e13ff4621b8cdc656ede49ee556868e7df13a69f9895944669b2da4df254eba919fd7dcdb19e10576e95933eab6344b6a4bad60d4e

        • C:\Windows\SysWOW64\Kdopod32.exe

          Filesize

          477KB

          MD5

          137b92cbeeb5a054730a3a73a55c93e8

          SHA1

          be1c00c389eb777a03d14433a1577ac99997d69a

          SHA256

          e1cb3c165c0f8290423aae690af5bd15e5ca03eda5bd01c7c8d466f31e861ab4

          SHA512

          e6fa6bc66a4de48b38c9780f9d9946d0832a4bc645bfe2317ee278cec258573619d10e4d22573a7fd4062eae41d90b667da50dbbd79cff2495c2baa6f9522a93

        • C:\Windows\SysWOW64\Kgmlkp32.exe

          Filesize

          477KB

          MD5

          22c0adfe2c9e848da011aab159539754

          SHA1

          57d89fc03e0b0ac165e4bcb0a23da87eaaa0aa2f

          SHA256

          4f04341cad0704e5f6fddc4bffe823149b4c60ea5db73bbd423781714c4bef91

          SHA512

          030d53926ae176e55c47f1ab2eff90d060d96f7e0d500f21f5c1ea895de2c7c713a01512ad8e117c8509c984371dd6ba0fd047e37a6d63f64d6b1c0840024bf3

        • C:\Windows\SysWOW64\Kilhgk32.exe

          Filesize

          477KB

          MD5

          16d48fa3649b653482967f6a81636767

          SHA1

          f2cf6ba2c5f1bc832bbdb56ea5f1049368ebad88

          SHA256

          3153c988c1149652ea6b16e1315824e9a406e4d3dd33e95e4686b0d9f57211ab

          SHA512

          8140c13ea2bef4fe786c3e152d898a7d64cecec6ddf256853640863aa6b2e1efe6fbc2f839a9626adb86d975d00c56f976f26a7ff5ec36b1e205161f20c4c0ff

        • C:\Windows\SysWOW64\Kipabjil.exe

          Filesize

          477KB

          MD5

          4bdc64c3d697c349915596c9cbbcfbef

          SHA1

          5d0239ca2d8d0a5390e1e12cb878b6e3648d0ed1

          SHA256

          88fb1fcc0febc7de44c2f90847c7aa7a7f9c4109826d265b1312078d37b07a85

          SHA512

          4b35a7393e76dd5b76f4f60fca2e989ee07df82e3998b5052c004f40f9fff75a80228bad3b122a2fee47e57ec44fc8e0c2a11ce315b36a0aacd049fcb473e3b8

        • C:\Windows\SysWOW64\Mnlfigcc.exe

          Filesize

          477KB

          MD5

          ad70400375354c19b23df2ec4dadc1c2

          SHA1

          9f3d84548bb87b52c307922c96a296a78fd3167a

          SHA256

          6018dcc1392766ab5521f32052c9fdc58d1f6699aff1394f353b427b30321aca

          SHA512

          259e997a8482704eb589dd384b737fbd7bdab23adf1699cb41c97811cfd1ae9b7e29c93bf0e583881e0ec7021d0e863e01fd6110c5129e908ae64fd27f27fa94

        • C:\Windows\SysWOW64\Nnolfdcn.exe

          Filesize

          477KB

          MD5

          5bc49858e65cafebd52f812f0546dadf

          SHA1

          48c0bdbe8572d3829e6c5b066ba74dc5fc2d33a0

          SHA256

          ee61a3a04cc48e6056d27669b78a0e35b99b0d5ef8737fb44993b69a1a39072e

          SHA512

          eabe0559a97721c8b7f8ad9eb1c20ed036d9873883d5a754152594adcac74d0a8e3333c37ea6c6c9dabdfed5728c22b15e851d7218b33ed15965826619806d0c
