Analysis

  • max time kernel
    135s
  • max time network
    138s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
  • submitted
    28-08-2024 21:40

General

  • Target

    482560a97054cc78722a3351869f5faeebcf0391e00edf83245704b73264c2d7.exe

  • Size

    59KB

  • MD5

    027c4efdcd2c2bbed76e9708cb334a2a

  • SHA1

    57a6b8d6044fa682b11835d6e13280cfe0804f5e

  • SHA256

    482560a97054cc78722a3351869f5faeebcf0391e00edf83245704b73264c2d7

  • SHA512

    b69e9eb8a8f6c103a6a9715cc7fe53ba7fb3bcd836868a81662f664f58dc7fd83950810c63cb504483f504709e30e86ca96c69998ede0d8d9f6f73cb93e23b5b

  • SSDEEP

    768:pcGZo10tXONSD4bfAJz5mgPszag7X5bV1lUdFw/EWBOkhbcu/1H5NKnXdnhgPD4N:i039ySDEfAJz5mGszag7J51lE0hih

Score
10/10

Malware Config

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
  • Executes dropped EXE (64 IoCs)
  • Drops file in System32 directory (64 IoCs)
  • Program crash (1 IoC)
  • System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class (64 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\482560a97054cc78722a3351869f5faeebcf0391e00edf83245704b73264c2d7.exe
    "C:\Users\Admin\AppData\Local\Temp\482560a97054cc78722a3351869f5faeebcf0391e00edf83245704b73264c2d7.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3152
    • C:\Windows\SysWOW64\Ndcdmikd.exe
      C:\Windows\system32\Ndcdmikd.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1972
      • C:\Windows\SysWOW64\Ngbpidjh.exe
        C:\Windows\system32\Ngbpidjh.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:4204
        • C:\Windows\SysWOW64\Njqmepik.exe
          C:\Windows\system32\Njqmepik.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:4588
          • C:\Windows\SysWOW64\Nnlhfn32.exe
            C:\Windows\system32\Nnlhfn32.exe
            5⤵
            • Adds autorun key to be loaded by Explorer.exe on startup
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:5036
            • C:\Windows\SysWOW64\Ndfqbhia.exe
              C:\Windows\system32\Ndfqbhia.exe
              6⤵
              • Executes dropped EXE
              • Drops file in System32 directory
              • Modifies registry class
              • Suspicious use of WriteProcessMemory
              PID:4104
              • C:\Windows\SysWOW64\Ngdmod32.exe
                C:\Windows\system32\Ngdmod32.exe
                7⤵
                • Executes dropped EXE
                • Drops file in System32 directory
                • Modifies registry class
                • Suspicious use of WriteProcessMemory
                PID:1332
                • C:\Windows\SysWOW64\Njciko32.exe
                  C:\Windows\system32\Njciko32.exe
                  8⤵
                  • Executes dropped EXE
                  • Drops file in System32 directory
                  • System Location Discovery: System Language Discovery
                  • Modifies registry class
                  • Suspicious use of WriteProcessMemory
                  PID:1492
                  • C:\Windows\SysWOW64\Npmagine.exe
                    C:\Windows\system32\Npmagine.exe
                    9⤵
                    • Executes dropped EXE
                    • Drops file in System32 directory
                    • System Location Discovery: System Language Discovery
                    • Modifies registry class
                    • Suspicious use of WriteProcessMemory
                    PID:5040
                    • C:\Windows\SysWOW64\Ndhmhh32.exe
                      C:\Windows\system32\Ndhmhh32.exe
                      10⤵
                      • Adds autorun key to be loaded by Explorer.exe on startup
                      • Executes dropped EXE
                      • Drops file in System32 directory
                      • System Location Discovery: System Language Discovery
                      • Modifies registry class
                      • Suspicious use of WriteProcessMemory
                      PID:3368
                      • C:\Windows\SysWOW64\Nggjdc32.exe
                        C:\Windows\system32\Nggjdc32.exe
                        11⤵
                        • Adds autorun key to be loaded by Explorer.exe on startup
                        • Executes dropped EXE
                        • Suspicious use of WriteProcessMemory
                        PID:4496
                        • C:\Windows\SysWOW64\Njefqo32.exe
                          C:\Windows\system32\Njefqo32.exe
                          12⤵
                          • Adds autorun key to be loaded by Explorer.exe on startup
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of WriteProcessMemory
                          PID:3212
                          • C:\Windows\SysWOW64\Oponmilc.exe
                            C:\Windows\system32\Oponmilc.exe
                            13⤵
                            • Executes dropped EXE
                            • Suspicious use of WriteProcessMemory
                            PID:2812
                            • C:\Windows\SysWOW64\Ogifjcdp.exe
                              C:\Windows\system32\Ogifjcdp.exe
                              14⤵
                              • Executes dropped EXE
                              • Drops file in System32 directory
                              • Modifies registry class
                              • Suspicious use of WriteProcessMemory
                              PID:4860
                              • C:\Windows\SysWOW64\Ojgbfocc.exe
                                C:\Windows\system32\Ojgbfocc.exe
                                15⤵
                                • Executes dropped EXE
                                • Suspicious use of WriteProcessMemory
                                PID:4132
                                • C:\Windows\SysWOW64\Olfobjbg.exe
                                  C:\Windows\system32\Olfobjbg.exe
                                  16⤵
                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                  • Executes dropped EXE
                                  • Drops file in System32 directory
                                  • System Location Discovery: System Language Discovery
                                  • Suspicious use of WriteProcessMemory
                                  PID:1084
                                  • C:\Windows\SysWOW64\Odmgcgbi.exe
                                    C:\Windows\system32\Odmgcgbi.exe
                                    17⤵
                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                    • Executes dropped EXE
                                    • Modifies registry class
                                    • Suspicious use of WriteProcessMemory
                                    PID:4244
                                    • C:\Windows\SysWOW64\Ofnckp32.exe
                                      C:\Windows\system32\Ofnckp32.exe
                                      18⤵
                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                      • Executes dropped EXE
                                      • Drops file in System32 directory
                                      • System Location Discovery: System Language Discovery
                                      • Modifies registry class
                                      • Suspicious use of WriteProcessMemory
                                      PID:4896
                                      • C:\Windows\SysWOW64\Oneklm32.exe
                                        C:\Windows\system32\Oneklm32.exe
                                        19⤵
                                        • Executes dropped EXE
                                        • Drops file in System32 directory
                                        • Modifies registry class
                                        • Suspicious use of WriteProcessMemory
                                        PID:2892
                                        • C:\Windows\SysWOW64\Odocigqg.exe
                                          C:\Windows\system32\Odocigqg.exe
                                          20⤵
                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                          • Executes dropped EXE
                                          • Drops file in System32 directory
                                          • Suspicious use of WriteProcessMemory
                                          PID:1600
                                          • C:\Windows\SysWOW64\Ofqpqo32.exe
                                            C:\Windows\system32\Ofqpqo32.exe
                                            21⤵
                                            • Executes dropped EXE
                                            • System Location Discovery: System Language Discovery
                                            • Modifies registry class
                                            • Suspicious use of WriteProcessMemory
                                            PID:3904
                                            • C:\Windows\SysWOW64\Onhhamgg.exe
                                              C:\Windows\system32\Onhhamgg.exe
                                              22⤵
                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                              • Executes dropped EXE
                                              • Drops file in System32 directory
                                              • Suspicious use of WriteProcessMemory
                                              PID:4128
                                              • C:\Windows\SysWOW64\Odapnf32.exe
                                                C:\Windows\system32\Odapnf32.exe
                                                23⤵
                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                • Executes dropped EXE
                                                PID:2332
                                                • C:\Windows\SysWOW64\Ojoign32.exe
                                                  C:\Windows\system32\Ojoign32.exe
                                                  24⤵
                                                  • Executes dropped EXE
                                                  • System Location Discovery: System Language Discovery
                                                  • Modifies registry class
                                                  PID:912
                                                  • C:\Windows\SysWOW64\Oqhacgdh.exe
                                                    C:\Windows\system32\Oqhacgdh.exe
                                                    25⤵
                                                    • Executes dropped EXE
                                                    • System Location Discovery: System Language Discovery
                                                    PID:2140
                                                    • C:\Windows\SysWOW64\Ogbipa32.exe
                                                      C:\Windows\system32\Ogbipa32.exe
                                                      26⤵
                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                      • Executes dropped EXE
                                                      • Drops file in System32 directory
                                                      • Modifies registry class
                                                      PID:3416
                                                      • C:\Windows\SysWOW64\Ojaelm32.exe
                                                        C:\Windows\system32\Ojaelm32.exe
                                                        27⤵
                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                        • Executes dropped EXE
                                                        PID:644
                                                        • C:\Windows\SysWOW64\Pmoahijl.exe
                                                          C:\Windows\system32\Pmoahijl.exe
                                                          28⤵
                                                          • Executes dropped EXE
                                                          • Drops file in System32 directory
                                                          • Modifies registry class
                                                          PID:5076
                                                          • C:\Windows\SysWOW64\Pcijeb32.exe
                                                            C:\Windows\system32\Pcijeb32.exe
                                                            29⤵
                                                            • Executes dropped EXE
                                                            • System Location Discovery: System Language Discovery
                                                            PID:4344
                                                            • C:\Windows\SysWOW64\Pgefeajb.exe
                                                              C:\Windows\system32\Pgefeajb.exe
                                                              30⤵
                                                              • Executes dropped EXE
                                                              • System Location Discovery: System Language Discovery
                                                              PID:4500
                                                              • C:\Windows\SysWOW64\Pnonbk32.exe
                                                                C:\Windows\system32\Pnonbk32.exe
                                                                31⤵
                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                • Executes dropped EXE
                                                                • System Location Discovery: System Language Discovery
                                                                • Modifies registry class
                                                                PID:1464
                                                                • C:\Windows\SysWOW64\Pdifoehl.exe
                                                                  C:\Windows\system32\Pdifoehl.exe
                                                                  32⤵
                                                                  • Executes dropped EXE
                                                                  PID:4960
                                                                  • C:\Windows\SysWOW64\Pggbkagp.exe
                                                                    C:\Windows\system32\Pggbkagp.exe
                                                                    33⤵
                                                                    • Executes dropped EXE
                                                                    PID:2340
                                                                    • C:\Windows\SysWOW64\Pjeoglgc.exe
                                                                      C:\Windows\system32\Pjeoglgc.exe
                                                                      34⤵
                                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                                      • Executes dropped EXE
                                                                      PID:2556
                                                                      • C:\Windows\SysWOW64\Pqpgdfnp.exe
                                                                        C:\Windows\system32\Pqpgdfnp.exe
                                                                        35⤵
                                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                                        • Executes dropped EXE
                                                                        • System Location Discovery: System Language Discovery
                                                                        PID:2016
                                                                        • C:\Windows\SysWOW64\Pgioqq32.exe
                                                                          C:\Windows\system32\Pgioqq32.exe
                                                                          36⤵
                                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                                          • Executes dropped EXE
                                                                          PID:1304
                                                                          • C:\Windows\SysWOW64\Pjhlml32.exe
                                                                            C:\Windows\system32\Pjhlml32.exe
                                                                            37⤵
                                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                                            • Executes dropped EXE
                                                                            • Drops file in System32 directory
                                                                            • Modifies registry class
                                                                            PID:2528
                                                                            • C:\Windows\SysWOW64\Pncgmkmj.exe
                                                                              C:\Windows\system32\Pncgmkmj.exe
                                                                              38⤵
                                                                              • Executes dropped EXE
                                                                              • System Location Discovery: System Language Discovery
                                                                              • Modifies registry class
                                                                              PID:3728
                                                                              • C:\Windows\SysWOW64\Pqbdjfln.exe
                                                                                C:\Windows\system32\Pqbdjfln.exe
                                                                                39⤵
                                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                • Executes dropped EXE
                                                                                • Drops file in System32 directory
                                                                                • Modifies registry class
                                                                                PID:872
                                                                                • C:\Windows\SysWOW64\Pcppfaka.exe
                                                                                  C:\Windows\system32\Pcppfaka.exe
                                                                                  40⤵
                                                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                  • Executes dropped EXE
                                                                                  PID:4708
                                                                                  • C:\Windows\SysWOW64\Pfolbmje.exe
                                                                                    C:\Windows\system32\Pfolbmje.exe
                                                                                    41⤵
                                                                                    • Executes dropped EXE
                                                                                    • System Location Discovery: System Language Discovery
                                                                                    PID:1364
                                                                                    • C:\Windows\SysWOW64\Pjjhbl32.exe
                                                                                      C:\Windows\system32\Pjjhbl32.exe
                                                                                      42⤵
                                                                                      • Executes dropped EXE
                                                                                      • Drops file in System32 directory
                                                                                      • System Location Discovery: System Language Discovery
                                                                                      PID:3864
                                                                                      • C:\Windows\SysWOW64\Pmidog32.exe
                                                                                        C:\Windows\system32\Pmidog32.exe
                                                                                        43⤵
                                                                                        • Executes dropped EXE
                                                                                        PID:868
                                                                                        • C:\Windows\SysWOW64\Pdpmpdbd.exe
                                                                                          C:\Windows\system32\Pdpmpdbd.exe
                                                                                          44⤵
                                                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                          • Executes dropped EXE
                                                                                          • Drops file in System32 directory
                                                                                          PID:3456
                                                                                          • C:\Windows\SysWOW64\Pcbmka32.exe
                                                                                            C:\Windows\system32\Pcbmka32.exe
                                                                                            45⤵
                                                                                            • Executes dropped EXE
                                                                                            • System Location Discovery: System Language Discovery
                                                                                            PID:2236
                                                                                            • C:\Windows\SysWOW64\Pfaigm32.exe
                                                                                              C:\Windows\system32\Pfaigm32.exe
                                                                                              46⤵
                                                                                              • Executes dropped EXE
                                                                                              • System Location Discovery: System Language Discovery
                                                                                              PID:3668
                                                                                              • C:\Windows\SysWOW64\Pjmehkqk.exe
                                                                                                C:\Windows\system32\Pjmehkqk.exe
                                                                                                47⤵
                                                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                • Executes dropped EXE
                                                                                                PID:1244
                                                                                                • C:\Windows\SysWOW64\Qmkadgpo.exe
                                                                                                  C:\Windows\system32\Qmkadgpo.exe
                                                                                                  48⤵
                                                                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                  • Executes dropped EXE
                                                                                                  PID:4972
                                                                                                  • C:\Windows\SysWOW64\Qdbiedpa.exe
                                                                                                    C:\Windows\system32\Qdbiedpa.exe
                                                                                                    49⤵
                                                                                                    • Executes dropped EXE
                                                                                                    • Modifies registry class
                                                                                                    PID:3872
                                                                                                    • C:\Windows\SysWOW64\Qceiaa32.exe
                                                                                                      C:\Windows\system32\Qceiaa32.exe
                                                                                                      50⤵
                                                                                                      • Executes dropped EXE
                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                      PID:2820
                                                                                                      • C:\Windows\SysWOW64\Qfcfml32.exe
                                                                                                        C:\Windows\system32\Qfcfml32.exe
                                                                                                        51⤵
                                                                                                        • Executes dropped EXE
                                                                                                        • Modifies registry class
                                                                                                        PID:1980
                                                                                                        • C:\Windows\SysWOW64\Qjoankoi.exe
                                                                                                          C:\Windows\system32\Qjoankoi.exe
                                                                                                          52⤵
                                                                                                          • Executes dropped EXE
                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                          PID:404
                                                                                                          • C:\Windows\SysWOW64\Qmmnjfnl.exe
                                                                                                            C:\Windows\system32\Qmmnjfnl.exe
                                                                                                            53⤵
                                                                                                            • Executes dropped EXE
                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                            PID:2648
                                                                                                            • C:\Windows\SysWOW64\Qddfkd32.exe
                                                                                                              C:\Windows\system32\Qddfkd32.exe
                                                                                                              54⤵
                                                                                                              • Executes dropped EXE
                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                              PID:3468
                                                                                                              • C:\Windows\SysWOW64\Qgcbgo32.exe
                                                                                                                C:\Windows\system32\Qgcbgo32.exe
                                                                                                                55⤵
                                                                                                                • Executes dropped EXE
                                                                                                                • Drops file in System32 directory
                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                PID:4136
                                                                                                                • C:\Windows\SysWOW64\Ajanck32.exe
                                                                                                                  C:\Windows\system32\Ajanck32.exe
                                                                                                                  56⤵
                                                                                                                  • Executes dropped EXE
                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                  PID:4736
                                                                                                                  • C:\Windows\SysWOW64\Ampkof32.exe
                                                                                                                    C:\Windows\system32\Ampkof32.exe
                                                                                                                    57⤵
                                                                                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                    • Executes dropped EXE
                                                                                                                    • Drops file in System32 directory
                                                                                                                    • Modifies registry class
                                                                                                                    PID:2416
                                                                                                                    • C:\Windows\SysWOW64\Adgbpc32.exe
                                                                                                                      C:\Windows\system32\Adgbpc32.exe
                                                                                                                      58⤵
                                                                                                                      • Executes dropped EXE
                                                                                                                      • Drops file in System32 directory
                                                                                                                      PID:3464
                                                                                                                      • C:\Windows\SysWOW64\Ageolo32.exe
                                                                                                                        C:\Windows\system32\Ageolo32.exe
                                                                                                                        59⤵
                                                                                                                        • Executes dropped EXE
                                                                                                                        • Drops file in System32 directory
                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                        • Modifies registry class
                                                                                                                        PID:2264
                                                                                                                        • C:\Windows\SysWOW64\Ajckij32.exe
                                                                                                                          C:\Windows\system32\Ajckij32.exe
                                                                                                                          60⤵
                                                                                                                          • Executes dropped EXE
                                                                                                                          PID:4052
                                                                                                                          • C:\Windows\SysWOW64\Ambgef32.exe
                                                                                                                            C:\Windows\system32\Ambgef32.exe
                                                                                                                            61⤵
                                                                                                                            • Executes dropped EXE
                                                                                                                            • Drops file in System32 directory
                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                            • Modifies registry class
                                                                                                                            PID:4876
                                                                                                                            • C:\Windows\SysWOW64\Aeiofcji.exe
                                                                                                                              C:\Windows\system32\Aeiofcji.exe
                                                                                                                              62⤵
                                                                                                                              • Executes dropped EXE
                                                                                                                              • Modifies registry class
                                                                                                                              PID:5104
                                                                                                                              • C:\Windows\SysWOW64\Agglboim.exe
                                                                                                                                C:\Windows\system32\Agglboim.exe
                                                                                                                                63⤵
                                                                                                                                • Executes dropped EXE
                                                                                                                                • Drops file in System32 directory
                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                PID:2144
                                                                                                                                • C:\Windows\SysWOW64\Afjlnk32.exe
                                                                                                                                  C:\Windows\system32\Afjlnk32.exe
                                                                                                                                  64⤵
                                                                                                                                  • Executes dropped EXE
                                                                                                                                  PID:4476
                                                                                                                                  • C:\Windows\SysWOW64\Amddjegd.exe
                                                                                                                                    C:\Windows\system32\Amddjegd.exe
                                                                                                                                    65⤵
                                                                                                                                    • Executes dropped EXE
                                                                                                                                    • Drops file in System32 directory
                                                                                                                                    PID:784
                                                                                                                                    • C:\Windows\SysWOW64\Aqppkd32.exe
                                                                                                                                      C:\Windows\system32\Aqppkd32.exe
                                                                                                                                      66⤵
                                                                                                                                      • Drops file in System32 directory
                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                      PID:1072
                                                                                                                                      • C:\Windows\SysWOW64\Acnlgp32.exe
                                                                                                                                        C:\Windows\system32\Acnlgp32.exe
                                                                                                                                        67⤵
                                                                                                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                        • Modifies registry class
                                                                                                                                        PID:2120
                                                                                                                                        • C:\Windows\SysWOW64\Ajhddjfn.exe
                                                                                                                                          C:\Windows\system32\Ajhddjfn.exe
                                                                                                                                          68⤵
                                                                                                                                          • Drops file in System32 directory
                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                          PID:4912
                                                                                                                                          • C:\Windows\SysWOW64\Amgapeea.exe
                                                                                                                                            C:\Windows\system32\Amgapeea.exe
                                                                                                                                            69⤵
                                                                                                                                              PID:2796
                                                                                                                                              • C:\Windows\SysWOW64\Aabmqd32.exe
                                                                                                                                                C:\Windows\system32\Aabmqd32.exe
                                                                                                                                                70⤵
                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                • Modifies registry class
                                                                                                                                                PID:2324
                                                                                                                                                • C:\Windows\SysWOW64\Acqimo32.exe
                                                                                                                                                  C:\Windows\system32\Acqimo32.exe
                                                                                                                                                  71⤵
                                                                                                                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                  • Modifies registry class
                                                                                                                                                  PID:2808
                                                                                                                                                  • C:\Windows\SysWOW64\Afoeiklb.exe
                                                                                                                                                    C:\Windows\system32\Afoeiklb.exe
                                                                                                                                                    72⤵
                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                    PID:4192
                                                                                                                                                    • C:\Windows\SysWOW64\Aminee32.exe
                                                                                                                                                      C:\Windows\system32\Aminee32.exe
                                                                                                                                                      73⤵
                                                                                                                                                      • Drops file in System32 directory
                                                                                                                                                      PID:1088
                                                                                                                                                      • C:\Windows\SysWOW64\Accfbokl.exe
                                                                                                                                                        C:\Windows\system32\Accfbokl.exe
                                                                                                                                                        74⤵
                                                                                                                                                        • Drops file in System32 directory
                                                                                                                                                        • Modifies registry class
                                                                                                                                                        PID:4308
                                                                                                                                                        • C:\Windows\SysWOW64\Agoabn32.exe
                                                                                                                                                          C:\Windows\system32\Agoabn32.exe
                                                                                                                                                          75⤵
                                                                                                                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                          • Drops file in System32 directory
                                                                                                                                                          PID:4760
                                                                                                                                                          • C:\Windows\SysWOW64\Bmkjkd32.exe
                                                                                                                                                            C:\Windows\system32\Bmkjkd32.exe
                                                                                                                                                            76⤵
                                                                                                                                                            • Drops file in System32 directory
                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                            • Modifies registry class
                                                                                                                                                            PID:1392
                                                                                                                                                            • C:\Windows\SysWOW64\Bebblb32.exe
                                                                                                                                                              C:\Windows\system32\Bebblb32.exe
                                                                                                                                                              77⤵
                                                                                                                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                              • Drops file in System32 directory
                                                                                                                                                              • Modifies registry class
                                                                                                                                                              PID:4044
                                                                                                                                                              • C:\Windows\SysWOW64\Bcebhoii.exe
                                                                                                                                                                C:\Windows\system32\Bcebhoii.exe
                                                                                                                                                                78⤵
                                                                                                                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                PID:4332
                                                                                                                                                                • C:\Windows\SysWOW64\Bjokdipf.exe
                                                                                                                                                                  C:\Windows\system32\Bjokdipf.exe
                                                                                                                                                                  79⤵
                                                                                                                                                                    PID:4268
                                                                                                                                                                    • C:\Windows\SysWOW64\Bmngqdpj.exe
                                                                                                                                                                      C:\Windows\system32\Bmngqdpj.exe
                                                                                                                                                                      80⤵
                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                      PID:3620
                                                                                                                                                                      • C:\Windows\SysWOW64\Baicac32.exe
                                                                                                                                                                        C:\Windows\system32\Baicac32.exe
                                                                                                                                                                        81⤵
                                                                                                                                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                        • Drops file in System32 directory
                                                                                                                                                                        PID:2900
                                                                                                                                                                        • C:\Windows\SysWOW64\Bchomn32.exe
                                                                                                                                                                          C:\Windows\system32\Bchomn32.exe
                                                                                                                                                                          82⤵
                                                                                                                                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                          • Modifies registry class
                                                                                                                                                                          PID:1268
                                                                                                                                                                          • C:\Windows\SysWOW64\Bgcknmop.exe
                                                                                                                                                                            C:\Windows\system32\Bgcknmop.exe
                                                                                                                                                                            83⤵
                                                                                                                                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                            • Modifies registry class
                                                                                                                                                                            PID:3356
                                                                                                                                                                            • C:\Windows\SysWOW64\Bnmcjg32.exe
                                                                                                                                                                              C:\Windows\system32\Bnmcjg32.exe
                                                                                                                                                                              84⤵
                                                                                                                                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                                              PID:5128
                                                                                                                                                                              • C:\Windows\SysWOW64\Beglgani.exe
                                                                                                                                                                                C:\Windows\system32\Beglgani.exe
                                                                                                                                                                                85⤵
                                                                                                                                                                                  PID:5172
                                                                                                                                                                                  • C:\Windows\SysWOW64\Bgehcmmm.exe
                                                                                                                                                                                    C:\Windows\system32\Bgehcmmm.exe
                                                                                                                                                                                    86⤵
                                                                                                                                                                                    • Drops file in System32 directory
                                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                                    PID:5216
                                                                                                                                                                                    • C:\Windows\SysWOW64\Bnpppgdj.exe
                                                                                                                                                                                      C:\Windows\system32\Bnpppgdj.exe
                                                                                                                                                                                      87⤵
                                                                                                                                                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                                      PID:5260
                                                                                                                                                                                      • C:\Windows\SysWOW64\Banllbdn.exe
                                                                                                                                                                                        C:\Windows\system32\Banllbdn.exe
                                                                                                                                                                                        88⤵
                                                                                                                                                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                        PID:5304
                                                                                                                                                                                        • C:\Windows\SysWOW64\Bclhhnca.exe
                                                                                                                                                                                          C:\Windows\system32\Bclhhnca.exe
                                                                                                                                                                                          89⤵
                                                                                                                                                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                          PID:5348
                                                                                                                                                                                          • C:\Windows\SysWOW64\Bhhdil32.exe
                                                                                                                                                                                            C:\Windows\system32\Bhhdil32.exe
                                                                                                                                                                                            90⤵
                                                                                                                                                                                            • Drops file in System32 directory
                                                                                                                                                                                            PID:5384
                                                                                                                                                                                            • C:\Windows\SysWOW64\Bjfaeh32.exe
                                                                                                                                                                                              C:\Windows\system32\Bjfaeh32.exe
                                                                                                                                                                                              91⤵
                                                                                                                                                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                              PID:5436
                                                                                                                                                                                              • C:\Windows\SysWOW64\Bmemac32.exe
                                                                                                                                                                                                C:\Windows\system32\Bmemac32.exe
                                                                                                                                                                                                92⤵
                                                                                                                                                                                                • Drops file in System32 directory
                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                PID:5480
                                                                                                                                                                                                • C:\Windows\SysWOW64\Bcoenmao.exe
                                                                                                                                                                                                  C:\Windows\system32\Bcoenmao.exe
                                                                                                                                                                                                  93⤵
                                                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                                                  • Modifies registry class
                                                                                                                                                                                                  PID:5524
                                                                                                                                                                                                  • C:\Windows\SysWOW64\Cfmajipb.exe
                                                                                                                                                                                                    C:\Windows\system32\Cfmajipb.exe
                                                                                                                                                                                                    94⤵
                                                                                                                                                                                                      PID:5580
                                                                                                                                                                                                      • C:\Windows\SysWOW64\Cndikf32.exe
                                                                                                                                                                                                        C:\Windows\system32\Cndikf32.exe
                                                                                                                                                                                                        95⤵
                                                                                                                                                                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                        PID:5632
                                                                                                                                                                                                        • C:\Windows\SysWOW64\Cabfga32.exe
                                                                                                                                                                                                          C:\Windows\system32\Cabfga32.exe
                                                                                                                                                                                                          96⤵
                                                                                                                                                                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                          • Drops file in System32 directory
                                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                                          PID:5676
                                                                                                                                                                                                          • C:\Windows\SysWOW64\Cenahpha.exe
                                                                                                                                                                                                            C:\Windows\system32\Cenahpha.exe
                                                                                                                                                                                                            97⤵
                                                                                                                                                                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                                                            • Modifies registry class
                                                                                                                                                                                                            PID:5720
                                                                                                                                                                                                            • C:\Windows\SysWOW64\Cdabcm32.exe
                                                                                                                                                                                                              C:\Windows\system32\Cdabcm32.exe
                                                                                                                                                                                                              98⤵
                                                                                                                                                                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                              • Drops file in System32 directory
                                                                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                                                                              • Modifies registry class
                                                                                                                                                                                                              PID:5764
                                                                                                                                                                                                              • C:\Windows\SysWOW64\Cmiflbel.exe
                                                                                                                                                                                                                C:\Windows\system32\Cmiflbel.exe
                                                                                                                                                                                                                99⤵
                                                                                                                                                                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                • Drops file in System32 directory
                                                                                                                                                                                                                PID:5816
                                                                                                                                                                                                                • C:\Windows\SysWOW64\Ceqnmpfo.exe
                                                                                                                                                                                                                  C:\Windows\system32\Ceqnmpfo.exe
                                                                                                                                                                                                                  100⤵
                                                                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                  PID:5880
                                                                                                                                                                                                                  • C:\Windows\SysWOW64\Cfbkeh32.exe
                                                                                                                                                                                                                    C:\Windows\system32\Cfbkeh32.exe
                                                                                                                                                                                                                    101⤵
                                                                                                                                                                                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                    • Modifies registry class
                                                                                                                                                                                                                    PID:5940
                                                                                                                                                                                                                    • C:\Windows\SysWOW64\Cjmgfgdf.exe
                                                                                                                                                                                                                      C:\Windows\system32\Cjmgfgdf.exe
                                                                                                                                                                                                                      102⤵
                                                                                                                                                                                                                      • Modifies registry class
                                                                                                                                                                                                                      PID:5988
                                                                                                                                                                                                                      • C:\Windows\SysWOW64\Cmlcbbcj.exe
                                                                                                                                                                                                                        C:\Windows\system32\Cmlcbbcj.exe
                                                                                                                                                                                                                        103⤵
                                                                                                                                                                                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                        • Modifies registry class
                                                                                                                                                                                                                        PID:6032
                                                                                                                                                                                                                        • C:\Windows\SysWOW64\Ceckcp32.exe
                                                                                                                                                                                                                          C:\Windows\system32\Ceckcp32.exe
                                                                                                                                                                                                                          104⤵
                                                                                                                                                                                                                          • Drops file in System32 directory
                                                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                          • Modifies registry class
                                                                                                                                                                                                                          PID:6076
                                                                                                                                                                                                                          • C:\Windows\SysWOW64\Cdfkolkf.exe
                                                                                                                                                                                                                            C:\Windows\system32\Cdfkolkf.exe
                                                                                                                                                                                                                            105⤵
                                                                                                                                                                                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                            • Drops file in System32 directory
                                                                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                            PID:6120
                                                                                                                                                                                                                            • C:\Windows\SysWOW64\Chagok32.exe
                                                                                                                                                                                                                              C:\Windows\system32\Chagok32.exe
                                                                                                                                                                                                                              106⤵
                                                                                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                              PID:1020
                                                                                                                                                                                                                              • C:\Windows\SysWOW64\Cjpckf32.exe
                                                                                                                                                                                                                                C:\Windows\system32\Cjpckf32.exe
                                                                                                                                                                                                                                107⤵
                                                                                                                                                                                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                • Modifies registry class
                                                                                                                                                                                                                                PID:5212
                                                                                                                                                                                                                                • C:\Windows\SysWOW64\Cnkplejl.exe
                                                                                                                                                                                                                                  C:\Windows\system32\Cnkplejl.exe
                                                                                                                                                                                                                                  108⤵
                                                                                                                                                                                                                                  • Drops file in System32 directory
                                                                                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                  PID:5268
                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\Cajlhqjp.exe
                                                                                                                                                                                                                                    C:\Windows\system32\Cajlhqjp.exe
                                                                                                                                                                                                                                    109⤵
                                                                                                                                                                                                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                    PID:5336
                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\Ceehho32.exe
                                                                                                                                                                                                                                      C:\Windows\system32\Ceehho32.exe
                                                                                                                                                                                                                                      110⤵
                                                                                                                                                                                                                                      • Drops file in System32 directory
                                                                                                                                                                                                                                      • Modifies registry class
                                                                                                                                                                                                                                      PID:5316
                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\Chcddk32.exe
                                                                                                                                                                                                                                        C:\Windows\system32\Chcddk32.exe
                                                                                                                                                                                                                                        111⤵
                                                                                                                                                                                                                                        • Drops file in System32 directory
                                                                                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                        • Modifies registry class
                                                                                                                                                                                                                                        PID:5468
                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\Cjbpaf32.exe
                                                                                                                                                                                                                                          C:\Windows\system32\Cjbpaf32.exe
                                                                                                                                                                                                                                          112⤵
                                                                                                                                                                                                                                          • Modifies registry class
                                                                                                                                                                                                                                          PID:5536
                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\Cmqmma32.exe
                                                                                                                                                                                                                                            C:\Windows\system32\Cmqmma32.exe
                                                                                                                                                                                                                                            113⤵
                                                                                                                                                                                                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                            • Drops file in System32 directory
                                                                                                                                                                                                                                            • Modifies registry class
                                                                                                                                                                                                                                            PID:5616
                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\Calhnpgn.exe
                                                                                                                                                                                                                                              C:\Windows\system32\Calhnpgn.exe
                                                                                                                                                                                                                                              114⤵
                                                                                                                                                                                                                                              • Drops file in System32 directory
                                                                                                                                                                                                                                              PID:5696
                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\Ddjejl32.exe
                                                                                                                                                                                                                                                C:\Windows\system32\Ddjejl32.exe
                                                                                                                                                                                                                                                115⤵
                                                                                                                                                                                                                                                  PID:5760
                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\Dejacond.exe
                                                                                                                                                                                                                                                    C:\Windows\system32\Dejacond.exe
                                                                                                                                                                                                                                                    116⤵
                                                                                                                                                                                                                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                                    • Drops file in System32 directory
                                                                                                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                    PID:5872
                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\Dfknkg32.exe
                                                                                                                                                                                                                                                      C:\Windows\system32\Dfknkg32.exe
                                                                                                                                                                                                                                                      117⤵
                                                                                                                                                                                                                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                                      PID:6004
                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\Dobfld32.exe
                                                                                                                                                                                                                                                        C:\Windows\system32\Dobfld32.exe
                                                                                                                                                                                                                                                        118⤵
                                                                                                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                        PID:6064
                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\Daqbip32.exe
                                                                                                                                                                                                                                                          C:\Windows\system32\Daqbip32.exe
                                                                                                                                                                                                                                                          119⤵
                                                                                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                          • Modifies registry class
                                                                                                                                                                                                                                                          PID:4596
                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\Ddonekbl.exe
                                                                                                                                                                                                                                                            C:\Windows\system32\Ddonekbl.exe
                                                                                                                                                                                                                                                            120⤵
                                                                                                                                                                                                                                                            • Drops file in System32 directory
                                                                                                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                            PID:5160
                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\Dhkjej32.exe
                                                                                                                                                                                                                                                              C:\Windows\system32\Dhkjej32.exe
                                                                                                                                                                                                                                                              121⤵
                                                                                                                                                                                                                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                                              • Drops file in System32 directory
                                                                                                                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                              • Modifies registry class
                                                                                                                                                                                                                                                              PID:5328
                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\Dkifae32.exe
                                                                                                                                                                                                                                                                C:\Windows\system32\Dkifae32.exe
                                                                                                                                                                                                                                                                122⤵
                                                                                                                                                                                                                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                                                PID:5396
                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\Dodbbdbb.exe
                                                                                                                                                                                                                                                                  C:\Windows\system32\Dodbbdbb.exe
                                                                                                                                                                                                                                                                  123⤵
                                                                                                                                                                                                                                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                                                  • Modifies registry class
                                                                                                                                                                                                                                                                  PID:5532
                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\Daconoae.exe
                                                                                                                                                                                                                                                                    C:\Windows\system32\Daconoae.exe
                                                                                                                                                                                                                                                                    124⤵
                                                                                                                                                                                                                                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                    PID:5644
                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\Deokon32.exe
                                                                                                                                                                                                                                                                      C:\Windows\system32\Deokon32.exe
                                                                                                                                                                                                                                                                      125⤵
                                                                                                                                                                                                                                                                        PID:5752
                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\Dhmgki32.exe
                                                                                                                                                                                                                                                                          C:\Windows\system32\Dhmgki32.exe
                                                                                                                                                                                                                                                                          126⤵
                                                                                                                                                                                                                                                                          • Modifies registry class
                                                                                                                                                                                                                                                                          PID:5984
                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\Dkkcge32.exe
                                                                                                                                                                                                                                                                            C:\Windows\system32\Dkkcge32.exe
                                                                                                                                                                                                                                                                            127⤵
                                                                                                                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                            • Modifies registry class
                                                                                                                                                                                                                                                                            PID:6048
                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\Dmjocp32.exe
                                                                                                                                                                                                                                                                              C:\Windows\system32\Dmjocp32.exe
                                                                                                                                                                                                                                                                              128⤵
                                                                                                                                                                                                                                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                              • Modifies registry class
                                                                                                                                                                                                                                                                              PID:5164
                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\Daekdooc.exe
                                                                                                                                                                                                                                                                                C:\Windows\system32\Daekdooc.exe
                                                                                                                                                                                                                                                                                129⤵
                                                                                                                                                                                                                                                                                • Drops file in System32 directory
                                                                                                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                PID:5296
                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\Dddhpjof.exe
                                                                                                                                                                                                                                                                                  C:\Windows\system32\Dddhpjof.exe
                                                                                                                                                                                                                                                                                  130⤵
                                                                                                                                                                                                                                                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                  PID:5508
                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\Dhocqigp.exe
                                                                                                                                                                                                                                                                                    C:\Windows\system32\Dhocqigp.exe
                                                                                                                                                                                                                                                                                    131⤵
                                                                                                                                                                                                                                                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                                                                    • Modifies registry class
                                                                                                                                                                                                                                                                                    PID:5660
                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\Dknpmdfc.exe
                                                                                                                                                                                                                                                                                      C:\Windows\system32\Dknpmdfc.exe
                                                                                                                                                                                                                                                                                      132⤵
                                                                                                                                                                                                                                                                                      • Drops file in System32 directory
                                                                                                                                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                      PID:5864
                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\Dmllipeg.exe
                                                                                                                                                                                                                                                                                        C:\Windows\system32\Dmllipeg.exe
                                                                                                                                                                                                                                                                                        133⤵
                                                                                                                                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                        PID:6136
                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                          C:\Windows\SysWOW64\WerFault.exe -u -p 6136 -s 396
                                                                                                                                                                                                                                                                                          134⤵
                                                                                                                                                                                                                                                                                          • Program crash
                                                                                                                                                                                                                                                                                          PID:6128
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 6136 -ip 6136
                1⤵
                  PID:5492

                Network

                MITRE ATT&CK Enterprise v15


                Downloads



                  Filesize

                  212KB

                • memory/2820-359-0x0000000000400000-0x0000000000435000-memory.dmp

                  Filesize

                  212KB

                • memory/2892-145-0x0000000000400000-0x0000000000435000-memory.dmp

                  Filesize

                  212KB

                • memory/2900-546-0x0000000000400000-0x0000000000435000-memory.dmp

                  Filesize

                  212KB

                • memory/3152-539-0x0000000000400000-0x0000000000435000-memory.dmp

                  Filesize

                  212KB

                • memory/3152-0-0x0000000000400000-0x0000000000435000-memory.dmp

                  Filesize

                  212KB

                • memory/3152-1-0x0000000000431000-0x0000000000432000-memory.dmp

                  Filesize

                  4KB

                • memory/3212-88-0x0000000000400000-0x0000000000435000-memory.dmp

                  Filesize

                  212KB

                • memory/3356-560-0x0000000000400000-0x0000000000435000-memory.dmp

                  Filesize

                  212KB

                • memory/3368-73-0x0000000000400000-0x0000000000435000-memory.dmp

                  Filesize

                  212KB

                • memory/3416-200-0x0000000000400000-0x0000000000435000-memory.dmp

                  Filesize

                  212KB

                • memory/3456-323-0x0000000000400000-0x0000000000435000-memory.dmp

                  Filesize

                  212KB

                • memory/3464-411-0x0000000000400000-0x0000000000435000-memory.dmp

                  Filesize

                  212KB

                • memory/3468-383-0x0000000000400000-0x0000000000435000-memory.dmp

                  Filesize

                  212KB

                • memory/3620-540-0x0000000000400000-0x0000000000435000-memory.dmp

                  Filesize

                  212KB

                • memory/3668-335-0x0000000000400000-0x0000000000435000-memory.dmp

                  Filesize

                  212KB

                • memory/3728-287-0x0000000000400000-0x0000000000435000-memory.dmp

                  Filesize

                  212KB

                • memory/3864-311-0x0000000000400000-0x0000000000435000-memory.dmp

                  Filesize

                  212KB

                • memory/3872-353-0x0000000000400000-0x0000000000435000-memory.dmp

                  Filesize

                  212KB

                • memory/3904-160-0x0000000000400000-0x0000000000435000-memory.dmp

                  Filesize

                  212KB

                • memory/4044-521-0x0000000000400000-0x0000000000435000-memory.dmp

                  Filesize

                  212KB

                • memory/4052-419-0x0000000000400000-0x0000000000435000-memory.dmp

                  Filesize

                  212KB

                • memory/4104-580-0x0000000000400000-0x0000000000435000-memory.dmp

                  Filesize

                  212KB

                • memory/4104-40-0x0000000000400000-0x0000000000435000-memory.dmp

                  Filesize

                  212KB

                • memory/4128-168-0x0000000000400000-0x0000000000435000-memory.dmp

                  Filesize

                  212KB

                • memory/4132-112-0x0000000000400000-0x0000000000435000-memory.dmp

                  Filesize

                  212KB

                • memory/4136-389-0x0000000000400000-0x0000000000435000-memory.dmp

                  Filesize

                  212KB

                • memory/4192-491-0x0000000000400000-0x0000000000435000-memory.dmp

                  Filesize

                  212KB

                • memory/4204-559-0x0000000000400000-0x0000000000435000-memory.dmp

                  Filesize

                  212KB

                • memory/4204-16-0x0000000000400000-0x0000000000435000-memory.dmp

                  Filesize

                  212KB

                • memory/4244-129-0x0000000000400000-0x0000000000435000-memory.dmp

                  Filesize

                  212KB

                • memory/4268-533-0x0000000000400000-0x0000000000435000-memory.dmp

                  Filesize

                  212KB

                • memory/4308-505-0x0000000000400000-0x0000000000435000-memory.dmp

                  Filesize

                  212KB

                • memory/4332-527-0x0000000000400000-0x0000000000435000-memory.dmp

                  Filesize

                  212KB

                • memory/4344-230-0x0000000000400000-0x0000000000435000-memory.dmp

                  Filesize

                  212KB

                • memory/4476-443-0x0000000000400000-0x0000000000435000-memory.dmp

                  Filesize

                  212KB

                • memory/4496-80-0x0000000000400000-0x0000000000435000-memory.dmp

                  Filesize

                  212KB

                • memory/4500-233-0x0000000000400000-0x0000000000435000-memory.dmp

                  Filesize

                  212KB

                • memory/4588-24-0x0000000000400000-0x0000000000435000-memory.dmp

                  Filesize

                  212KB

                • memory/4588-566-0x0000000000400000-0x0000000000435000-memory.dmp

                  Filesize

                  212KB

                • memory/4708-299-0x0000000000400000-0x0000000000435000-memory.dmp

                  Filesize

                  212KB

                • memory/4736-395-0x0000000000400000-0x0000000000435000-memory.dmp

                  Filesize

                  212KB

                • memory/4760-509-0x0000000000400000-0x0000000000435000-memory.dmp

                  Filesize

                  212KB

                • memory/4860-104-0x0000000000400000-0x0000000000435000-memory.dmp

                  Filesize

                  212KB

                • memory/4876-425-0x0000000000400000-0x0000000000435000-memory.dmp

                  Filesize

                  212KB

                • memory/4896-136-0x0000000000400000-0x0000000000435000-memory.dmp

                  Filesize

                  212KB

                • memory/4912-467-0x0000000000400000-0x0000000000435000-memory.dmp

                  Filesize

                  212KB

                • memory/4960-253-0x0000000000400000-0x0000000000435000-memory.dmp

                  Filesize

                  212KB

                • memory/4972-347-0x0000000000400000-0x0000000000435000-memory.dmp

                  Filesize

                  212KB

                • memory/5036-573-0x0000000000400000-0x0000000000435000-memory.dmp

                  Filesize

                  212KB

                • memory/5036-32-0x0000000000400000-0x0000000000435000-memory.dmp

                  Filesize

                  212KB

                • memory/5040-64-0x0000000000400000-0x0000000000435000-memory.dmp

                  Filesize

                  212KB

                • memory/5076-217-0x0000000000400000-0x0000000000435000-memory.dmp

                  Filesize

                  212KB

                • memory/5104-431-0x0000000000400000-0x0000000000435000-memory.dmp

                  Filesize

                  212KB

                • memory/5128-567-0x0000000000400000-0x0000000000435000-memory.dmp

                  Filesize

                  212KB

                • memory/5172-574-0x0000000000400000-0x0000000000435000-memory.dmp

                  Filesize

                  212KB

                • memory/5216-581-0x0000000000400000-0x0000000000435000-memory.dmp

                  Filesize

                  212KB

                • memory/5260-588-0x0000000000400000-0x0000000000435000-memory.dmp

                  Filesize

                  212KB