Analysis

  • max time kernel
    93s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240910-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20240910-en locale:en-us os:windows10-2004-x64 system
  • submitted
    16-09-2024 10:35

General

  • Target

    Backdoor.Win32.Berbew.AA.exe

  • Size

    64KB

  • MD5

    597bec7c04fdbec6808fccd082bd2b90

  • SHA1

    a1fedf4cf452bde886aa6533105bcc8517d0daee

  • SHA256

    4bc64c8af938f5fd093f9a1d9e8ad6fcfdaef698c51079f1e209d456d7510bd5

  • SHA512

    64a8b8a9c5f3a69516e2f6f2c7267ffd38ac2d1fef810c98059100a2406df24d97bb35284f7531c035682dedd750038262a43ca9505aceb5f9fc8c5170f5f790

  • SSDEEP

    1536:C0s4qNCCIcDc+Px5GI9XLTywtOYkqqPq2y9bTdlA2LprDWBi:W1IkcA5PXLTx8PaTdPp2Bi

Malware Config

Extracted

Family

berbew

C2


Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
  • Berbew

    Berbew is a backdoor written in C++.

  • Executes dropped EXE 64 IoCs
  • Drops file in System32 directory 64 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.AA.exe
    "C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.AA.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4116
    • C:\Windows\SysWOW64\Mfqlfb32.exe
      C:\Windows\system32\Mfqlfb32.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:3284
      • C:\Windows\SysWOW64\Mmkdcm32.exe
        C:\Windows\system32\Mmkdcm32.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Suspicious use of WriteProcessMemory
        PID:4540
        • C:\Windows\SysWOW64\Moipoh32.exe
          C:\Windows\system32\Moipoh32.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2084
          • C:\Windows\SysWOW64\Mgphpe32.exe
            C:\Windows\system32\Mgphpe32.exe
            5⤵
            • Adds autorun key to be loaded by Explorer.exe on startup
            • Executes dropped EXE
            • Drops file in System32 directory
            • Suspicious use of WriteProcessMemory
            PID:4056
            • C:\Windows\SysWOW64\Mnjqmpgg.exe
              C:\Windows\system32\Mnjqmpgg.exe
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              • Suspicious use of WriteProcessMemory
              PID:1424
              • C:\Windows\SysWOW64\Mqimikfj.exe
                C:\Windows\system32\Mqimikfj.exe
                7⤵
                • Adds autorun key to be loaded by Explorer.exe on startup
                • Executes dropped EXE
                • Drops file in System32 directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:4396
                • C:\Windows\SysWOW64\Mgbefe32.exe
                  C:\Windows\system32\Mgbefe32.exe
                  8⤵
                  • Adds autorun key to be loaded by Explorer.exe on startup
                  • Executes dropped EXE
                  • Drops file in System32 directory
                  • Modifies registry class
                  • Suspicious use of WriteProcessMemory
                  PID:556
                  • C:\Windows\SysWOW64\Mjaabq32.exe
                    C:\Windows\system32\Mjaabq32.exe
                    9⤵
                    • Adds autorun key to be loaded by Explorer.exe on startup
                    • Executes dropped EXE
                    • System Location Discovery: System Language Discovery
                    • Modifies registry class
                    • Suspicious use of WriteProcessMemory
                    PID:524
                    • C:\Windows\SysWOW64\Mmpmnl32.exe
                      C:\Windows\system32\Mmpmnl32.exe
                      10⤵
                      • Executes dropped EXE
                      • Drops file in System32 directory
                      • Modifies registry class
                      • Suspicious use of WriteProcessMemory
                      PID:2412
                      • C:\Windows\SysWOW64\Monjjgkb.exe
                        C:\Windows\system32\Monjjgkb.exe
                        11⤵
                        • Adds autorun key to be loaded by Explorer.exe on startup
                        • Executes dropped EXE
                        • Modifies registry class
                        • Suspicious use of WriteProcessMemory
                        PID:4668
                        • C:\Windows\SysWOW64\Mfhbga32.exe
                          C:\Windows\system32\Mfhbga32.exe
                          12⤵
                          • Adds autorun key to be loaded by Explorer.exe on startup
                          • Executes dropped EXE
                          • Drops file in System32 directory
                          • Modifies registry class
                          • Suspicious use of WriteProcessMemory
                          PID:2364
                          • C:\Windows\SysWOW64\Mjcngpjh.exe
                            C:\Windows\system32\Mjcngpjh.exe
                            13⤵
                            • Adds autorun key to be loaded by Explorer.exe on startup
                            • Executes dropped EXE
                            • Drops file in System32 directory
                            • Modifies registry class
                            • Suspicious use of WriteProcessMemory
                            PID:4460
                            • C:\Windows\SysWOW64\Nqmfdj32.exe
                              C:\Windows\system32\Nqmfdj32.exe
                              14⤵
                              • Executes dropped EXE
                              • Drops file in System32 directory
                              • System Location Discovery: System Language Discovery
                              • Modifies registry class
                              • Suspicious use of WriteProcessMemory
                              PID:4300
                              • C:\Windows\SysWOW64\Nfjola32.exe
                                C:\Windows\system32\Nfjola32.exe
                                15⤵
                                • Adds autorun key to be loaded by Explorer.exe on startup
                                • Executes dropped EXE
                                • Drops file in System32 directory
                                • System Location Discovery: System Language Discovery
                                • Modifies registry class
                                • Suspicious use of WriteProcessMemory
                                PID:2320
                                • C:\Windows\SysWOW64\Nmdgikhi.exe
                                  C:\Windows\system32\Nmdgikhi.exe
                                  16⤵
                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                  • Executes dropped EXE
                                  • Drops file in System32 directory
                                  • Modifies registry class
                                  • Suspicious use of WriteProcessMemory
                                  PID:508
                                  • C:\Windows\SysWOW64\Ngjkfd32.exe
                                    C:\Windows\system32\Ngjkfd32.exe
                                    17⤵
                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                    • Executes dropped EXE
                                    • Modifies registry class
                                    • Suspicious use of WriteProcessMemory
                                    PID:4504
                                    • C:\Windows\SysWOW64\Nflkbanj.exe
                                      C:\Windows\system32\Nflkbanj.exe
                                      18⤵
                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                      • Executes dropped EXE
                                      • Drops file in System32 directory
                                      • System Location Discovery: System Language Discovery
                                      • Suspicious use of WriteProcessMemory
                                      PID:1064
                                      • C:\Windows\SysWOW64\Nmfcok32.exe
                                        C:\Windows\system32\Nmfcok32.exe
                                        19⤵
                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                        • Executes dropped EXE
                                        • Drops file in System32 directory
                                        • Suspicious use of WriteProcessMemory
                                        PID:4888
                                        • C:\Windows\SysWOW64\Nglhld32.exe
                                          C:\Windows\system32\Nglhld32.exe
                                          20⤵
                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                          • Executes dropped EXE
                                          • Drops file in System32 directory
                                          • System Location Discovery: System Language Discovery
                                          • Modifies registry class
                                          • Suspicious use of WriteProcessMemory
                                          PID:3212
                                          • C:\Windows\SysWOW64\Nnfpinmi.exe
                                            C:\Windows\system32\Nnfpinmi.exe
                                            21⤵
                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                            • Executes dropped EXE
                                            • Drops file in System32 directory
                                            • System Location Discovery: System Language Discovery
                                            • Suspicious use of WriteProcessMemory
                                            PID:2684
                                            • C:\Windows\SysWOW64\Npgmpf32.exe
                                              C:\Windows\system32\Npgmpf32.exe
                                              22⤵
                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                              • Executes dropped EXE
                                              • Drops file in System32 directory
                                              • System Location Discovery: System Language Discovery
                                              • Suspicious use of WriteProcessMemory
                                              PID:4220
                                              • C:\Windows\SysWOW64\Ngndaccj.exe
                                                C:\Windows\system32\Ngndaccj.exe
                                                23⤵
                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                • Executes dropped EXE
                                                • Drops file in System32 directory
                                                • System Location Discovery: System Language Discovery
                                                PID:4468
                                                • C:\Windows\SysWOW64\Nnhmnn32.exe
                                                  C:\Windows\system32\Nnhmnn32.exe
                                                  24⤵
                                                  • Executes dropped EXE
                                                  • Drops file in System32 directory
                                                  • Modifies registry class
                                                  PID:3916
                                                  • C:\Windows\SysWOW64\Nagiji32.exe
                                                    C:\Windows\system32\Nagiji32.exe
                                                    25⤵
                                                    • Executes dropped EXE
                                                    • Drops file in System32 directory
                                                    • System Location Discovery: System Language Discovery
                                                    • Modifies registry class
                                                    PID:2536
                                                    • C:\Windows\SysWOW64\Npiiffqe.exe
                                                      C:\Windows\system32\Npiiffqe.exe
                                                      26⤵
                                                      • Executes dropped EXE
                                                      • System Location Discovery: System Language Discovery
                                                      • Modifies registry class
                                                      PID:436
                                                      • C:\Windows\SysWOW64\Ngqagcag.exe
                                                        C:\Windows\system32\Ngqagcag.exe
                                                        27⤵
                                                        • Executes dropped EXE
                                                        PID:2080
                                                        • C:\Windows\SysWOW64\Nfcabp32.exe
                                                          C:\Windows\system32\Nfcabp32.exe
                                                          28⤵
                                                          • Executes dropped EXE
                                                          • Modifies registry class
                                                          PID:644
                                                          • C:\Windows\SysWOW64\Onkidm32.exe
                                                            C:\Windows\system32\Onkidm32.exe
                                                            29⤵
                                                            • Executes dropped EXE
                                                            • System Location Discovery: System Language Discovery
                                                            • Modifies registry class
                                                            PID:2500
                                                            • C:\Windows\SysWOW64\Oplfkeob.exe
                                                              C:\Windows\system32\Oplfkeob.exe
                                                              30⤵
                                                              • Executes dropped EXE
                                                              • System Location Discovery: System Language Discovery
                                                              PID:1468
                                                              • C:\Windows\SysWOW64\Ogcnmc32.exe
                                                                C:\Windows\system32\Ogcnmc32.exe
                                                                31⤵
                                                                • Executes dropped EXE
                                                                • Drops file in System32 directory
                                                                • System Location Discovery: System Language Discovery
                                                                • Modifies registry class
                                                                PID:4348
                                                                • C:\Windows\SysWOW64\Opnbae32.exe
                                                                  C:\Windows\system32\Opnbae32.exe
                                                                  32⤵
                                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                                  • Executes dropped EXE
                                                                  • Drops file in System32 directory
                                                                  • System Location Discovery: System Language Discovery
                                                                  PID:3588
                                                                  • C:\Windows\SysWOW64\Ogekbb32.exe
                                                                    C:\Windows\system32\Ogekbb32.exe
                                                                    33⤵
                                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                                    • Executes dropped EXE
                                                                    • Drops file in System32 directory
                                                                    • System Location Discovery: System Language Discovery
                                                                    • Modifies registry class
                                                                    PID:924
                                                                    • C:\Windows\SysWOW64\Ofhknodl.exe
                                                                      C:\Windows\system32\Ofhknodl.exe
                                                                      34⤵
                                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                                      • Executes dropped EXE
                                                                      • Drops file in System32 directory
                                                                      PID:2044
                                                                      • C:\Windows\SysWOW64\Oanokhdb.exe
                                                                        C:\Windows\system32\Oanokhdb.exe
                                                                        35⤵
                                                                        • Executes dropped EXE
                                                                        • Drops file in System32 directory
                                                                        • System Location Discovery: System Language Discovery
                                                                        • Modifies registry class
                                                                        PID:4916
                                                                        • C:\Windows\SysWOW64\Ojfcdnjc.exe
                                                                          C:\Windows\system32\Ojfcdnjc.exe
                                                                          36⤵
                                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                                          • Executes dropped EXE
                                                                          • System Location Discovery: System Language Discovery
                                                                          • Modifies registry class
                                                                          PID:4404
                                                                          • C:\Windows\SysWOW64\Opclldhj.exe
                                                                            C:\Windows\system32\Opclldhj.exe
                                                                            37⤵
                                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                                            • Executes dropped EXE
                                                                            • System Location Discovery: System Language Discovery
                                                                            • Modifies registry class
                                                                            PID:4092
                                                                            • C:\Windows\SysWOW64\Ogjdmbil.exe
                                                                              C:\Windows\system32\Ogjdmbil.exe
                                                                              38⤵
                                                                              • Executes dropped EXE
                                                                              • Drops file in System32 directory
                                                                              • Modifies registry class
                                                                              PID:3292
                                                                              • C:\Windows\SysWOW64\Ondljl32.exe
                                                                                C:\Windows\system32\Ondljl32.exe
                                                                                39⤵
                                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                • Executes dropped EXE
                                                                                • Drops file in System32 directory
                                                                                • System Location Discovery: System Language Discovery
                                                                                PID:5056
                                                                                • C:\Windows\SysWOW64\Oabhfg32.exe
                                                                                  C:\Windows\system32\Oabhfg32.exe
                                                                                  40⤵
                                                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                  • Executes dropped EXE
                                                                                  • System Location Discovery: System Language Discovery
                                                                                  PID:5052
                                                                                  • C:\Windows\SysWOW64\Ohlqcagj.exe
                                                                                    C:\Windows\system32\Ohlqcagj.exe
                                                                                    41⤵
                                                                                    • Executes dropped EXE
                                                                                    • Modifies registry class
                                                                                    PID:4544
                                                                                    • C:\Windows\SysWOW64\Pjkmomfn.exe
                                                                                      C:\Windows\system32\Pjkmomfn.exe
                                                                                      42⤵
                                                                                      • Executes dropped EXE
                                                                                      • Drops file in System32 directory
                                                                                      PID:3256
                                                                                      • C:\Windows\SysWOW64\Paeelgnj.exe
                                                                                        C:\Windows\system32\Paeelgnj.exe
                                                                                        43⤵
                                                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                        • Executes dropped EXE
                                                                                        • Drops file in System32 directory
                                                                                        • System Location Discovery: System Language Discovery
                                                                                        PID:4488
                                                                                        • C:\Windows\SysWOW64\Phonha32.exe
                                                                                          C:\Windows\system32\Phonha32.exe
                                                                                          44⤵
                                                                                          • Executes dropped EXE
                                                                                          • Modifies registry class
                                                                                          PID:4308
                                                                                          • C:\Windows\SysWOW64\Pjmjdm32.exe
                                                                                            C:\Windows\system32\Pjmjdm32.exe
                                                                                            45⤵
                                                                                            • Executes dropped EXE
                                                                                            • Drops file in System32 directory
                                                                                            PID:3344
                                                                                            • C:\Windows\SysWOW64\Pmlfqh32.exe
                                                                                              C:\Windows\system32\Pmlfqh32.exe
                                                                                              46⤵
                                                                                              • Executes dropped EXE
                                                                                              PID:1640
                                                                                              • C:\Windows\SysWOW64\Pdenmbkk.exe
                                                                                                C:\Windows\system32\Pdenmbkk.exe
                                                                                                47⤵
                                                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                • Executes dropped EXE
                                                                                                • System Location Discovery: System Language Discovery
                                                                                                • Modifies registry class
                                                                                                PID:1052
                                                                                                • C:\Windows\SysWOW64\Pfdjinjo.exe
                                                                                                  C:\Windows\system32\Pfdjinjo.exe
                                                                                                  48⤵
                                                                                                  • Executes dropped EXE
                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                  PID:4184
                                                                                                  • C:\Windows\SysWOW64\Pmnbfhal.exe
                                                                                                    C:\Windows\system32\Pmnbfhal.exe
                                                                                                    49⤵
                                                                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                    • Executes dropped EXE
                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                    PID:3268
                                                                                                    • C:\Windows\SysWOW64\Phcgcqab.exe
                                                                                                      C:\Windows\system32\Phcgcqab.exe
                                                                                                      50⤵
                                                                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                      • Executes dropped EXE
                                                                                                      PID:1464
                                                                                                      • C:\Windows\SysWOW64\Palklf32.exe
                                                                                                        C:\Windows\system32\Palklf32.exe
                                                                                                        51⤵
                                                                                                        • Executes dropped EXE
                                                                                                        • Drops file in System32 directory
                                                                                                        PID:4016
                                                                                                        • C:\Windows\SysWOW64\Phfcipoo.exe
                                                                                                          C:\Windows\system32\Phfcipoo.exe
                                                                                                          52⤵
                                                                                                          • Executes dropped EXE
                                                                                                          • Drops file in System32 directory
                                                                                                          PID:3576
                                                                                                          • C:\Windows\SysWOW64\Pmblagmf.exe
                                                                                                            C:\Windows\system32\Pmblagmf.exe
                                                                                                            53⤵
                                                                                                            • Executes dropped EXE
                                                                                                            • Drops file in System32 directory
                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                            • Modifies registry class
                                                                                                            PID:4924
                                                                                                            • C:\Windows\SysWOW64\Qhhpop32.exe
                                                                                                              C:\Windows\system32\Qhhpop32.exe
                                                                                                              54⤵
                                                                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                              • Executes dropped EXE
                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                              PID:1800
                                                                                                              • C:\Windows\SysWOW64\Qmeigg32.exe
                                                                                                                C:\Windows\system32\Qmeigg32.exe
                                                                                                                55⤵
                                                                                                                • Executes dropped EXE
                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                PID:100
                                                                                                                • C:\Windows\SysWOW64\Qpcecb32.exe
                                                                                                                  C:\Windows\system32\Qpcecb32.exe
                                                                                                                  56⤵
                                                                                                                  • Executes dropped EXE
                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                  PID:2216
                                                                                                                  • C:\Windows\SysWOW64\Qhjmdp32.exe
                                                                                                                    C:\Windows\system32\Qhjmdp32.exe
                                                                                                                    57⤵
                                                                                                                    • Executes dropped EXE
                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                    • Modifies registry class
                                                                                                                    PID:1516
                                                                                                                    • C:\Windows\SysWOW64\Qodeajbg.exe
                                                                                                                      C:\Windows\system32\Qodeajbg.exe
                                                                                                                      58⤵
                                                                                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                      • Executes dropped EXE
                                                                                                                      • Drops file in System32 directory
                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                      PID:4836
                                                                                                                      • C:\Windows\SysWOW64\Qdaniq32.exe
                                                                                                                        C:\Windows\system32\Qdaniq32.exe
                                                                                                                        59⤵
                                                                                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                        • Executes dropped EXE
                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                        PID:2484
                                                                                                                        • C:\Windows\SysWOW64\Akkffkhk.exe
                                                                                                                          C:\Windows\system32\Akkffkhk.exe
                                                                                                                          60⤵
                                                                                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                          • Executes dropped EXE
                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                          PID:1252
                                                                                                                          • C:\Windows\SysWOW64\Aaenbd32.exe
                                                                                                                            C:\Windows\system32\Aaenbd32.exe
                                                                                                                            61⤵
                                                                                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                            • Executes dropped EXE
                                                                                                                            • Modifies registry class
                                                                                                                            PID:456
                                                                                                                            • C:\Windows\SysWOW64\Adcjop32.exe
                                                                                                                              C:\Windows\system32\Adcjop32.exe
                                                                                                                              62⤵
                                                                                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                              • Executes dropped EXE
                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                              • Modifies registry class
                                                                                                                              PID:404
                                                                                                                              • C:\Windows\SysWOW64\Aknbkjfh.exe
                                                                                                                                C:\Windows\system32\Aknbkjfh.exe
                                                                                                                                63⤵
                                                                                                                                • Executes dropped EXE
                                                                                                                                • Drops file in System32 directory
                                                                                                                                • Modifies registry class
                                                                                                                                PID:5044
                                                                                                                                • C:\Windows\SysWOW64\Aagkhd32.exe
                                                                                                                                  C:\Windows\system32\Aagkhd32.exe
                                                                                                                                  64⤵
                                                                                                                                  • Executes dropped EXE
                                                                                                                                  PID:1672
                                                                                                                                  • C:\Windows\SysWOW64\Ahaceo32.exe
                                                                                                                                    C:\Windows\system32\Ahaceo32.exe
                                                                                                                                    65⤵
                                                                                                                                    • Executes dropped EXE
                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                    • Modifies registry class
                                                                                                                                    PID:4400
                                                                                                                                    • C:\Windows\SysWOW64\Aokkahlo.exe
                                                                                                                                      C:\Windows\system32\Aokkahlo.exe
                                                                                                                                      66⤵
                                                                                                                                      • Modifies registry class
                                                                                                                                      PID:2916
                                                                                                                                      • C:\Windows\SysWOW64\Apmhiq32.exe
                                                                                                                                        C:\Windows\system32\Apmhiq32.exe
                                                                                                                                        67⤵
                                                                                                                                          PID:216
                                                                                                                                          • C:\Windows\SysWOW64\Aggpfkjj.exe
                                                                                                                                            C:\Windows\system32\Aggpfkjj.exe
                                                                                                                                            68⤵
                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                            • Modifies registry class
                                                                                                                                            PID:4340
                                                                                                                                            • C:\Windows\SysWOW64\Amqhbe32.exe
                                                                                                                                              C:\Windows\system32\Amqhbe32.exe
                                                                                                                                              69⤵
                                                                                                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                              • Drops file in System32 directory
                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                              PID:1600
                                                                                                                                              • C:\Windows\SysWOW64\Aaldccip.exe
                                                                                                                                                C:\Windows\system32\Aaldccip.exe
                                                                                                                                                70⤵
                                                                                                                                                  PID:4412
                                                                                                                                                  • C:\Windows\SysWOW64\Adkqoohc.exe
                                                                                                                                                    C:\Windows\system32\Adkqoohc.exe
                                                                                                                                                    71⤵
                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                    • Modifies registry class
                                                                                                                                                    PID:1916
                                                                                                                                                    • C:\Windows\SysWOW64\Agimkk32.exe
                                                                                                                                                      C:\Windows\system32\Agimkk32.exe
                                                                                                                                                      72⤵
                                                                                                                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                      • Drops file in System32 directory
                                                                                                                                                      • Modifies registry class
                                                                                                                                                      PID:1040
                                                                                                                                                      • C:\Windows\SysWOW64\Amcehdod.exe
                                                                                                                                                        C:\Windows\system32\Amcehdod.exe
                                                                                                                                                        73⤵
                                                                                                                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                        • Modifies registry class
                                                                                                                                                        PID:1224
                                                                                                                                                        • C:\Windows\SysWOW64\Bdmmeo32.exe
                                                                                                                                                          C:\Windows\system32\Bdmmeo32.exe
                                                                                                                                                          74⤵
                                                                                                                                                          • Drops file in System32 directory
                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                          • Modifies registry class
                                                                                                                                                          PID:312
                                                                                                                                                          • C:\Windows\SysWOW64\Bkgeainn.exe
                                                                                                                                                            C:\Windows\system32\Bkgeainn.exe
                                                                                                                                                            75⤵
                                                                                                                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                            PID:1048
                                                                                                                                                            • C:\Windows\SysWOW64\Baannc32.exe
                                                                                                                                                              C:\Windows\system32\Baannc32.exe
                                                                                                                                                              76⤵
                                                                                                                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                              PID:5108
                                                                                                                                                              • C:\Windows\SysWOW64\Bdojjo32.exe
                                                                                                                                                                C:\Windows\system32\Bdojjo32.exe
                                                                                                                                                                77⤵
                                                                                                                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                • Modifies registry class
                                                                                                                                                                PID:4136
                                                                                                                                                                • C:\Windows\SysWOW64\Bhkfkmmg.exe
                                                                                                                                                                  C:\Windows\system32\Bhkfkmmg.exe
                                                                                                                                                                  78⤵
                                                                                                                                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                  PID:4188
                                                                                                                                                                  • C:\Windows\SysWOW64\Bmhocd32.exe
                                                                                                                                                                    C:\Windows\system32\Bmhocd32.exe
                                                                                                                                                                    79⤵
                                                                                                                                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                    • Modifies registry class
                                                                                                                                                                    PID:4268
                                                                                                                                                                    • C:\Windows\SysWOW64\Bhmbqm32.exe
                                                                                                                                                                      C:\Windows\system32\Bhmbqm32.exe
                                                                                                                                                                      80⤵
                                                                                                                                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                      PID:660
                                                                                                                                                                      • C:\Windows\SysWOW64\Bmjkic32.exe
                                                                                                                                                                        C:\Windows\system32\Bmjkic32.exe
                                                                                                                                                                        81⤵
                                                                                                                                                                        • Drops file in System32 directory
                                                                                                                                                                        PID:32
                                                                                                                                                                        • C:\Windows\SysWOW64\Bphgeo32.exe
                                                                                                                                                                          C:\Windows\system32\Bphgeo32.exe
                                                                                                                                                                          82⤵
                                                                                                                                                                          • Drops file in System32 directory
                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                          • Modifies registry class
                                                                                                                                                                          PID:3608
                                                                                                                                                                          • C:\Windows\SysWOW64\Boihcf32.exe
                                                                                                                                                                            C:\Windows\system32\Boihcf32.exe
                                                                                                                                                                            83⤵
                                                                                                                                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                            • Drops file in System32 directory
                                                                                                                                                                            • Modifies registry class
                                                                                                                                                                            PID:1180
                                                                                                                                                                            • C:\Windows\SysWOW64\Bpkdjofm.exe
                                                                                                                                                                              C:\Windows\system32\Bpkdjofm.exe
                                                                                                                                                                              84⤵
                                                                                                                                                                              • Drops file in System32 directory
                                                                                                                                                                              PID:4648
                                                                                                                                                                              • C:\Windows\SysWOW64\Bhblllfo.exe
                                                                                                                                                                                C:\Windows\system32\Bhblllfo.exe
                                                                                                                                                                                85⤵
                                                                                                                                                                                • Drops file in System32 directory
                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                • Modifies registry class
                                                                                                                                                                                PID:212
                                                                                                                                                                                • C:\Windows\SysWOW64\Bkphhgfc.exe
                                                                                                                                                                                  C:\Windows\system32\Bkphhgfc.exe
                                                                                                                                                                                  86⤵
                                                                                                                                                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                  PID:4352
                                                                                                                                                                                  • C:\Windows\SysWOW64\Bajqda32.exe
                                                                                                                                                                                    C:\Windows\system32\Bajqda32.exe
                                                                                                                                                                                    87⤵
                                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                                    • Modifies registry class
                                                                                                                                                                                    PID:4452
                                                                                                                                                                                    • C:\Windows\SysWOW64\Cggimh32.exe
                                                                                                                                                                                      C:\Windows\system32\Cggimh32.exe
                                                                                                                                                                                      88⤵
                                                                                                                                                                                      • Modifies registry class
                                                                                                                                                                                      PID:1984
                                                                                                                                                                                      • C:\Windows\SysWOW64\Cnaaib32.exe
                                                                                                                                                                                        C:\Windows\system32\Cnaaib32.exe
                                                                                                                                                                                        89⤵
                                                                                                                                                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                                        PID:5064
                                                                                                                                                                                        • C:\Windows\SysWOW64\Chfegk32.exe
                                                                                                                                                                                          C:\Windows\system32\Chfegk32.exe
                                                                                                                                                                                          90⤵
                                                                                                                                                                                          • Drops file in System32 directory
                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                          • Modifies registry class
                                                                                                                                                                                          PID:4044
                                                                                                                                                                                          • C:\Windows\SysWOW64\Cncnob32.exe
                                                                                                                                                                                            C:\Windows\system32\Cncnob32.exe
                                                                                                                                                                                            91⤵
                                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                                            PID:3660
                                                                                                                                                                                            • C:\Windows\SysWOW64\Chiblk32.exe
                                                                                                                                                                                              C:\Windows\system32\Chiblk32.exe
                                                                                                                                                                                              92⤵
                                                                                                                                                                                              • Drops file in System32 directory
                                                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                                                              PID:3288
                                                                                                                                                                                              • C:\Windows\SysWOW64\Cnfkdb32.exe
                                                                                                                                                                                                C:\Windows\system32\Cnfkdb32.exe
                                                                                                                                                                                                93⤵
                                                                                                                                                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                • Drops file in System32 directory
                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                • Modifies registry class
                                                                                                                                                                                                PID:1716
                                                                                                                                                                                                • C:\Windows\SysWOW64\Cpdgqmnb.exe
                                                                                                                                                                                                  C:\Windows\system32\Cpdgqmnb.exe
                                                                                                                                                                                                  94⤵
                                                                                                                                                                                                  • Drops file in System32 directory
                                                                                                                                                                                                  PID:1364
                                                                                                                                                                                                  • C:\Windows\SysWOW64\Chkobkod.exe
                                                                                                                                                                                                    C:\Windows\system32\Chkobkod.exe
                                                                                                                                                                                                    95⤵
                                                                                                                                                                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                                                    • Modifies registry class
                                                                                                                                                                                                    PID:3468
                                                                                                                                                                                                    • C:\Windows\SysWOW64\Ckjknfnh.exe
                                                                                                                                                                                                      C:\Windows\system32\Ckjknfnh.exe
                                                                                                                                                                                                      96⤵
                                                                                                                                                                                                      • Drops file in System32 directory
                                                                                                                                                                                                      • Modifies registry class
                                                                                                                                                                                                      PID:1448
                                                                                                                                                                                                      • C:\Windows\SysWOW64\Cacckp32.exe
                                                                                                                                                                                                        C:\Windows\system32\Cacckp32.exe
                                                                                                                                                                                                        97⤵
                                                                                                                                                                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                                                        • Modifies registry class
                                                                                                                                                                                                        PID:1352
                                                                                                                                                                                                        • C:\Windows\SysWOW64\Cdbpgl32.exe
                                                                                                                                                                                                          C:\Windows\system32\Cdbpgl32.exe
                                                                                                                                                                                                          98⤵
                                                                                                                                                                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                          • Drops file in System32 directory
                                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                                          • Modifies registry class
                                                                                                                                                                                                          PID:4160
                                                                                                                                                                                                          • C:\Windows\SysWOW64\Chnlgjlb.exe
                                                                                                                                                                                                            C:\Windows\system32\Chnlgjlb.exe
                                                                                                                                                                                                            99⤵
                                                                                                                                                                                                              PID:1536
                                                                                                                                                                                                              • C:\Windows\SysWOW64\Cnjdpaki.exe
                                                                                                                                                                                                                C:\Windows\system32\Cnjdpaki.exe
                                                                                                                                                                                                                100⤵
                                                                                                                                                                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                • Drops file in System32 directory
                                                                                                                                                                                                                PID:1836
                                                                                                                                                                                                                • C:\Windows\SysWOW64\Dpiplm32.exe
                                                                                                                                                                                                                  C:\Windows\system32\Dpiplm32.exe
                                                                                                                                                                                                                  101⤵
                                                                                                                                                                                                                  • Drops file in System32 directory
                                                                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                  PID:2088
                                                                                                                                                                                                                  • C:\Windows\SysWOW64\Dhphmj32.exe
                                                                                                                                                                                                                    C:\Windows\system32\Dhphmj32.exe
                                                                                                                                                                                                                    102⤵
                                                                                                                                                                                                                      PID:1220
                                                                                                                                                                                                                      • C:\Windows\SysWOW64\Dkndie32.exe
                                                                                                                                                                                                                        C:\Windows\system32\Dkndie32.exe
                                                                                                                                                                                                                        103⤵
                                                                                                                                                                                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                        PID:372
                                                                                                                                                                                                                        • C:\Windows\SysWOW64\Dnmaea32.exe
                                                                                                                                                                                                                          C:\Windows\system32\Dnmaea32.exe
                                                                                                                                                                                                                          104⤵
                                                                                                                                                                                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                          • Drops file in System32 directory
                                                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                          • Modifies registry class
                                                                                                                                                                                                                          PID:4932
                                                                                                                                                                                                                          • C:\Windows\SysWOW64\Dpkmal32.exe
                                                                                                                                                                                                                            C:\Windows\system32\Dpkmal32.exe
                                                                                                                                                                                                                            105⤵
                                                                                                                                                                                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                            PID:3368
                                                                                                                                                                                                                            • C:\Windows\SysWOW64\Ddgibkpc.exe
                                                                                                                                                                                                                              C:\Windows\system32\Ddgibkpc.exe
                                                                                                                                                                                                                              106⤵
                                                                                                                                                                                                                              • Drops file in System32 directory
                                                                                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                              • Modifies registry class
                                                                                                                                                                                                                              PID:540
                                                                                                                                                                                                                              • C:\Windows\SysWOW64\Dkqaoe32.exe
                                                                                                                                                                                                                                C:\Windows\system32\Dkqaoe32.exe
                                                                                                                                                                                                                                107⤵
                                                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                PID:5048
                                                                                                                                                                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                  C:\Windows\SysWOW64\WerFault.exe -u -p 5048 -s 400
                                                                                                                                                                                                                                  108⤵
                                                                                                                                                                                                                                  • Program crash
                                                                                                                                                                                                                                  PID:2532
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5048 -ip 5048
            1⤵
              PID:3712

            Network

            MITRE ATT&CK Enterprise v15

            Downloads

            • memory/4056-32-0x0000000000400000-0x0000000000433000-memory.dmp

              Filesize

              204KB

            • memory/4056-116-0x0000000000400000-0x0000000000433000-memory.dmp

              Filesize

              204KB

            • memory/4092-305-0x0000000000400000-0x0000000000433000-memory.dmp

              Filesize

              204KB

            • memory/4092-374-0x0000000000400000-0x0000000000433000-memory.dmp

              Filesize

              204KB

            • memory/4116-1-0x0000000000431000-0x0000000000432000-memory.dmp

              Filesize

              4KB

            • memory/4116-72-0x0000000000400000-0x0000000000433000-memory.dmp

              Filesize

              204KB

            • memory/4116-0-0x0000000000400000-0x0000000000433000-memory.dmp

              Filesize

              204KB

            • memory/4184-382-0x0000000000400000-0x0000000000433000-memory.dmp

              Filesize

              204KB

            • memory/4220-180-0x0000000000400000-0x0000000000433000-memory.dmp

              Filesize

              204KB

            • memory/4220-268-0x0000000000400000-0x0000000000433000-memory.dmp

              Filesize

              204KB

            • memory/4300-197-0x0000000000400000-0x0000000000433000-memory.dmp

              Filesize

              204KB

            • memory/4300-109-0x0000000000400000-0x0000000000433000-memory.dmp

              Filesize

              204KB

            • memory/4308-423-0x0000000000400000-0x0000000000433000-memory.dmp

              Filesize

              204KB

            • memory/4308-354-0x0000000000400000-0x0000000000433000-memory.dmp

              Filesize

              204KB

            • memory/4348-260-0x0000000000400000-0x0000000000433000-memory.dmp

              Filesize

              204KB

            • memory/4348-332-0x0000000000400000-0x0000000000433000-memory.dmp

              Filesize

              204KB

            • memory/4396-139-0x0000000000400000-0x0000000000433000-memory.dmp

              Filesize

              204KB

            • memory/4396-48-0x0000000000400000-0x0000000000433000-memory.dmp

              Filesize

              204KB

            • memory/4404-367-0x0000000000400000-0x0000000000433000-memory.dmp

              Filesize

              204KB

            • memory/4404-299-0x0000000000400000-0x0000000000433000-memory.dmp

              Filesize

              204KB

            • memory/4460-99-0x0000000000400000-0x0000000000433000-memory.dmp

              Filesize

              204KB

            • memory/4460-188-0x0000000000400000-0x0000000000433000-memory.dmp

              Filesize

              204KB

            • memory/4468-189-0x0000000000400000-0x0000000000433000-memory.dmp

              Filesize

              204KB

            • memory/4468-278-0x0000000000400000-0x0000000000433000-memory.dmp

              Filesize

              204KB

            • memory/4488-416-0x0000000000400000-0x0000000000433000-memory.dmp

              Filesize

              204KB

            • memory/4488-347-0x0000000000400000-0x0000000000433000-memory.dmp

              Filesize

              204KB

            • memory/4504-140-0x0000000000400000-0x0000000000433000-memory.dmp

              Filesize

              204KB

            • memory/4540-16-0x0000000000400000-0x0000000000433000-memory.dmp

              Filesize

              204KB

            • memory/4540-98-0x0000000000400000-0x0000000000433000-memory.dmp

              Filesize

              204KB

            • memory/4544-402-0x0000000000400000-0x0000000000433000-memory.dmp

              Filesize

              204KB

            • memory/4544-333-0x0000000000400000-0x0000000000433000-memory.dmp

              Filesize

              204KB

            • memory/4668-170-0x0000000000400000-0x0000000000433000-memory.dmp

              Filesize

              204KB

            • memory/4668-81-0x0000000000400000-0x0000000000433000-memory.dmp

              Filesize

              204KB

            • memory/4888-242-0x0000000000400000-0x0000000000433000-memory.dmp

              Filesize

              204KB

            • memory/4888-153-0x0000000000400000-0x0000000000433000-memory.dmp

              Filesize

              204KB

            • memory/4916-292-0x0000000000400000-0x0000000000433000-memory.dmp

              Filesize

              204KB

            • memory/4916-360-0x0000000000400000-0x0000000000433000-memory.dmp

              Filesize

              204KB

            • memory/4924-417-0x0000000000400000-0x0000000000433000-memory.dmp

              Filesize

              204KB

            • memory/5048-796-0x0000000000400000-0x0000000000433000-memory.dmp

              Filesize

              204KB

            • memory/5052-395-0x0000000000400000-0x0000000000433000-memory.dmp

              Filesize

              204KB

            • memory/5052-326-0x0000000000400000-0x0000000000433000-memory.dmp

              Filesize

              204KB

            • memory/5056-319-0x0000000000400000-0x0000000000433000-memory.dmp

              Filesize

              204KB

            • memory/5056-388-0x0000000000400000-0x0000000000433000-memory.dmp

              Filesize

              204KB