Analysis

  • max time kernel
    95s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
  • submitted
    07/11/2024, 03:37

General

  • Target

    4879eb16f8e03637cec09df8d874df798abcee662cd8e581d7e44923bbc8b2eaN.exe

  • Size

    96KB

  • MD5

    e2e4593d766bd12aab46776b202b8c40

  • SHA1

    0c437ffef58ff0e8fb9e727b2191606297f00364

  • SHA256

    4879eb16f8e03637cec09df8d874df798abcee662cd8e581d7e44923bbc8b2ea

  • SHA512

    cffbc5d97c4631db3aa30f1f3f07ff54534c144beeedd059971658aa9c1e108db91eec7fa8ccd30e2668609a0812a7f2026e9595ae7316d94377ca861d7017d0

  • SSDEEP

    1536:36+69QiBZOaQ/aRPfMcp+nXe4DpPI5rGzrfAnV2tLm74S7V+5pUMv84WMRw8Dkqq:3R69Eel415kYEVi64Sp+7H7wWkqq

Malware Config

Extracted

Family

berbew

C2

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
  • Berbew

    Berbew is a backdoor written in C++.

  • Berbew family
  • Executes dropped EXE 64 IoCs
  • Drops file in System32 directory 64 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4879eb16f8e03637cec09df8d874df798abcee662cd8e581d7e44923bbc8b2eaN.exe
    "C:\Users\Admin\AppData\Local\Temp\4879eb16f8e03637cec09df8d874df798abcee662cd8e581d7e44923bbc8b2eaN.exe"
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:5104
    • C:\Windows\SysWOW64\Ndaggimg.exe
      C:\Windows\system32\Ndaggimg.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4716
      • C:\Windows\SysWOW64\Ngpccdlj.exe
        C:\Windows\system32\Ngpccdlj.exe
        3⤵
        • Adds autorun key to be loaded by Explorer.exe on startup
        • Executes dropped EXE
        • Drops file in System32 directory
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:3248
        • C:\Windows\SysWOW64\Nebdoa32.exe
          C:\Windows\system32\Nebdoa32.exe
          4⤵
          • Adds autorun key to be loaded by Explorer.exe on startup
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3244
          • C:\Windows\SysWOW64\Nnjlpo32.exe
            C:\Windows\system32\Nnjlpo32.exe
            5⤵
            • Adds autorun key to be loaded by Explorer.exe on startup
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Modifies registry class
            • Suspicious use of WriteProcessMemory
            PID:2500
            • C:\Windows\SysWOW64\Nphhmj32.exe
              C:\Windows\system32\Nphhmj32.exe
              6⤵
              • Executes dropped EXE
              • Drops file in System32 directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:1060
              • C:\Windows\SysWOW64\Ndcdmikd.exe
                C:\Windows\system32\Ndcdmikd.exe
                7⤵
                • Executes dropped EXE
                • Suspicious use of WriteProcessMemory
                PID:2176
                • C:\Windows\SysWOW64\Ngbpidjh.exe
                  C:\Windows\system32\Ngbpidjh.exe
                  8⤵
                  • Adds autorun key to be loaded by Explorer.exe on startup
                  • Executes dropped EXE
                  • Drops file in System32 directory
                  • System Location Discovery: System Language Discovery
                  • Modifies registry class
                  • Suspicious use of WriteProcessMemory
                  PID:3316
                  • C:\Windows\SysWOW64\Njqmepik.exe
                    C:\Windows\system32\Njqmepik.exe
                    9⤵
                    • Executes dropped EXE
                    • Drops file in System32 directory
                    • Modifies registry class
                    • Suspicious use of WriteProcessMemory
                    PID:1456
                    • C:\Windows\SysWOW64\Nloiakho.exe
                      C:\Windows\system32\Nloiakho.exe
                      10⤵
                      • Executes dropped EXE
                      • Suspicious use of WriteProcessMemory
                      PID:1664
                      • C:\Windows\SysWOW64\Npjebj32.exe
                        C:\Windows\system32\Npjebj32.exe
                        11⤵
                        • Executes dropped EXE
                        • Suspicious use of WriteProcessMemory
                        PID:3716
                        • C:\Windows\SysWOW64\Ngdmod32.exe
                          C:\Windows\system32\Ngdmod32.exe
                          12⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          • Modifies registry class
                          • Suspicious use of WriteProcessMemory
                          PID:2508
                          • C:\Windows\SysWOW64\Njciko32.exe
                            C:\Windows\system32\Njciko32.exe
                            13⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            • Suspicious use of WriteProcessMemory
                            PID:3448
                            • C:\Windows\SysWOW64\Nlaegk32.exe
                              C:\Windows\system32\Nlaegk32.exe
                              14⤵
                              • Adds autorun key to be loaded by Explorer.exe on startup
                              • Executes dropped EXE
                              • Suspicious use of WriteProcessMemory
                              PID:3116
                              • C:\Windows\SysWOW64\Ndhmhh32.exe
                                C:\Windows\system32\Ndhmhh32.exe
                                15⤵
                                • Adds autorun key to be loaded by Explorer.exe on startup
                                • Executes dropped EXE
                                • Drops file in System32 directory
                                • Suspicious use of WriteProcessMemory
                                PID:2928
                                • C:\Windows\SysWOW64\Nggjdc32.exe
                                  C:\Windows\system32\Nggjdc32.exe
                                  16⤵
                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                  • Executes dropped EXE
                                  • Suspicious use of WriteProcessMemory
                                  PID:2080
                                  • C:\Windows\SysWOW64\Nnqbanmo.exe
                                    C:\Windows\system32\Nnqbanmo.exe
                                    17⤵
                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                    • Executes dropped EXE
                                    • System Location Discovery: System Language Discovery
                                    • Suspicious use of WriteProcessMemory
                                    PID:2308
                                    • C:\Windows\SysWOW64\Oponmilc.exe
                                      C:\Windows\system32\Oponmilc.exe
                                      18⤵
                                      • Executes dropped EXE
                                      • Suspicious use of WriteProcessMemory
                                      PID:3968
                                      • C:\Windows\SysWOW64\Ocnjidkf.exe
                                        C:\Windows\system32\Ocnjidkf.exe
                                        19⤵
                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                        • Executes dropped EXE
                                        • Drops file in System32 directory
                                        • System Location Discovery: System Language Discovery
                                        • Modifies registry class
                                        • Suspicious use of WriteProcessMemory
                                        PID:1624
                                        • C:\Windows\SysWOW64\Oflgep32.exe
                                          C:\Windows\system32\Oflgep32.exe
                                          20⤵
                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                          • Executes dropped EXE
                                          • Drops file in System32 directory
                                          • Suspicious use of WriteProcessMemory
                                          PID:1808
                                          • C:\Windows\SysWOW64\Oncofm32.exe
                                            C:\Windows\system32\Oncofm32.exe
                                            21⤵
                                            • Executes dropped EXE
                                            • Modifies registry class
                                            • Suspicious use of WriteProcessMemory
                                            PID:1652
                                            • C:\Windows\SysWOW64\Opakbi32.exe
                                              C:\Windows\system32\Opakbi32.exe
                                              22⤵
                                              • Executes dropped EXE
                                              • Drops file in System32 directory
                                              • Suspicious use of WriteProcessMemory
                                              PID:2452
                                              • C:\Windows\SysWOW64\Ocpgod32.exe
                                                C:\Windows\system32\Ocpgod32.exe
                                                23⤵
                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                • Executes dropped EXE
                                                • Drops file in System32 directory
                                                PID:2692
                                                • C:\Windows\SysWOW64\Ogkcpbam.exe
                                                  C:\Windows\system32\Ogkcpbam.exe
                                                  24⤵
                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                  • Executes dropped EXE
                                                  • Drops file in System32 directory
                                                  • System Location Discovery: System Language Discovery
                                                  • Modifies registry class
                                                  PID:5044
                                                  • C:\Windows\SysWOW64\Oneklm32.exe
                                                    C:\Windows\system32\Oneklm32.exe
                                                    25⤵
                                                    • Executes dropped EXE
                                                    • System Location Discovery: System Language Discovery
                                                    • Modifies registry class
                                                    PID:3732
                                                    • C:\Windows\SysWOW64\Olhlhjpd.exe
                                                      C:\Windows\system32\Olhlhjpd.exe
                                                      26⤵
                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                      • Executes dropped EXE
                                                      • System Location Discovery: System Language Discovery
                                                      PID:1520
                                                      • C:\Windows\SysWOW64\Ocbddc32.exe
                                                        C:\Windows\system32\Ocbddc32.exe
                                                        27⤵
                                                        • Executes dropped EXE
                                                        • Drops file in System32 directory
                                                        • System Location Discovery: System Language Discovery
                                                        PID:4252
                                                        • C:\Windows\SysWOW64\Ofqpqo32.exe
                                                          C:\Windows\system32\Ofqpqo32.exe
                                                          28⤵
                                                          • Executes dropped EXE
                                                          • System Location Discovery: System Language Discovery
                                                          PID:3164
                                                          • C:\Windows\SysWOW64\Ojllan32.exe
                                                            C:\Windows\system32\Ojllan32.exe
                                                            29⤵
                                                            • Executes dropped EXE
                                                            • System Location Discovery: System Language Discovery
                                                            PID:4132
                                                            • C:\Windows\SysWOW64\Olkhmi32.exe
                                                              C:\Windows\system32\Olkhmi32.exe
                                                              30⤵
                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                              • Executes dropped EXE
                                                              • System Location Discovery: System Language Discovery
                                                              • Modifies registry class
                                                              PID:4128
                                                              • C:\Windows\SysWOW64\Odapnf32.exe
                                                                C:\Windows\system32\Odapnf32.exe
                                                                31⤵
                                                                • Modifies registry class
                                                                PID:3720
                                                                • C:\Windows\SysWOW64\Ogpmjb32.exe
                                                                  C:\Windows\system32\Ogpmjb32.exe
                                                                  32⤵
                                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                                  • Executes dropped EXE
                                                                  • Drops file in System32 directory
                                                                  • Modifies registry class
                                                                  PID:3472
                                                                  • C:\Windows\SysWOW64\Ojoign32.exe
                                                                    C:\Windows\system32\Ojoign32.exe
                                                                    33⤵
                                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                                    • Executes dropped EXE
                                                                    • Drops file in System32 directory
                                                                    • Modifies registry class
                                                                    PID:3060
                                                                    • C:\Windows\SysWOW64\Olmeci32.exe
                                                                      C:\Windows\system32\Olmeci32.exe
                                                                      34⤵
                                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                                      • Executes dropped EXE
                                                                      • Drops file in System32 directory
                                                                      • System Location Discovery: System Language Discovery
                                                                      • Modifies registry class
                                                                      PID:4940
                                                                      • C:\Windows\SysWOW64\Ocgmpccl.exe
                                                                        C:\Windows\system32\Ocgmpccl.exe
                                                                        35⤵
                                                                        • Executes dropped EXE
                                                                        • System Location Discovery: System Language Discovery
                                                                        PID:2208
                                                                        • C:\Windows\SysWOW64\Ojaelm32.exe
                                                                          C:\Windows\system32\Ojaelm32.exe
                                                                          36⤵
                                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                                          • Executes dropped EXE
                                                                          • Drops file in System32 directory
                                                                          • System Location Discovery: System Language Discovery
                                                                          • Modifies registry class
                                                                          PID:4848
                                                                          • C:\Windows\SysWOW64\Pmoahijl.exe
                                                                            C:\Windows\system32\Pmoahijl.exe
                                                                            37⤵
                                                                            • Executes dropped EXE
                                                                            • Drops file in System32 directory
                                                                            • Modifies registry class
                                                                            PID:4532
                                                                            • C:\Windows\SysWOW64\Pcijeb32.exe
                                                                              C:\Windows\system32\Pcijeb32.exe
                                                                              38⤵
                                                                              • Executes dropped EXE
                                                                              • Drops file in System32 directory
                                                                              • System Location Discovery: System Language Discovery
                                                                              PID:4216
                                                                              • C:\Windows\SysWOW64\Pnonbk32.exe
                                                                                C:\Windows\system32\Pnonbk32.exe
                                                                                39⤵
                                                                                • Executes dropped EXE
                                                                                • System Location Discovery: System Language Discovery
                                                                                PID:2952
                                                                                • C:\Windows\SysWOW64\Pdifoehl.exe
                                                                                  C:\Windows\system32\Pdifoehl.exe
                                                                                  40⤵
                                                                                  • Executes dropped EXE
                                                                                  • System Location Discovery: System Language Discovery
                                                                                  • Modifies registry class
                                                                                  PID:3516
                                                                                  • C:\Windows\SysWOW64\Pfjcgn32.exe
                                                                                    C:\Windows\system32\Pfjcgn32.exe
                                                                                    41⤵
                                                                                    • Executes dropped EXE
                                                                                    • Drops file in System32 directory
                                                                                    • Modifies registry class
                                                                                    PID:3728
                                                                                    • C:\Windows\SysWOW64\Pnakhkol.exe
                                                                                      C:\Windows\system32\Pnakhkol.exe
                                                                                      42⤵
                                                                                      • Executes dropped EXE
                                                                                      • Modifies registry class
                                                                                      PID:4200
                                                                                      • C:\Windows\SysWOW64\Pcncpbmd.exe
                                                                                        C:\Windows\system32\Pcncpbmd.exe
                                                                                        43⤵
                                                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                        • Executes dropped EXE
                                                                                        PID:5064
                                                                                        • C:\Windows\SysWOW64\Pjhlml32.exe
                                                                                          C:\Windows\system32\Pjhlml32.exe
                                                                                          44⤵
                                                                                          • Executes dropped EXE
                                                                                          • System Location Discovery: System Language Discovery
                                                                                          • Modifies registry class
                                                                                          PID:1532
                                                                                          • C:\Windows\SysWOW64\Pmfhig32.exe
                                                                                            C:\Windows\system32\Pmfhig32.exe
                                                                                            45⤵
                                                                                            • Executes dropped EXE
                                                                                            • Drops file in System32 directory
                                                                                            • System Location Discovery: System Language Discovery
                                                                                            • Modifies registry class
                                                                                            PID:1860
                                                                                            • C:\Windows\SysWOW64\Pqbdjfln.exe
                                                                                              C:\Windows\system32\Pqbdjfln.exe
                                                                                              46⤵
                                                                                              • Executes dropped EXE
                                                                                              • System Location Discovery: System Language Discovery
                                                                                              • Modifies registry class
                                                                                              PID:5008
                                                                                              • C:\Windows\SysWOW64\Pcppfaka.exe
                                                                                                C:\Windows\system32\Pcppfaka.exe
                                                                                                47⤵
                                                                                                • Executes dropped EXE
                                                                                                • Drops file in System32 directory
                                                                                                • System Location Discovery: System Language Discovery
                                                                                                PID:4560
                                                                                                • C:\Windows\SysWOW64\Pjjhbl32.exe
                                                                                                  C:\Windows\system32\Pjjhbl32.exe
                                                                                                  48⤵
                                                                                                  • Executes dropped EXE
                                                                                                  PID:768
                                                                                                  • C:\Windows\SysWOW64\Pmidog32.exe
                                                                                                    C:\Windows\system32\Pmidog32.exe
                                                                                                    49⤵
                                                                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                    • Executes dropped EXE
                                                                                                    • Drops file in System32 directory
                                                                                                    PID:1936
                                                                                                    • C:\Windows\SysWOW64\Pdpmpdbd.exe
                                                                                                      C:\Windows\system32\Pdpmpdbd.exe
                                                                                                      50⤵
                                                                                                      • Executes dropped EXE
                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                      PID:3528
                                                                                                      • C:\Windows\SysWOW64\Pgnilpah.exe
                                                                                                        C:\Windows\system32\Pgnilpah.exe
                                                                                                        51⤵
                                                                                                        • Executes dropped EXE
                                                                                                        • Drops file in System32 directory
                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                        PID:2988
                                                                                                        • C:\Windows\SysWOW64\Pfaigm32.exe
                                                                                                          C:\Windows\system32\Pfaigm32.exe
                                                                                                          52⤵
                                                                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                          • Executes dropped EXE
                                                                                                          • Drops file in System32 directory
                                                                                                          • Modifies registry class
                                                                                                          PID:2088
                                                                                                          • C:\Windows\SysWOW64\Qmkadgpo.exe
                                                                                                            C:\Windows\system32\Qmkadgpo.exe
                                                                                                            53⤵
                                                                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                            • Executes dropped EXE
                                                                                                            • Drops file in System32 directory
                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                            • Modifies registry class
                                                                                                            PID:4688
                                                                                                            • C:\Windows\SysWOW64\Qqfmde32.exe
                                                                                                              C:\Windows\system32\Qqfmde32.exe
                                                                                                              54⤵
                                                                                                              • Executes dropped EXE
                                                                                                              • Drops file in System32 directory
                                                                                                              • Modifies registry class
                                                                                                              PID:1224
                                                                                                              • C:\Windows\SysWOW64\Qgqeappe.exe
                                                                                                                C:\Windows\system32\Qgqeappe.exe
                                                                                                                55⤵
                                                                                                                • Executes dropped EXE
                                                                                                                PID:1208
                                                                                                                • C:\Windows\SysWOW64\Qjoankoi.exe
                                                                                                                  C:\Windows\system32\Qjoankoi.exe
                                                                                                                  56⤵
                                                                                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                  • Executes dropped EXE
                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                  PID:2972
                                                                                                                  • C:\Windows\SysWOW64\Qnjnnj32.exe
                                                                                                                    C:\Windows\system32\Qnjnnj32.exe
                                                                                                                    57⤵
                                                                                                                    • Executes dropped EXE
                                                                                                                    • Modifies registry class
                                                                                                                    PID:2628
                                                                                                                    • C:\Windows\SysWOW64\Qddfkd32.exe
                                                                                                                      C:\Windows\system32\Qddfkd32.exe
                                                                                                                      58⤵
                                                                                                                      • Executes dropped EXE
                                                                                                                      • Drops file in System32 directory
                                                                                                                      • Modifies registry class
                                                                                                                      PID:4964
                                                                                                                      • C:\Windows\SysWOW64\Qgcbgo32.exe
                                                                                                                        C:\Windows\system32\Qgcbgo32.exe
                                                                                                                        59⤵
                                                                                                                        • Executes dropped EXE
                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                        PID:3204
                                                                                                                        • C:\Windows\SysWOW64\Anmjcieo.exe
                                                                                                                          C:\Windows\system32\Anmjcieo.exe
                                                                                                                          60⤵
                                                                                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                          • Executes dropped EXE
                                                                                                                          • Drops file in System32 directory
                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                          PID:1384
                                                                                                                          • C:\Windows\SysWOW64\Adgbpc32.exe
                                                                                                                            C:\Windows\system32\Adgbpc32.exe
                                                                                                                            61⤵
                                                                                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                            • Executes dropped EXE
                                                                                                                            • Drops file in System32 directory
                                                                                                                            • Modifies registry class
                                                                                                                            PID:1084
                                                                                                                            • C:\Windows\SysWOW64\Afhohlbj.exe
                                                                                                                              C:\Windows\system32\Afhohlbj.exe
                                                                                                                              62⤵
                                                                                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                              • Executes dropped EXE
                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                              PID:2644
                                                                                                                              • C:\Windows\SysWOW64\Ajckij32.exe
                                                                                                                                C:\Windows\system32\Ajckij32.exe
                                                                                                                                63⤵
                                                                                                                                • Executes dropped EXE
                                                                                                                                PID:4896
                                                                                                                                • C:\Windows\SysWOW64\Ambgef32.exe
                                                                                                                                  C:\Windows\system32\Ambgef32.exe
                                                                                                                                  64⤵
                                                                                                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                  • Executes dropped EXE
                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                  PID:2852
                                                                                                                                  • C:\Windows\SysWOW64\Aqncedbp.exe
                                                                                                                                    C:\Windows\system32\Aqncedbp.exe
                                                                                                                                    65⤵
                                                                                                                                    • Executes dropped EXE
                                                                                                                                    • Drops file in System32 directory
                                                                                                                                    PID:3016
                                                                                                                                    • C:\Windows\SysWOW64\Agglboim.exe
                                                                                                                                      C:\Windows\system32\Agglboim.exe
                                                                                                                                      66⤵
                                                                                                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                      • Executes dropped EXE
                                                                                                                                      • Drops file in System32 directory
                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                      PID:4836
                                                                                                                                      • C:\Windows\SysWOW64\Ajfhnjhq.exe
                                                                                                                                        C:\Windows\system32\Ajfhnjhq.exe
                                                                                                                                        67⤵
                                                                                                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                        • Drops file in System32 directory
                                                                                                                                        PID:4304
                                                                                                                                        • C:\Windows\SysWOW64\Amddjegd.exe
                                                                                                                                          C:\Windows\system32\Amddjegd.exe
                                                                                                                                          68⤵
                                                                                                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                          • Modifies registry class
                                                                                                                                          PID:3112
                                                                                                                                          • C:\Windows\SysWOW64\Acnlgp32.exe
                                                                                                                                            C:\Windows\system32\Acnlgp32.exe
                                                                                                                                            69⤵
                                                                                                                                            • Modifies registry class
                                                                                                                                            PID:3324
                                                                                                                                            • C:\Windows\SysWOW64\Afmhck32.exe
                                                                                                                                              C:\Windows\system32\Afmhck32.exe
                                                                                                                                              70⤵
                                                                                                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                              • Drops file in System32 directory
                                                                                                                                              • Modifies registry class
                                                                                                                                              PID:4756
                                                                                                                                              • C:\Windows\SysWOW64\Amgapeea.exe
                                                                                                                                                C:\Windows\system32\Amgapeea.exe
                                                                                                                                                71⤵
                                                                                                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                • Modifies registry class
                                                                                                                                                PID:1564
                                                                                                                                                • C:\Windows\SysWOW64\Ajkaii32.exe
                                                                                                                                                  C:\Windows\system32\Ajkaii32.exe
                                                                                                                                                  72⤵
                                                                                                                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                  • Drops file in System32 directory
                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                  PID:5036
                                                                                                                                                  • C:\Windows\SysWOW64\Aminee32.exe
                                                                                                                                                    C:\Windows\system32\Aminee32.exe
                                                                                                                                                    73⤵
                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                    • Modifies registry class
                                                                                                                                                    PID:2024
                                                                                                                                                    • C:\Windows\SysWOW64\Aepefb32.exe
                                                                                                                                                      C:\Windows\system32\Aepefb32.exe
                                                                                                                                                      74⤵
                                                                                                                                                      • Drops file in System32 directory
                                                                                                                                                      PID:1960
                                                                                                                                                      • C:\Windows\SysWOW64\Bfabnjjp.exe
                                                                                                                                                        C:\Windows\system32\Bfabnjjp.exe
                                                                                                                                                        75⤵
                                                                                                                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                        PID:1984
                                                                                                                                                        • C:\Windows\SysWOW64\Bmkjkd32.exe
                                                                                                                                                          C:\Windows\system32\Bmkjkd32.exe
                                                                                                                                                          76⤵
                                                                                                                                                          • Drops file in System32 directory
                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                          • Modifies registry class
                                                                                                                                                          PID:1708
                                                                                                                                                          • C:\Windows\SysWOW64\Bcebhoii.exe
                                                                                                                                                            C:\Windows\system32\Bcebhoii.exe
                                                                                                                                                            77⤵
                                                                                                                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                            PID:1948
                                                                                                                                                            • C:\Windows\SysWOW64\Bfdodjhm.exe
                                                                                                                                                              C:\Windows\system32\Bfdodjhm.exe
                                                                                                                                                              78⤵
                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                              PID:1064
                                                                                                                                                              • C:\Windows\SysWOW64\Bmngqdpj.exe
                                                                                                                                                                C:\Windows\system32\Bmngqdpj.exe
                                                                                                                                                                79⤵
                                                                                                                                                                PID:2148
                                                                                                                                                                  • C:\Windows\SysWOW64\Bchomn32.exe
                                                                                                                                                                    C:\Windows\system32\Bchomn32.exe
                                                                                                                                                                    80⤵
                                                                                                                                                                  PID:116
                                                                                                                                                                      • C:\Windows\SysWOW64\Bgcknmop.exe
                                                                                                                                                                        C:\Windows\system32\Bgcknmop.exe
                                                                                                                                                                        81⤵
                                                                                                                                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                        • Modifies registry class
                                                                                                                                                                        PID:764
                                                                                                                                                                        • C:\Windows\SysWOW64\Bnmcjg32.exe
                                                                                                                                                                          C:\Windows\system32\Bnmcjg32.exe
                                                                                                                                                                          82⤵
                                                                                                                                                                          • Drops file in System32 directory
                                                                                                                                                                          • Modifies registry class
                                                                                                                                                                          PID:1452
                                                                                                                                                                          • C:\Windows\SysWOW64\Balpgb32.exe
                                                                                                                                                                            C:\Windows\system32\Balpgb32.exe
                                                                                                                                                                            83⤵
                                                                                                                                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                            • Drops file in System32 directory
                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                            PID:4584
                                                                                                                                                                            • C:\Windows\SysWOW64\Beglgani.exe
                                                                                                                                                                              C:\Windows\system32\Beglgani.exe
                                                                                                                                                                              84⤵
                                                                                                                                                                              • Modifies registry class
                                                                                                                                                                              PID:2964
                                                                                                                                                                              • C:\Windows\SysWOW64\Bfhhoi32.exe
                                                                                                                                                                                C:\Windows\system32\Bfhhoi32.exe
                                                                                                                                                                                85⤵
                                                                                                                                                                                  PID:1280
                                                                                                                                                                                  • C:\Windows\SysWOW64\Bnpppgdj.exe
                                                                                                                                                                                    C:\Windows\system32\Bnpppgdj.exe
                                                                                                                                                                                    86⤵
                                                                                                                                                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                                    • Modifies registry class
                                                                                                                                                                                    PID:4420
                                                                                                                                                                                    • C:\Windows\SysWOW64\Bclhhnca.exe
                                                                                                                                                                                      C:\Windows\system32\Bclhhnca.exe
                                                                                                                                                                                      87⤵
                                                                                                                                                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                      • Modifies registry class
                                                                                                                                                                                      PID:3140
                                                                                                                                                                                      • C:\Windows\SysWOW64\Bjfaeh32.exe
                                                                                                                                                                                        C:\Windows\system32\Bjfaeh32.exe
                                                                                                                                                                                        88⤵
                                                                                                                                                                                        • Drops file in System32 directory
                                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                                        • Modifies registry class
                                                                                                                                                                                        PID:5148
                                                                                                                                                                                        • C:\Windows\SysWOW64\Bnbmefbg.exe
                                                                                                                                                                                          C:\Windows\system32\Bnbmefbg.exe
                                                                                                                                                                                          89⤵
                                                                                                                                                                                          • Drops file in System32 directory
                                                                                                                                                                                          PID:5196
                                                                                                                                                                                          • C:\Windows\SysWOW64\Bapiabak.exe
                                                                                                                                                                                            C:\Windows\system32\Bapiabak.exe
                                                                                                                                                                                            90⤵
                                                                                                                                                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                            • Modifies registry class
                                                                                                                                                                                            PID:5240
                                                                                                                                                                                            • C:\Windows\SysWOW64\Cfmajipb.exe
                                                                                                                                                                                              C:\Windows\system32\Cfmajipb.exe
                                                                                                                                                                                              91⤵
                                                                                                                                                                                              • Drops file in System32 directory
                                                                                                                                                                                              • Modifies registry class
                                                                                                                                                                                              PID:5284
                                                                                                                                                                                              • C:\Windows\SysWOW64\Cmgjgcgo.exe
                                                                                                                                                                                                C:\Windows\system32\Cmgjgcgo.exe
                                                                                                                                                                                                92⤵
                                                                                                                                                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                • Modifies registry class
                                                                                                                                                                                                PID:5336
                                                                                                                                                                                                • C:\Windows\SysWOW64\Cenahpha.exe
                                                                                                                                                                                                  C:\Windows\system32\Cenahpha.exe
                                                                                                                                                                                                  93⤵
                                                                                                                                                                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                                                  • Modifies registry class
                                                                                                                                                                                                  PID:5408
                                                                                                                                                                                                  • C:\Windows\SysWOW64\Chmndlge.exe
                                                                                                                                                                                                    C:\Windows\system32\Chmndlge.exe
                                                                                                                                                                                                    94⤵
                                                                                                                                                                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                                                    • Modifies registry class
                                                                                                                                                                                                    PID:5472
                                                                                                                                                                                                    • C:\Windows\SysWOW64\Cjkjpgfi.exe
                                                                                                                                                                                                      C:\Windows\system32\Cjkjpgfi.exe
                                                                                                                                                                                                      95⤵
                                                                                                                                                                                                        PID:5516
                                                                                                                                                                                                        • C:\Windows\SysWOW64\Cmiflbel.exe
                                                                                                                                                                                                          C:\Windows\system32\Cmiflbel.exe
                                                                                                                                                                                                          96⤵
                                                                                                                                                                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                                          PID:5560
                                                                                                                                                                                                          • C:\Windows\SysWOW64\Caebma32.exe
                                                                                                                                                                                                            C:\Windows\system32\Caebma32.exe
                                                                                                                                                                                                            97⤵
                                                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                                                            PID:5604
                                                                                                                                                                                                            • C:\Windows\SysWOW64\Ceqnmpfo.exe
                                                                                                                                                                                                              C:\Windows\system32\Ceqnmpfo.exe
                                                                                                                                                                                                              98⤵
                                                                                                                                                                                                              • Drops file in System32 directory
                                                                                                                                                                                                              PID:5648
                                                                                                                                                                                                              • C:\Windows\SysWOW64\Chokikeb.exe
                                                                                                                                                                                                                C:\Windows\system32\Chokikeb.exe
                                                                                                                                                                                                                99⤵
                                                                                                                                                                                                                • Drops file in System32 directory
                                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                • Modifies registry class
                                                                                                                                                                                                                PID:5692
                                                                                                                                                                                                                • C:\Windows\SysWOW64\Cfbkeh32.exe
                                                                                                                                                                                                                  C:\Windows\system32\Cfbkeh32.exe
                                                                                                                                                                                                                  100⤵
                                                                                                                                                                                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                  PID:5736
                                                                                                                                                                                                                  • C:\Windows\SysWOW64\Cnicfe32.exe
                                                                                                                                                                                                                    C:\Windows\system32\Cnicfe32.exe
                                                                                                                                                                                                                    101⤵
                                                                                                                                                                                                                    • Drops file in System32 directory
                                                                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                    PID:5780
                                                                                                                                                                                                                    • C:\Windows\SysWOW64\Cmlcbbcj.exe
                                                                                                                                                                                                                      C:\Windows\system32\Cmlcbbcj.exe
                                                                                                                                                                                                                      102⤵
                                                                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                      PID:5824
                                                                                                                                                                                                                      • C:\Windows\SysWOW64\Ceckcp32.exe
                                                                                                                                                                                                                        C:\Windows\system32\Ceckcp32.exe
                                                                                                                                                                                                                        103⤵
                                                                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                        • Modifies registry class
                                                                                                                                                                                                                        PID:5868
                                                                                                                                                                                                                        • C:\Windows\SysWOW64\Cdfkolkf.exe
                                                                                                                                                                                                                          C:\Windows\system32\Cdfkolkf.exe
                                                                                                                                                                                                                          104⤵
                                                                                                                                                                                                                          • Modifies registry class
                                                                                                                                                                                                                          PID:5912
                                                                                                                                                                                                                          • C:\Windows\SysWOW64\Chagok32.exe
                                                                                                                                                                                                                            C:\Windows\system32\Chagok32.exe
                                                                                                                                                                                                                            105⤵
                                                                                                                                                                                                                            • Drops file in System32 directory
                                                                                                                                                                                                                            • Modifies registry class
                                                                                                                                                                                                                            PID:5956
                                                                                                                                                                                                                            • C:\Windows\SysWOW64\Cjpckf32.exe
                                                                                                                                                                                                                              C:\Windows\system32\Cjpckf32.exe
                                                                                                                                                                                                                              106⤵
                                                                                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                              PID:6000
                                                                                                                                                                                                                              • C:\Windows\SysWOW64\Cnkplejl.exe
                                                                                                                                                                                                                                C:\Windows\system32\Cnkplejl.exe
                                                                                                                                                                                                                                107⤵
                                                                                                                                                                                                                                • Drops file in System32 directory
                                                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                PID:6044
                                                                                                                                                                                                                                • C:\Windows\SysWOW64\Cajlhqjp.exe
                                                                                                                                                                                                                                  C:\Windows\system32\Cajlhqjp.exe
                                                                                                                                                                                                                                  108⤵
                                                                                                                                                                                                                                  • Drops file in System32 directory
                                                                                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                  • Modifies registry class
                                                                                                                                                                                                                                  PID:6088
                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\Ceehho32.exe
                                                                                                                                                                                                                                    C:\Windows\system32\Ceehho32.exe
                                                                                                                                                                                                                                    109⤵
                                                                                                                                                                                                                                      PID:6132
                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\Cffdpghg.exe
                                                                                                                                                                                                                                        C:\Windows\system32\Cffdpghg.exe
                                                                                                                                                                                                                                        110⤵
                                                                                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                        PID:4392
                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\Dhfajjoj.exe
                                                                                                                                                                                                                                          C:\Windows\system32\Dhfajjoj.exe
                                                                                                                                                                                                                                          111⤵
                                                                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                          PID:5224
                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\Djdmffnn.exe
                                                                                                                                                                                                                                            C:\Windows\system32\Djdmffnn.exe
                                                                                                                                                                                                                                            112⤵
                                                                                                                                                                                                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                            PID:5292
                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\Dejacond.exe
                                                                                                                                                                                                                                              C:\Windows\system32\Dejacond.exe
                                                                                                                                                                                                                                              113⤵
                                                                                                                                                                                                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                              • Drops file in System32 directory
                                                                                                                                                                                                                                              • Modifies registry class
                                                                                                                                                                                                                                              PID:5396
                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\Dfknkg32.exe
                                                                                                                                                                                                                                                C:\Windows\system32\Dfknkg32.exe
                                                                                                                                                                                                                                                114⤵
                                                                                                                                                                                                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                                • Drops file in System32 directory
                                                                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                PID:5464
                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\Djgjlelk.exe
                                                                                                                                                                                                                                                  C:\Windows\system32\Djgjlelk.exe
                                                                                                                                                                                                                                                  115⤵
                                                                                                                                                                                                                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                                  • Drops file in System32 directory
                                                                                                                                                                                                                                                  PID:5532
                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\Dmefhako.exe
                                                                                                                                                                                                                                                    C:\Windows\system32\Dmefhako.exe
                                                                                                                                                                                                                                                    116⤵
                                                                                                                                                                                                                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                    PID:5600
                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\Daqbip32.exe
                                                                                                                                                                                                                                                      C:\Windows\system32\Daqbip32.exe
                                                                                                                                                                                                                                                      117⤵
                                                                                                                                                                                                                                                      • Drops file in System32 directory
                                                                                                                                                                                                                                                      • Modifies registry class
                                                                                                                                                                                                                                                      PID:5676
                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\Dhkjej32.exe
                                                                                                                                                                                                                                                        C:\Windows\system32\Dhkjej32.exe
                                                                                                                                                                                                                                                        118⤵
                                                                                                                                                                                                                                                          PID:5744
                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\Dmgbnq32.exe
                                                                                                                                                                                                                                                            C:\Windows\system32\Dmgbnq32.exe
                                                                                                                                                                                                                                                            119⤵
                                                                                                                                                                                                                                                            • Drops file in System32 directory
                                                                                                                                                                                                                                                            • Modifies registry class
                                                                                                                                                                                                                                                            PID:5812
                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\Daconoae.exe
                                                                                                                                                                                                                                                              C:\Windows\system32\Daconoae.exe
                                                                                                                                                                                                                                                              120⤵
                                                                                                                                                                                                                                                              • Drops file in System32 directory
                                                                                                                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                              PID:5896
                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\Dhmgki32.exe
                                                                                                                                                                                                                                                                C:\Windows\system32\Dhmgki32.exe
                                                                                                                                                                                                                                                                121⤵
                                                                                                                                                                                                                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                PID:5940
                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\Dfpgffpm.exe
                                                                                                                                                                                                                                                                  C:\Windows\system32\Dfpgffpm.exe
                                                                                                                                                                                                                                                                  122⤵
                                                                                                                                                                                                                                                                    PID:6012
                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\Dogogcpo.exe
                                                                                                                                                                                                                                                                      C:\Windows\system32\Dogogcpo.exe
                                                                                                                                                                                                                                                                      123⤵
                                                                                                                                                                                                                                                                        PID:6080
                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\Dmjocp32.exe
                                                                                                                                                                                                                                                                          C:\Windows\system32\Dmjocp32.exe
                                                                                                                                                                                                                                                                          124⤵
                                                                                                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                          PID:3108
                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\Deagdn32.exe
                                                                                                                                                                                                                                                                            C:\Windows\system32\Deagdn32.exe
                                                                                                                                                                                                                                                                            125⤵
                                                                                                                                                                                                                                                                              PID:5268
                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\Dhocqigp.exe
                                                                                                                                                                                                                                                                                C:\Windows\system32\Dhocqigp.exe
                                                                                                                                                                                                                                                                                126⤵
                                                                                                                                                                                                                                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                                                                • Drops file in System32 directory
                                                                                                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                • Modifies registry class
                                                                                                                                                                                                                                                                                PID:5380
                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\Dgbdlf32.exe
                                                                                                                                                                                                                                                                                  C:\Windows\system32\Dgbdlf32.exe
                                                                                                                                                                                                                                                                                  127⤵
                                                                                                                                                                                                                                                                                  • Drops file in System32 directory
                                                                                                                                                                                                                                                                                  PID:5548
                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\Dmllipeg.exe
                                                                                                                                                                                                                                                                                    C:\Windows\system32\Dmllipeg.exe
                                                                                                                                                                                                                                                                                    128⤵
                                                                                                                                                                                                                                                                                      PID:5700
                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                        C:\Windows\SysWOW64\WerFault.exe -u -p 5700 -s 224
                                                                                                                                                                                                                                                                                        129⤵
                                                                                                                                                                                                                                                                                        • Program crash
                                                                                                                                                                                                                                                                                        PID:5156
                      • C:\Windows\SysWOW64\WerFault.exe
                        C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5700 -ip 5700
                        1⤵
                          PID:5888

                        Network

                              MITRE ATT&CK Enterprise v15

                              Downloads


                              • memory/2080-119-0x0000000000400000-0x000000000043F000-memory.dmp

                                Filesize

                                252KB

                              • memory/2088-365-0x0000000000400000-0x000000000043F000-memory.dmp

                                Filesize

                                252KB

                              • memory/2148-527-0x0000000000400000-0x000000000043F000-memory.dmp

                                Filesize

                                252KB

                              • memory/2176-581-0x0000000000400000-0x000000000043F000-memory.dmp

                                Filesize

                                252KB

                              • memory/2176-48-0x0000000000400000-0x000000000043F000-memory.dmp

                                Filesize

                                252KB

                              • memory/2208-263-0x0000000000400000-0x000000000043F000-memory.dmp

                                Filesize

                                252KB

                              • memory/2308-127-0x0000000000400000-0x000000000043F000-memory.dmp

                                Filesize

                                252KB

                              • memory/2452-168-0x0000000000400000-0x000000000043F000-memory.dmp

                                Filesize

                                252KB

                              • memory/2500-571-0x0000000000400000-0x000000000043F000-memory.dmp

                                Filesize

                                252KB

                              • memory/2500-32-0x0000000000400000-0x000000000043F000-memory.dmp

                                Filesize

                                252KB

                              • memory/2508-88-0x0000000000400000-0x000000000043F000-memory.dmp

                                Filesize

                                252KB

                              • memory/2628-395-0x0000000000400000-0x000000000043F000-memory.dmp

                                Filesize

                                252KB

                              • memory/2644-425-0x0000000000400000-0x000000000043F000-memory.dmp

                                Filesize

                                252KB

                              • memory/2692-175-0x0000000000400000-0x000000000043F000-memory.dmp

                                Filesize

                                252KB

                              • memory/2852-437-0x0000000000400000-0x000000000043F000-memory.dmp

                                Filesize

                                252KB

                              • memory/2928-112-0x0000000000400000-0x000000000043F000-memory.dmp

                                Filesize

                                252KB

                              • memory/2952-287-0x0000000000400000-0x000000000043F000-memory.dmp

                                Filesize

                                252KB

                              • memory/2964-561-0x0000000000400000-0x000000000043F000-memory.dmp

                                Filesize

                                252KB

                              • memory/2972-393-0x0000000000400000-0x000000000043F000-memory.dmp

                                Filesize

                                252KB

                              • memory/2988-359-0x0000000000400000-0x000000000043F000-memory.dmp

                                Filesize

                                252KB

                              • memory/3016-443-0x0000000000400000-0x000000000043F000-memory.dmp

                                Filesize

                                252KB

                              • memory/3060-247-0x0000000000400000-0x000000000043F000-memory.dmp

                                Filesize

                                252KB

                              • memory/3112-461-0x0000000000400000-0x000000000043F000-memory.dmp

                                Filesize

                                252KB

                              • memory/3116-103-0x0000000000400000-0x000000000043F000-memory.dmp

                                Filesize

                                252KB

                              • memory/3140-582-0x0000000000400000-0x000000000043F000-memory.dmp

                                Filesize

                                252KB

                              • memory/3164-216-0x0000000000400000-0x000000000043F000-memory.dmp

                                Filesize

                                252KB

                              • memory/3204-407-0x0000000000400000-0x000000000043F000-memory.dmp

                                Filesize

                                252KB

                              • memory/3244-560-0x0000000000400000-0x000000000043F000-memory.dmp

                                Filesize

                                252KB

                              • memory/3244-23-0x0000000000400000-0x000000000043F000-memory.dmp

                                Filesize

                                252KB

                              • memory/3248-15-0x0000000000400000-0x000000000043F000-memory.dmp

                                Filesize

                                252KB

                              • memory/3248-553-0x0000000000400000-0x000000000043F000-memory.dmp

                                Filesize

                                252KB

                              • memory/3316-588-0x0000000000400000-0x000000000043F000-memory.dmp

                                Filesize

                                252KB

                              • memory/3316-55-0x0000000000400000-0x000000000043F000-memory.dmp

                                Filesize

                                252KB

                              • memory/3324-472-0x0000000000400000-0x000000000043F000-memory.dmp

                                Filesize

                                252KB

                              • memory/3448-95-0x0000000000400000-0x000000000043F000-memory.dmp

                                Filesize

                                252KB

                              • memory/3472-239-0x0000000000400000-0x000000000043F000-memory.dmp

                                Filesize

                                252KB

                              • memory/3516-293-0x0000000000400000-0x000000000043F000-memory.dmp

                                Filesize

                                252KB

                              • memory/3528-353-0x0000000000400000-0x000000000043F000-memory.dmp

                                Filesize

                                252KB

                              • memory/3716-80-0x0000000000400000-0x000000000043F000-memory.dmp

                                Filesize

                                252KB

                              • memory/3720-232-0x0000000000400000-0x000000000043F000-memory.dmp

                                Filesize

                                252KB

                              • memory/3728-304-0x0000000000400000-0x000000000043F000-memory.dmp

                                Filesize

                                252KB

                              • memory/3732-192-0x0000000000400000-0x000000000043F000-memory.dmp

                                Filesize

                                252KB

                              • memory/3968-135-0x0000000000400000-0x000000000043F000-memory.dmp

                                Filesize

                                252KB

                              • memory/4128-231-0x0000000000400000-0x000000000043F000-memory.dmp

                                Filesize

                                252KB

                              • memory/4132-223-0x0000000000400000-0x000000000043F000-memory.dmp

                                Filesize

                                252KB

                              • memory/4200-305-0x0000000000400000-0x000000000043F000-memory.dmp

                                Filesize

                                252KB

                              • memory/4216-281-0x0000000000400000-0x000000000043F000-memory.dmp

                                Filesize

                                252KB

                              • memory/4252-208-0x0000000000400000-0x000000000043F000-memory.dmp

                                Filesize

                                252KB

                              • memory/4304-455-0x0000000000400000-0x000000000043F000-memory.dmp

                                Filesize

                                252KB

                              • memory/4420-575-0x0000000000400000-0x000000000043F000-memory.dmp

                                Filesize

                                252KB

                              • memory/4532-275-0x0000000000400000-0x000000000043F000-memory.dmp

                                Filesize

                                252KB

                              • memory/4560-335-0x0000000000400000-0x000000000043F000-memory.dmp

                                Filesize

                                252KB

                              • memory/4584-558-0x0000000000400000-0x000000000043F000-memory.dmp

                                Filesize

                                252KB

                              • memory/4688-371-0x0000000000400000-0x000000000043F000-memory.dmp

                                Filesize

                                252KB

                              • memory/4716-7-0x0000000000400000-0x000000000043F000-memory.dmp

                                Filesize

                                252KB

                              • memory/4716-546-0x0000000000400000-0x000000000043F000-memory.dmp

                                Filesize

                                252KB

                              • memory/4756-473-0x0000000000400000-0x000000000043F000-memory.dmp

                                Filesize

                                252KB

                              • memory/4836-449-0x0000000000400000-0x000000000043F000-memory.dmp

                                Filesize

                                252KB

                              • memory/4848-269-0x0000000000400000-0x000000000043F000-memory.dmp

                                Filesize

                                252KB

                              • memory/4896-431-0x0000000000400000-0x000000000043F000-memory.dmp

                                Filesize

                                252KB

                              • memory/4940-255-0x0000000000400000-0x000000000043F000-memory.dmp

                                Filesize

                                252KB

                              • memory/4964-401-0x0000000000400000-0x000000000043F000-memory.dmp

                                Filesize

                                252KB

                              • memory/5008-333-0x0000000000400000-0x000000000043F000-memory.dmp

                                Filesize

                                252KB

                              • memory/5036-485-0x0000000000400000-0x000000000043F000-memory.dmp

                                Filesize

                                252KB

                              • memory/5044-183-0x0000000000400000-0x000000000043F000-memory.dmp

                                Filesize

                                252KB

                              • memory/5064-311-0x0000000000400000-0x000000000043F000-memory.dmp

                                Filesize

                                252KB

                              • memory/5104-539-0x0000000000400000-0x000000000043F000-memory.dmp

                                Filesize

                                252KB

                              • memory/5104-0-0x0000000000400000-0x000000000043F000-memory.dmp

                                Filesize

                                252KB

                              • memory/5148-589-0x0000000000400000-0x000000000043F000-memory.dmp

                                Filesize

                                252KB