Analysis

  • max time kernel
    94s
  • max time network
    138s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07/11/2024, 04:10

General

  • Target

    c5c405683c54e2fd4a456ee444021ef38fc4ab10d489bda9e3360bf2364bcad8.exe

  • Size

    384KB

  • MD5

    9c84d8c9899ac78e7197e0764b3f2691

  • SHA1

    55461692252bb14945d263ac517a343930055f49

  • SHA256

    c5c405683c54e2fd4a456ee444021ef38fc4ab10d489bda9e3360bf2364bcad8

  • SHA512

    8bac3907ff3ae527bb2eb2258a132a5042fc2fef8cfbb670314d9ad3ed62d90560c87a2549340d998b0e639512df7c11ecf95101cf239d2e7d4c881906957c0b

  • SSDEEP

    6144:sf0oSPLuIR8SeNpgdyuH1lZfRo0V8JcgE+ezpg12:g0omSQ87g7/VycgE82

Malware Config

Extracted

Family

berbew

C2

http://viruslist.com/wcmd.txt

http://viruslist.com/ppslog.php

http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
  • Berbew

    Berbew is a backdoor written in C++.

  • Berbew family
  • Executes dropped EXE 54 IoCs
  • Drops file in System32 directory 64 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 56 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c5c405683c54e2fd4a456ee444021ef38fc4ab10d489bda9e3360bf2364bcad8.exe
    "C:\Users\Admin\AppData\Local\Temp\c5c405683c54e2fd4a456ee444021ef38fc4ab10d489bda9e3360bf2364bcad8.exe"
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4748
    • C:\Windows\SysWOW64\Aadifclh.exe
      C:\Windows\system32\Aadifclh.exe
      2⤵
      • Adds autorun key to be loaded by Explorer.exe on startup
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:844
      • C:\Windows\SysWOW64\Bnhjohkb.exe
        C:\Windows\system32\Bnhjohkb.exe
        3⤵
        • Adds autorun key to be loaded by Explorer.exe on startup
        • Executes dropped EXE
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:2984
        • C:\Windows\SysWOW64\Bagflcje.exe
          C:\Windows\system32\Bagflcje.exe
          4⤵
          • Adds autorun key to be loaded by Explorer.exe on startup
          • Executes dropped EXE
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:3772
          • C:\Windows\SysWOW64\Bnkgeg32.exe
            C:\Windows\system32\Bnkgeg32.exe
            5⤵
            • Adds autorun key to be loaded by Explorer.exe on startup
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Modifies registry class
            • Suspicious use of WriteProcessMemory
            PID:2036
            • C:\Windows\SysWOW64\Beeoaapl.exe
              C:\Windows\system32\Beeoaapl.exe
              6⤵
              • Adds autorun key to be loaded by Explorer.exe on startup
              • Executes dropped EXE
              • Drops file in System32 directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:3476
              • C:\Windows\SysWOW64\Bnmcjg32.exe
                C:\Windows\system32\Bnmcjg32.exe
                7⤵
                • Adds autorun key to be loaded by Explorer.exe on startup
                • Executes dropped EXE
                • Drops file in System32 directory
                • System Location Discovery: System Language Discovery
                • Modifies registry class
                • Suspicious use of WriteProcessMemory
                PID:456
                • C:\Windows\SysWOW64\Beglgani.exe
                  C:\Windows\system32\Beglgani.exe
                  8⤵
                  • Adds autorun key to be loaded by Explorer.exe on startup
                  • Executes dropped EXE
                  • Drops file in System32 directory
                  • System Location Discovery: System Language Discovery
                  • Modifies registry class
                  • Suspicious use of WriteProcessMemory
                  PID:4588
                  • C:\Windows\SysWOW64\Bgehcmmm.exe
                    C:\Windows\system32\Bgehcmmm.exe
                    9⤵
                    • Adds autorun key to be loaded by Explorer.exe on startup
                    • Executes dropped EXE
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of WriteProcessMemory
                    PID:1968
                    • C:\Windows\SysWOW64\Bmbplc32.exe
                      C:\Windows\system32\Bmbplc32.exe
                      10⤵
                      • Adds autorun key to be loaded by Explorer.exe on startup
                      • Executes dropped EXE
                      • Drops file in System32 directory
                      • System Location Discovery: System Language Discovery
                      • Modifies registry class
                      • Suspicious use of WriteProcessMemory
                      PID:2436
                      • C:\Windows\SysWOW64\Bhhdil32.exe
                        C:\Windows\system32\Bhhdil32.exe
                        11⤵
                        • Adds autorun key to be loaded by Explorer.exe on startup
                        • Executes dropped EXE
                        • Drops file in System32 directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of WriteProcessMemory
                        PID:3152
                        • C:\Windows\SysWOW64\Bapiabak.exe
                          C:\Windows\system32\Bapiabak.exe
                          12⤵
                          • Adds autorun key to be loaded by Explorer.exe on startup
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          • Modifies registry class
                          • Suspicious use of WriteProcessMemory
                          PID:4028
                          • C:\Windows\SysWOW64\Bcoenmao.exe
                            C:\Windows\system32\Bcoenmao.exe
                            13⤵
                            • Adds autorun key to be loaded by Explorer.exe on startup
                            • Executes dropped EXE
                            • Drops file in System32 directory
                            • System Location Discovery: System Language Discovery
                            • Modifies registry class
                            • Suspicious use of WriteProcessMemory
                            PID:1668
                            • C:\Windows\SysWOW64\Cfmajipb.exe
                              C:\Windows\system32\Cfmajipb.exe
                              14⤵
                              • Adds autorun key to be loaded by Explorer.exe on startup
                              • Executes dropped EXE
                              • Drops file in System32 directory
                              • System Location Discovery: System Language Discovery
                              • Modifies registry class
                              • Suspicious use of WriteProcessMemory
                              PID:4752
                              • C:\Windows\SysWOW64\Cmgjgcgo.exe
                                C:\Windows\system32\Cmgjgcgo.exe
                                15⤵
                                • Adds autorun key to be loaded by Explorer.exe on startup
                                • Executes dropped EXE
                                • Drops file in System32 directory
                                • System Location Discovery: System Language Discovery
                                • Modifies registry class
                                • Suspicious use of WriteProcessMemory
                                PID:2884
                                • C:\Windows\SysWOW64\Cenahpha.exe
                                  C:\Windows\system32\Cenahpha.exe
                                  16⤵
                                  • Executes dropped EXE
                                  • Drops file in System32 directory
                                  • System Location Discovery: System Language Discovery
                                  • Modifies registry class
                                  • Suspicious use of WriteProcessMemory
                                  PID:1300
                                  • C:\Windows\SysWOW64\Cdabcm32.exe
                                    C:\Windows\system32\Cdabcm32.exe
                                    17⤵
                                    • Executes dropped EXE
                                    • Drops file in System32 directory
                                    • System Location Discovery: System Language Discovery
                                    • Suspicious use of WriteProcessMemory
                                    PID:4692
                                    • C:\Windows\SysWOW64\Cjkjpgfi.exe
                                      C:\Windows\system32\Cjkjpgfi.exe
                                      18⤵
                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                      • Executes dropped EXE
                                      • Drops file in System32 directory
                                      • System Location Discovery: System Language Discovery
                                      • Modifies registry class
                                      • Suspicious use of WriteProcessMemory
                                      PID:1196
                                      • C:\Windows\SysWOW64\Cdfkolkf.exe
                                        C:\Windows\system32\Cdfkolkf.exe
                                        19⤵
                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                        • Executes dropped EXE
                                        • System Location Discovery: System Language Discovery
                                        • Modifies registry class
                                        • Suspicious use of WriteProcessMemory
                                        PID:4600
                                        • C:\Windows\SysWOW64\Cjpckf32.exe
                                          C:\Windows\system32\Cjpckf32.exe
                                          20⤵
                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                          • Executes dropped EXE
                                          • Drops file in System32 directory
                                          • System Location Discovery: System Language Discovery
                                          • Suspicious use of WriteProcessMemory
                                          PID:2516
                                          • C:\Windows\SysWOW64\Cajlhqjp.exe
                                            C:\Windows\system32\Cajlhqjp.exe
                                            21⤵
                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                            • Executes dropped EXE
                                            • Drops file in System32 directory
                                            • System Location Discovery: System Language Discovery
                                            • Modifies registry class
                                            • Suspicious use of WriteProcessMemory
                                            PID:2668
                                            • C:\Windows\SysWOW64\Ceehho32.exe
                                              C:\Windows\system32\Ceehho32.exe
                                              22⤵
                                              • Executes dropped EXE
                                              • Drops file in System32 directory
                                              • System Location Discovery: System Language Discovery
                                              • Modifies registry class
                                              • Suspicious use of WriteProcessMemory
                                              PID:4980
                                              • C:\Windows\SysWOW64\Chcddk32.exe
                                                C:\Windows\system32\Chcddk32.exe
                                                23⤵
                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                • Executes dropped EXE
                                                • Drops file in System32 directory
                                                • System Location Discovery: System Language Discovery
                                                • Modifies registry class
                                                PID:3896
                                                • C:\Windows\SysWOW64\Cffdpghg.exe
                                                  C:\Windows\system32\Cffdpghg.exe
                                                  24⤵
                                                  • Executes dropped EXE
                                                  • Drops file in System32 directory
                                                  • System Location Discovery: System Language Discovery
                                                  • Modifies registry class
                                                  PID:1532
                                                  • C:\Windows\SysWOW64\Cnnlaehj.exe
                                                    C:\Windows\system32\Cnnlaehj.exe
                                                    25⤵
                                                    • Executes dropped EXE
                                                    • Drops file in System32 directory
                                                    • System Location Discovery: System Language Discovery
                                                    • Modifies registry class
                                                    PID:4564
                                                    • C:\Windows\SysWOW64\Cmqmma32.exe
                                                      C:\Windows\system32\Cmqmma32.exe
                                                      26⤵
                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                      • Executes dropped EXE
                                                      • Drops file in System32 directory
                                                      • System Location Discovery: System Language Discovery
                                                      PID:5036
                                                      • C:\Windows\SysWOW64\Cegdnopg.exe
                                                        C:\Windows\system32\Cegdnopg.exe
                                                        27⤵
                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                        • Executes dropped EXE
                                                        • Drops file in System32 directory
                                                        • System Location Discovery: System Language Discovery
                                                        • Modifies registry class
                                                        PID:232
                                                        • C:\Windows\SysWOW64\Ddjejl32.exe
                                                          C:\Windows\system32\Ddjejl32.exe
                                                          28⤵
                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                          • Executes dropped EXE
                                                          • System Location Discovery: System Language Discovery
                                                          • Modifies registry class
                                                          PID:3464
                                                          • C:\Windows\SysWOW64\Dhfajjoj.exe
                                                            C:\Windows\system32\Dhfajjoj.exe
                                                            29⤵
                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                            • Executes dropped EXE
                                                            • Drops file in System32 directory
                                                            • System Location Discovery: System Language Discovery
                                                            • Modifies registry class
                                                            PID:3488
                                                            • C:\Windows\SysWOW64\Dfiafg32.exe
                                                              C:\Windows\system32\Dfiafg32.exe
                                                              30⤵
                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                              • Executes dropped EXE
                                                              • System Location Discovery: System Language Discovery
                                                              PID:536
                                                              • C:\Windows\SysWOW64\Dopigd32.exe
                                                                C:\Windows\system32\Dopigd32.exe
                                                                31⤵
                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                • Executes dropped EXE
                                                                • Drops file in System32 directory
                                                                • System Location Discovery: System Language Discovery
                                                                • Modifies registry class
                                                                PID:4988
                                                                • C:\Windows\SysWOW64\Dmcibama.exe
                                                                  C:\Windows\system32\Dmcibama.exe
                                                                  32⤵
                                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                                  • Executes dropped EXE
                                                                  • Drops file in System32 directory
                                                                  • System Location Discovery: System Language Discovery
                                                                  • Modifies registry class
                                                                  PID:3672
                                                                  • C:\Windows\SysWOW64\Danecp32.exe
                                                                    C:\Windows\system32\Danecp32.exe
                                                                    33⤵
                                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                                    • Executes dropped EXE
                                                                    • Drops file in System32 directory
                                                                    • System Location Discovery: System Language Discovery
                                                                    • Modifies registry class
                                                                    PID:2704
                                                                    • C:\Windows\SysWOW64\Ddmaok32.exe
                                                                      C:\Windows\system32\Ddmaok32.exe
                                                                      34⤵
                                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                                      • Executes dropped EXE
                                                                      • Drops file in System32 directory
                                                                      • System Location Discovery: System Language Discovery
                                                                      PID:3324
                                                                      • C:\Windows\SysWOW64\Dhhnpjmh.exe
                                                                        C:\Windows\system32\Dhhnpjmh.exe
                                                                        35⤵
                                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                                        • Executes dropped EXE
                                                                        • System Location Discovery: System Language Discovery
                                                                        • Modifies registry class
                                                                        PID:2376
                                                                        • C:\Windows\SysWOW64\Djgjlelk.exe
                                                                          C:\Windows\system32\Djgjlelk.exe
                                                                          36⤵
                                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                                          • Executes dropped EXE
                                                                          • Drops file in System32 directory
                                                                          • System Location Discovery: System Language Discovery
                                                                          • Modifies registry class
                                                                          PID:2308
                                                                          • C:\Windows\SysWOW64\Dobfld32.exe
                                                                            C:\Windows\system32\Dobfld32.exe
                                                                            37⤵
                                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                                            • Executes dropped EXE
                                                                            • Drops file in System32 directory
                                                                            • System Location Discovery: System Language Discovery
                                                                            • Modifies registry class
                                                                            PID:3156
                                                                            • C:\Windows\SysWOW64\Dmefhako.exe
                                                                              C:\Windows\system32\Dmefhako.exe
                                                                              38⤵
                                                                              • Executes dropped EXE
                                                                              • System Location Discovery: System Language Discovery
                                                                              PID:4168
                                                                              • C:\Windows\SysWOW64\Delnin32.exe
                                                                                C:\Windows\system32\Delnin32.exe
                                                                                39⤵
                                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                • Executes dropped EXE
                                                                                • Drops file in System32 directory
                                                                                • System Location Discovery: System Language Discovery
                                                                                • Modifies registry class
                                                                                PID:2416
                                                                                • C:\Windows\SysWOW64\Ddonekbl.exe
                                                                                  C:\Windows\system32\Ddonekbl.exe
                                                                                  40⤵
                                                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                  • Executes dropped EXE
                                                                                  • Drops file in System32 directory
                                                                                  • System Location Discovery: System Language Discovery
                                                                                  • Modifies registry class
                                                                                  PID:2544
                                                                                  • C:\Windows\SysWOW64\Dhkjej32.exe
                                                                                    C:\Windows\system32\Dhkjej32.exe
                                                                                    41⤵
                                                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                    • Executes dropped EXE
                                                                                    • Drops file in System32 directory
                                                                                    • System Location Discovery: System Language Discovery
                                                                                    • Modifies registry class
                                                                                    PID:3000
                                                                                    • C:\Windows\SysWOW64\Dfnjafap.exe
                                                                                      C:\Windows\system32\Dfnjafap.exe
                                                                                      42⤵
                                                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                      • Executes dropped EXE
                                                                                      • Drops file in System32 directory
                                                                                      • System Location Discovery: System Language Discovery
                                                                                      • Modifies registry class
                                                                                      PID:2608
                                                                                      • C:\Windows\SysWOW64\Dodbbdbb.exe
                                                                                        C:\Windows\system32\Dodbbdbb.exe
                                                                                        43⤵
                                                                                        • Executes dropped EXE
                                                                                        • Drops file in System32 directory
                                                                                        • System Location Discovery: System Language Discovery
                                                                                        PID:2688
                                                                                        • C:\Windows\SysWOW64\Dmgbnq32.exe
                                                                                          C:\Windows\system32\Dmgbnq32.exe
                                                                                          44⤵
                                                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                          • Executes dropped EXE
                                                                                          • System Location Discovery: System Language Discovery
                                                                                          • Modifies registry class
                                                                                          PID:1492
                                                                                          • C:\Windows\SysWOW64\Daconoae.exe
                                                                                            C:\Windows\system32\Daconoae.exe
                                                                                            45⤵
                                                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                            • Executes dropped EXE
                                                                                            • Drops file in System32 directory
                                                                                            • System Location Discovery: System Language Discovery
                                                                                            • Modifies registry class
                                                                                            PID:2032
                                                                                            • C:\Windows\SysWOW64\Deokon32.exe
                                                                                              C:\Windows\system32\Deokon32.exe
                                                                                              46⤵
                                                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                              • Executes dropped EXE
                                                                                              • Drops file in System32 directory
                                                                                              • System Location Discovery: System Language Discovery
                                                                                              PID:4868
                                                                                              • C:\Windows\SysWOW64\Dhmgki32.exe
                                                                                                C:\Windows\system32\Dhmgki32.exe
                                                                                                47⤵
                                                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                • Executes dropped EXE
                                                                                                • Drops file in System32 directory
                                                                                                • System Location Discovery: System Language Discovery
                                                                                                • Modifies registry class
                                                                                                PID:1200
                                                                                                • C:\Windows\SysWOW64\Dfpgffpm.exe
                                                                                                  C:\Windows\system32\Dfpgffpm.exe
                                                                                                  48⤵
                                                                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                  • Executes dropped EXE
                                                                                                  • Drops file in System32 directory
                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                  • Modifies registry class
                                                                                                  PID:4384
                                                                                                  • C:\Windows\SysWOW64\Dkkcge32.exe
                                                                                                    C:\Windows\system32\Dkkcge32.exe
                                                                                                    49⤵
                                                                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                    • Executes dropped EXE
                                                                                                    • Drops file in System32 directory
                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                    • Modifies registry class
                                                                                                    PID:936
                                                                                                    • C:\Windows\SysWOW64\Dmjocp32.exe
                                                                                                      C:\Windows\system32\Dmjocp32.exe
                                                                                                      50⤵
                                                                                                      • Executes dropped EXE
                                                                                                      • Drops file in System32 directory
                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                      • Modifies registry class
                                                                                                      PID:3448
                                                                                                      • C:\Windows\SysWOW64\Daekdooc.exe
                                                                                                        C:\Windows\system32\Daekdooc.exe
                                                                                                        51⤵
                                                                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                        • Executes dropped EXE
                                                                                                        • Drops file in System32 directory
                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                        PID:4496
                                                                                                        • C:\Windows\SysWOW64\Dddhpjof.exe
                                                                                                          C:\Windows\system32\Dddhpjof.exe
                                                                                                          52⤵
                                                                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                          • Executes dropped EXE
                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                          • Modifies registry class
                                                                                                          PID:4968
                                                                                                          • C:\Windows\SysWOW64\Dhocqigp.exe
                                                                                                            C:\Windows\system32\Dhocqigp.exe
                                                                                                            53⤵
                                                                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                            • Executes dropped EXE
                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                            • Modifies registry class
                                                                                                            PID:892
                                                                                                            • C:\Windows\SysWOW64\Dknpmdfc.exe
                                                                                                              C:\Windows\system32\Dknpmdfc.exe
                                                                                                              54⤵
                                                                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                              • Executes dropped EXE
                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                              • Modifies registry class
                                                                                                              PID:1888
                                                                                                              • C:\Windows\SysWOW64\Doilmc32.exe
                                                                                                                C:\Windows\system32\Doilmc32.exe
                                                                                                                55⤵
                                                                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                • Drops file in System32 directory
                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                • Modifies registry class
                                                                                                                PID:3452
                                                                                                                • C:\Windows\SysWOW64\Dmllipeg.exe
                                                                                                                  C:\Windows\system32\Dmllipeg.exe
                                                                                                                  56⤵
                                                                                                                  • Executes dropped EXE
                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                  PID:1580
                                                                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                    C:\Windows\SysWOW64\WerFault.exe -u -p 1580 -s 408
                                                                                                                    57⤵
                                                                                                                    • Program crash
                                                                                                                    PID:1340
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1580 -ip 1580
    1⤵
      PID:1868

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Windows\SysWOW64\Aadifclh.exe

            Filesize

            384KB

            MD5

            55b125c0e63502b2a911b2447efabb69

            SHA1

            2a05008a6067717b8d65270274cc6e03f9a2ec43

            SHA256

            6f836bc7b48d78d6b52854e2baeb6f47749fc8c12984fec702fb310b5e0c8a3e

            SHA512

            e3114e77370f8e4bdd89e301d0a77ea7bebc193a21c0c7674fbed2b74a444a9c5a46b9193317f9af9b2a394d256cba15f5b8a5cac14c4db7d874d087843a2d51

          • C:\Windows\SysWOW64\Bagflcje.exe

            Filesize

            384KB

            MD5

            d08b26839870a1d06b738c82db67dd17

            SHA1

            d7a151ec1b6903aa06a4b8e17364a07cc8de9cb4

            SHA256

            ae0ccb9ee3975deb4d614aa067948920b708c09da1ecbbf00cd7711f53fc07bb

            SHA512

            3d10933bf51ebe1fdd870a98c2f921fff25f29b95e0731ec3a84db20f67bf7b83ce42797e2e578015d25873cba80d7d2c098144871cd8b04a099b300514035eb

          • C:\Windows\SysWOW64\Bapiabak.exe

            Filesize

            384KB

            MD5

            74523efec7bc2efa55f52e946697355d

            SHA1

            0c9bee5331dfa1559548b06714458d217245a2d9

            SHA256

            b8bc25542d9c7d2c9dafe158f860ef0e0b01f2ba5768d8a56835b57633c37019

            SHA512

            a813d3cafca3366730a71571bfe8b52f4880735dd7578d006ad488227045e2acc348522ba54f5153dc308da1e482f96877931ef74c171f9032f0d80707bad8b3

          • C:\Windows\SysWOW64\Bcoenmao.exe

            Filesize

            384KB

            MD5

            8aa7f0bbbbd677c8fbf5abfacd4dd01c

            SHA1

            c339c5bacf029b5c3d7528046f8d4a939a1b247b

            SHA256

            9d450a2f921e3dce7c9e518e3ebaeb44faf446f36b02cb7ef6811ad0ba57bf01

            SHA512

            d7746df62d05b038e09f46d0a882081abb51d033dc78de4c186efab4d5f3dc24168f873e6d7bdfe6edf0e6242fb33dbacfcdd2cf0f719c053380b23c01ed5714

          • C:\Windows\SysWOW64\Beeoaapl.exe

            Filesize

            384KB

            MD5

            fe8d8fad0cc32e69731d5caa784e197c

            SHA1

            a225e40e4653142fac1000d9aea75646c83e5975

            SHA256

            2d8f2124bbe6d2b65a6732f9e2e3ccc9b77f52e3b2a76fd2c754fd082055ebb7

            SHA512

            4c7949006dfe79e89ee8b759cf5693062888c23f32f6f94161f120543874a86adcac314aeed4b6caadb7d527542801b948141351797f46b23d5a4a8b133d711a

          • C:\Windows\SysWOW64\Beglgani.exe

            Filesize

            384KB

            MD5

            91df0094d60bb5aaf6aadb99d23da868

            SHA1

            cd0a4b77cba7dd52348506753848bd5636d41c30

            SHA256

            0b1a1623d210de3c895aa1751bc7c408ff4e7aed16e96aad51a5b85980ac6d99

            SHA512

            796c58a334dc2e82abed7c6035e4c52df85807ae59c24449a6d939507518dce1be1872ec08717274f32653d1472f48d2d4c2c64a5019d3f0952e96b56826bfac

          • C:\Windows\SysWOW64\Bgehcmmm.exe

            Filesize

            384KB

            MD5

            2179086796f9bb8db742f27eb4cc1b3b

            SHA1

            7d4c6274f1edb46429fdbaee32cb16024310714a

            SHA256

            6a685896012bdea96c1484bd0e645346693193245cdd1e38185d7d8d26626319

            SHA512

            1e97fa593f076202dedbe952fa43f45f828af27728ff98ce06e5c9c8ef937ddd1d19fec6659c2a37f4db6cef1de31c75965d8a783f441f737ff6b8aadbef3239

          • C:\Windows\SysWOW64\Bhhdil32.exe

            Filesize

            384KB

            MD5

            55c2c784591f711862368eb2bcd55247

            SHA1

            38f79f36399ca7bb9a3ced25955f7f21720e8f31

            SHA256

            1da64096d748018eb5a553ff7513a8a59f8064483756d795f98fb48df461838b

            SHA512

            3e484e3a04b1d807301f95f188cfe45764496eeda3302f15963267fec766820e810aecb1f0a68ce14f7141db883ef71c57a1617c8859e79b8124b4ab5d6b9251

          • C:\Windows\SysWOW64\Bmbplc32.exe

            Filesize

            384KB

            MD5

            0e35639803bfd9643f7f25232d1d3b50

            SHA1

            d8c03c907d7a2cb8bd877f08ba448fe0cdfefe41

            SHA256

            02664810d0d69ffb85962c590b1114d1d254bfad0b2b7daa0fc440deb8558830

            SHA512

            ad5dbc8161f001f54e12c0d36b83ea5c01927ce2e60dd2b9462bac42d450185d8add734bace06d2fd7253e973bd6cdd862df5c198bfec4267e708b86408ac7d9

          • C:\Windows\SysWOW64\Bnhjohkb.exe

            Filesize

            384KB

            MD5

            5e423dd3bec5f6579a1688034fa13e42

            SHA1

            6b4590ad9ae0c5a027f62d2b322cbc2101960973

            SHA256

            f0677a4c4c8b99752b05c419f9d6310d52a38a986c698fc5a7ab597225175432

            SHA512

            abdc2c634087ddea475c0526d85a499da7f67b65789d2c7171e795379e6e6f4bc96e86b37f27b0c1102cac6f5d7d16e5115a84efe19e086e053761dc2ee0e96f

          • C:\Windows\SysWOW64\Bnkgeg32.exe

            Filesize

            384KB

            MD5

            00e3918576a1aeebf97da867b248379c

            SHA1

            1709cb478b430576064442515d71fb703681bdf8

            SHA256

            fad12f486dd975b566ec1fdd6da3a0fc4618d4d89b7f6a0d25003f59ddc2340a

            SHA512

            6c7e00182706dd630c7b8e83c53a0f8db93ab3c48335cf434aff1dc4032a4c2251b6b2d674fb60a5ce77afa7b6327c4eec35b95783fc64acb278b90f008749e1

          • C:\Windows\SysWOW64\Bnmcjg32.exe

            Filesize

            384KB

            MD5

            0ae159163e8566c045f7c58b1f0406ba

            SHA1

            7f286abe9b947677ddd578831ddb5c8b3f0a915d

            SHA256

            a348ab21a063970932400b1fdc3fff7beecddc9c5bd97fc99c50a784f374e86d

            SHA512

            71e01c394b850122cfccbb32ffabcd78d0cfcbcde6e218c97380f312c3f9757c69d62ed7396e7fc0e0e1fe79781bfa8f1927284c10e0c9dfc5a01ca1098bc742

          • C:\Windows\SysWOW64\Cajlhqjp.exe

            Filesize

            384KB

            MD5

            a6e4f93c2700edf5bc526fae77bf2253

            SHA1

            8769cd796b5e49b7cf5b644796ecda4a56cfc4a3

            SHA256

            a8d44e58a6c18d20cc68219c2dcf51231fd8c44df528f3cc793e9384d5f8e457

            SHA512

            2c1e8b8881e9d7e5697864a0a5641ce3a352d915e2d95d41694a57bfa899121995187ee64ffca32b5ced47397ab5a5cf0e6c7a983068ff0a77654112d558e720

          • C:\Windows\SysWOW64\Cdabcm32.exe

            Filesize

            384KB

            MD5

            c065e8222bbfb14814bb24e24977a98a

            SHA1

            8ba85aa20587feff9f4bb4035acae85ca0918867

            SHA256

            b7b81f1ec366333f9254eca925df3b7b50f0c13fcc603305b4b50b8a09bd0bfb

            SHA512

            5daa602ade0607bdffdf960e1604f7b36d06f607c10a4a1787da1f44a01dbcac9c69c64c4b6de4773c21ba3d8a7f71a725574c308dde2a133f362a6df6a856e4

          • C:\Windows\SysWOW64\Cdfkolkf.exe

            Filesize

            384KB

            MD5

            f12e565b9384220543c7b4bb3984500b

            SHA1

            8b051c80e9331d986db293358c855a9c58557fce

            SHA256

            9002fee12f0518ac4bde39a47ccb6419b411f6e07ce95415c96baf5be367ba44

            SHA512

            046cd3ad6666c81aac87eab667b265e8361b786f62caa0ed674f1ddeb53bc11e9d72bd5707fe9aac363c67844290f22c20436fbd34a447275e8b69a20b26cb6b

          • C:\Windows\SysWOW64\Ceehho32.exe

            Filesize

            384KB

            MD5

            8cb2b3276e1e00b87e571c8f563958ee

            SHA1

            4500bc538c1fa2d19e0b4c8a163fa710c1caac91

            SHA256

            b9d4d525236617c9b5da01f8a04c8b89ed98150c0735f3b9a1867a71b6fd99c5

            SHA512

            1db47b6a724badd6a40e4c2820d3141817f07402a0456e1630962bb3b5e8b421799dd7fdc1e34c9513cbc04bd72a47328c2a73f13eb3daaa6706891121263cce

          • C:\Windows\SysWOW64\Cegdnopg.exe

            Filesize

            384KB

            MD5

            e004ee88a9e30639e706886a83de48cb

            SHA1

            7bf424b46f013e97edb840fab440b06fa67fdeb7

            SHA256

            d9ceb1c4fa3074cf86b5dd9105be484f5446ee89f8abab46ad60729e3fe29beb

            SHA512

            b963b509698b8e91c79e9eaa81dd4cc55b02a7748045af0cace938fb6ee8ca134fced67f16417598c5dae23eb60f86f0fc257b6ccb8d0feecede5b795cb24a82

          • C:\Windows\SysWOW64\Cenahpha.exe

            Filesize

            384KB

            MD5

            1a220cee20e986bd7a67b447bf4bb30c

            SHA1

            bc0d2486223d85e1d3e0fb48249605ff7da9d685

            SHA256

            c4ed63b3768f9de2d96db854c221894f07aebce6bc2fa70af12a03ef4566cf7f

            SHA512

            ed5fb90e069f72c5e8ae8fbd4849de986131502b13304376c03e804ab3a34ebd349528ed8d7109e8d60f38da50643aba51159411a0b8d0ccc41c8fc990b2211e

          • C:\Windows\SysWOW64\Cffdpghg.exe

            Filesize

            384KB

            MD5

            ea4aeb0be6aaf583a4247c71861fb640

            SHA1

            b761f8cb99029c90afc3ed0112b5b47e3e316455

            SHA256

            e550054f3204cc43d44ab2e25e17650cec22f8aa96d9940c7dcdc1f694424724

            SHA512

            3b5a3787737ef948a9ee8eec32591e8b791c8681ab18d3395a9e3b4b06e896bc8339d809edbee9c95b4d1e62d4ecda98c41499e4dbfef4f949743b6b120eaca1

          • C:\Windows\SysWOW64\Cfmajipb.exe

            Filesize

            384KB

            MD5

            0b328afe142f5052faf9260c89ab55d5

            SHA1

            209dc7f9c65a261b151152df2c61a230644350f5

            SHA256

            1bfb06bdad85d3f840fdbf85b4c24d1534568b9f3b6c3fc0042ef7eb5c432670

            SHA512

            17957341f6fbedceff44315b8141b3bfd71621f945be4b648fd2ed821cb797340a0bf18980a197de7db61554c39d6ff559aed0ecbcff7f895ee4b459869c9864

          • C:\Windows\SysWOW64\Chcddk32.exe

            Filesize

            384KB

            MD5

            3d09d38e81f809ec59d2900e01bda662

            SHA1

            8357051ce3ac7258852e6eb83f572dec056f365b

            SHA256

            3a96c0173d99512496b1c5d252fd489cbb35b8ec6c9e68d5e0f950c44f4d2592

            SHA512

            61b399aaea659d5639637393671111ca50e551a4e2cfa6d2f773c87a06bbfbf2f002ca28f5790bddc020bf205c820d175d92e91d7776c69dd8b1076df6b8c35b

          • C:\Windows\SysWOW64\Cjkjpgfi.exe

            Filesize

            384KB

            MD5

            ac2aa4f18ec87abb563455d75a1aeea7

            SHA1

            23a340dac0b966297c6c4eb0eb36c21d30571509

            SHA256

            42bd3d1ba6e73aebf91ce1850c850c1c1883a7048c16b9b3a68618bfa4d6c342

            SHA512

            25f5c7996ecbd1c06b67072f66500f3144d94d632f043dd13563a806e199468964512de253f8088c3d072fd3c44ec499de1448ed479a9a793f082c75eb1b8081

          • C:\Windows\SysWOW64\Cjpckf32.exe

            Filesize

            384KB

            MD5

            2c7347385586146bf666d3f1ab136bee

            SHA1

            87f5222d9a2d40b6b192e5d50ffdd21c6cb95241

            SHA256

            a33b2f1e3389bc3715f21cf0c8263d2ecbc296221afc1094a30e0613561ef87b

            SHA512

            b4e9b2e0bd460ed736e59be3d1f5549a7aaf7b3460f746c7ec1f71b4fa550b3dca15fc061a4280b3294381f69fc2ff954b5ef0d99af72d1509d21f6ebb537171

          • C:\Windows\SysWOW64\Cmgjgcgo.exe

            Filesize

            384KB

            MD5

            03fecb21b1390bc2049136d0a83da312

            SHA1

            fa95b048017970436db299899c2c095932289177

            SHA256

            68e5d2079e19c1bcf765b2a3950bf1b7bd0422ef42f160f77453902fba0fd53d

            SHA512

            933431ca8dd535f64ff0c83fc30d7a5217928f8e9146efc8b92910f60eff646f1f1fb4cf36dd32355ae56bcffa4ce96df45dd5fa00b3fd9637b4c35c2c3d0928

          • C:\Windows\SysWOW64\Cmqmma32.exe

            Filesize

            384KB

            MD5

            d29f4bc94a38e2b7472686cb0ee6eae1

            SHA1

            02ca36a92c06f48d8dc7532a12b9a6b0776fc323

            SHA256

            e31344b3b15226a8a7f0bf8f771ae46f47f57d1ed1084e51251c47192b5723ce

            SHA512

            ad42104807d49be370b53b28f210b98a8d95d6b92749e7204f3f5781eecf826a348cde3b433863a1c6a673e3e0a23daa489f62db317b014aafe9809308a4c7d4

          • C:\Windows\SysWOW64\Cnnlaehj.exe

            Filesize

            384KB

            MD5

            c38dfa7047fc6196d9d31d8112a5c423

            SHA1

            f09789e072a140ad9802caafdf8cf511c1317835

            SHA256

            ecb63f1003baa22824d0b7e55bba250dd386f6cbfb69d2d82e6584ae3a9c7911

            SHA512

            4bb18e088aa40054c4d83b447bf7f558c87dbe42df389389999031719f31412c46e36e6d98e19f4b1112ff3a7a7695f503ee0092af342a5a9b2f1826b4d7e5a9

          • C:\Windows\SysWOW64\Danecp32.exe

            Filesize

            384KB

            MD5

            949a09485be19461eb980cd8b0ea34cc

            SHA1

            af03fd0f4953f208dcd353ca3754ab03a82a3497

            SHA256

            f2651cf1c40e8ae6cd3679bb7d85a6cd0ee6de736bdd559169517c660412aeb2

            SHA512

            2aa142395d9406e035b0b9bf88c2ba3f2b0821035ac0e3e9e43e0962977e68d1e8c3da2abd79166946158b7a3d99f2f63a767d6b88798d341bb40972695749a2

          • C:\Windows\SysWOW64\Ddjejl32.exe

            Filesize

            384KB

            MD5

            38dc8876f59a3ae69ccc67978864372d

            SHA1

            a9de94e12b91e0de0a76a2a71a1869d306819190

            SHA256

            f5c82a9b112bf20cd7060f67198648b9f03cb3518ff35726aace2d8608ec9477

            SHA512

            e21574ab13ca25b00472e39046b481947b4cc071c08122eebf425ea4275cac5f24d504b36d2301cb18d4459fc8e5f8cde0e7d9c029aeb9d782d88944f44a9e73

          • C:\Windows\SysWOW64\Dfiafg32.exe

            Filesize

            384KB

            MD5

            e51bf1ba47909ff2b496f6941c117527

            SHA1

            510f20fe32594d8209c11bbf6c7358d6e7c1dcfb

            SHA256

            259e4508fabed893b1950346e88a78b50945d870d950ce608916ad39b1760eea

            SHA512

            2928f98930419f8f7a704070f12819e8e0461cd1e85b9420ffa2c7597ecd1e751b7fc77fbc7d56d7d684e165f77b190de141383840d593d7008630c74adff1c2

          • C:\Windows\SysWOW64\Dhfajjoj.exe

            Filesize

            384KB

            MD5

            00af8bcf4c10cb289252b87e092f8981

            SHA1

            ebceedc6ecb599fe5611bd22234d080875bdbee5

            SHA256

            55ac1a50497b97f752f572d0bf9123d91a97e2a53874e57051c74882a764de05

            SHA512

            f389a9e06408e59b81a49623bd475c64c1de58a14d20c82227c45f98ec6cde11a00c28b5291614a6fbe0c4a9c07a83806ef0210797ecdf77014e11b72ab93c87

          • C:\Windows\SysWOW64\Dmcibama.exe

            Filesize

            384KB

            MD5

            36bb708e34db427a51b232c850f31846

            SHA1

            0737208eea71e15ac76c6e71b1a99d42193b0d69

            SHA256

            fde68e1b78b54dc29c5c7da1a7ea324984a384b1caddc5f2e3f6f694649e4125

            SHA512

            8222ea352bed2124aba971025c37a2593e82a793a47771cafcd690279c1ce2a3f35ab4ab4cfbae8b25a0be48f845276693ddf093b5fe156d6c605c7f38337c62

          • C:\Windows\SysWOW64\Dopigd32.exe

            Filesize

            384KB

            MD5

            96780b418f48e35bc2fb32bc77170f18

            SHA1

            71e235b8b295e93d481d71c1dbc815654f3b0641

            SHA256

            43687e9adb2a43107ad9024dae221b245bc38be4577648c8d1d8917ec8eddbe3

            SHA512

            824deed86c3b24819281bc2fa40fb775c73c69bca9f39d72e0d4cb36920a86d9e66458e8bda187d3ac3b155ad7d77b5fe1057d4f7fb461b2838bdd0366e06bf3

          • C:\Windows\SysWOW64\Ihidlk32.dll

            Filesize

            7KB

            MD5

            bd755a8f98fccb730d69532d08338d32

            SHA1

            478b9c7d0f592964f8713af8a791384853996870

            SHA256

            123d73363030dfebc34aa5a440c6a71a6e456fb063efc0191a8ef35890b90ea2

            SHA512

            aa4aaee09ed0f20b0fbe458915da99499bea12c0dd00d5fc08ba56ced239edc3aa7d76c3d88a9e565a54e73d4401aac5d2a33db15e488a44dc1aa69afdd7d18c

          • memory/232-213-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

          • memory/456-453-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

          • memory/456-47-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

          • memory/536-237-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

          • memory/844-8-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

          • memory/844-463-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

          • memory/892-381-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

          • memory/936-357-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

          • memory/1196-136-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

          • memory/1196-432-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

          • memory/1200-345-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

          • memory/1300-436-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

          • memory/1300-120-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

          • memory/1492-326-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

          • memory/1532-189-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

          • memory/1580-389-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

          • memory/1668-101-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

          • memory/1888-382-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

          • memory/1968-64-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

          • memory/1968-449-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

          • memory/2032-332-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

          • memory/2036-457-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

          • memory/2036-31-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

          • memory/2308-278-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

          • memory/2376-273-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

          • memory/2416-297-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

          • memory/2436-447-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

          • memory/2436-71-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

          • memory/2516-428-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

          • memory/2516-152-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

          • memory/2544-302-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

          • memory/2608-315-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

          • memory/2668-165-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

          • memory/2688-321-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

          • memory/2704-260-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

          • memory/2884-112-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

          • memory/2884-438-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

          • memory/2984-16-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

          • memory/2984-461-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

          • memory/3000-309-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

          • memory/3152-445-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

          • memory/3152-79-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

          • memory/3156-285-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

          • memory/3324-267-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

          • memory/3448-363-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

          • memory/3452-388-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

          • memory/3464-221-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

          • memory/3476-39-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

          • memory/3476-455-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

          • memory/3488-229-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

          • memory/3672-253-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

          • memory/3772-24-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

          • memory/3772-459-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

          • memory/3896-424-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

          • memory/3896-176-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

          • memory/4028-443-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

          • memory/4028-87-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

          • memory/4168-291-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

          • memory/4384-350-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

          • memory/4496-369-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

          • memory/4564-197-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

          • memory/4588-55-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

          • memory/4588-451-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

          • memory/4600-143-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

          • memory/4600-430-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

          • memory/4692-434-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

          • memory/4692-128-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

          • memory/4748-0-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

          • memory/4748-465-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

          • memory/4752-440-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

          • memory/4752-104-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

          • memory/4868-339-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

          • memory/4968-374-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

          • memory/4980-172-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

          • memory/4988-245-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

          • memory/5036-204-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB