Analysis

  • max time kernel
    94s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09/11/2024, 05:59

General

  • Target

    44666a663169d3e9ae81f8999d3d3ceb00ac3399f49b3c8c6f91d57a1714dac5N.exe

  • Size

    128KB

  • MD5

    c5c83fbca254cbfc57cf48f2ae172de0

  • SHA1

    1782f1588b408fcb9e4654ef0bbc4a6fc7e0f8cb

  • SHA256

    44666a663169d3e9ae81f8999d3d3ceb00ac3399f49b3c8c6f91d57a1714dac5

  • SHA512

    98266b3ecfbd6f42b62ebb10f89fffe9a0f036d0be9f6935ca63ecdd34939c22af060f8001a7cd9a2f7efc3cb2517b9dafd2e1612c1da201adbd6ea8e85d08d2

  • SSDEEP

    3072:mZS/mgLVUYSQIrx0kWzdH13+EE+RaZ6r+GDZnr:mZS/mgLdSQKZWzd5IF6rfBr

Malware Config

Extracted

Family

berbew

C2

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
  • Berbew

    Berbew is a backdoor written in C++.

  • Berbew family
  • Executes dropped EXE 64 IoCs
  • Drops file in System32 directory 64 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\44666a663169d3e9ae81f8999d3d3ceb00ac3399f49b3c8c6f91d57a1714dac5N.exe
    "C:\Users\Admin\AppData\Local\Temp\44666a663169d3e9ae81f8999d3d3ceb00ac3399f49b3c8c6f91d57a1714dac5N.exe"
    1⤵
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4000
    • C:\Windows\SysWOW64\Npmagine.exe
      C:\Windows\system32\Npmagine.exe
      2⤵
      • Adds autorun key to be loaded by Explorer.exe on startup
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:3600
      • C:\Windows\SysWOW64\Nggjdc32.exe
        C:\Windows\system32\Nggjdc32.exe
        3⤵
        • Executes dropped EXE
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:3440
        • C:\Windows\SysWOW64\Njefqo32.exe
          C:\Windows\system32\Njefqo32.exe
          4⤵
          • Adds autorun key to be loaded by Explorer.exe on startup
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:2440
          • C:\Windows\SysWOW64\Olcbmj32.exe
            C:\Windows\system32\Olcbmj32.exe
            5⤵
            • Executes dropped EXE
            • Modifies registry class
            • Suspicious use of WriteProcessMemory
            PID:4828
            • C:\Windows\SysWOW64\Ocnjidkf.exe
              C:\Windows\system32\Ocnjidkf.exe
              6⤵
              • Adds autorun key to be loaded by Explorer.exe on startup
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              PID:1264
              • C:\Windows\SysWOW64\Oflgep32.exe
                C:\Windows\system32\Oflgep32.exe
                7⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:4984
                • C:\Windows\SysWOW64\Ojgbfocc.exe
                  C:\Windows\system32\Ojgbfocc.exe
                  8⤵
                  • Adds autorun key to be loaded by Explorer.exe on startup
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  • Modifies registry class
                  • Suspicious use of WriteProcessMemory
                  PID:864
                  • C:\Windows\SysWOW64\Opakbi32.exe
                    C:\Windows\system32\Opakbi32.exe
                    9⤵
                    • Executes dropped EXE
                    • Modifies registry class
                    • Suspicious use of WriteProcessMemory
                    PID:2552
                    • C:\Windows\SysWOW64\Ogkcpbam.exe
                      C:\Windows\system32\Ogkcpbam.exe
                      10⤵
                      • Adds autorun key to be loaded by Explorer.exe on startup
                      • Executes dropped EXE
                      • Drops file in System32 directory
                      • System Location Discovery: System Language Discovery
                      • Modifies registry class
                      • Suspicious use of WriteProcessMemory
                      PID:4776
                      • C:\Windows\SysWOW64\Ofnckp32.exe
                        C:\Windows\system32\Ofnckp32.exe
                        11⤵
                        • Executes dropped EXE
                        • Drops file in System32 directory
                        • Suspicious use of WriteProcessMemory
                        PID:3888
                        • C:\Windows\SysWOW64\Oneklm32.exe
                          C:\Windows\system32\Oneklm32.exe
                          12⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          • Modifies registry class
                          • Suspicious use of WriteProcessMemory
                          PID:4044
                          • C:\Windows\SysWOW64\Opdghh32.exe
                            C:\Windows\system32\Opdghh32.exe
                            13⤵
                            • Adds autorun key to be loaded by Explorer.exe on startup
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            • Modifies registry class
                            • Suspicious use of WriteProcessMemory
                            PID:3356
                            • C:\Windows\SysWOW64\Ognpebpj.exe
                              C:\Windows\system32\Ognpebpj.exe
                              14⤵
                              • Executes dropped EXE
                              • System Location Discovery: System Language Discovery
                              • Suspicious use of WriteProcessMemory
                              PID:400
                              • C:\Windows\SysWOW64\Onhhamgg.exe
                                C:\Windows\system32\Onhhamgg.exe
                                15⤵
                                • Adds autorun key to be loaded by Explorer.exe on startup
                                • Executes dropped EXE
                                • System Location Discovery: System Language Discovery
                                • Suspicious use of WriteProcessMemory
                                PID:412
                                • C:\Windows\SysWOW64\Odapnf32.exe
                                  C:\Windows\system32\Odapnf32.exe
                                  16⤵
                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                  • Executes dropped EXE
                                  • Drops file in System32 directory
                                  • Modifies registry class
                                  • Suspicious use of WriteProcessMemory
                                  PID:876
                                  • C:\Windows\SysWOW64\Ogpmjb32.exe
                                    C:\Windows\system32\Ogpmjb32.exe
                                    17⤵
                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                    • Executes dropped EXE
                                    • Modifies registry class
                                    • Suspicious use of WriteProcessMemory
                                    PID:5028
                                    • C:\Windows\SysWOW64\Ojoign32.exe
                                      C:\Windows\system32\Ojoign32.exe
                                      18⤵
                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                      • Executes dropped EXE
                                      • Suspicious use of WriteProcessMemory
                                      PID:3280
                                      • C:\Windows\SysWOW64\Oqhacgdh.exe
                                        C:\Windows\system32\Oqhacgdh.exe
                                        19⤵
                                        • Executes dropped EXE
                                        • Drops file in System32 directory
                                        • Suspicious use of WriteProcessMemory
                                        PID:1772
                                        • C:\Windows\SysWOW64\Ogbipa32.exe
                                          C:\Windows\system32\Ogbipa32.exe
                                          20⤵
                                          • Executes dropped EXE
                                          • Drops file in System32 directory
                                          • Suspicious use of WriteProcessMemory
                                          PID:2548
                                          • C:\Windows\SysWOW64\Ojaelm32.exe
                                            C:\Windows\system32\Ojaelm32.exe
                                            21⤵
                                            • Executes dropped EXE
                                            • Suspicious use of WriteProcessMemory
                                            PID:2956
                                            • C:\Windows\SysWOW64\Pnlaml32.exe
                                              C:\Windows\system32\Pnlaml32.exe
                                              22⤵
                                              • Executes dropped EXE
                                              • Drops file in System32 directory
                                              • Suspicious use of WriteProcessMemory
                                              PID:1944
                                              • C:\Windows\SysWOW64\Pqknig32.exe
                                                C:\Windows\system32\Pqknig32.exe
                                                23⤵
                                                • Executes dropped EXE
                                                • System Location Discovery: System Language Discovery
                                                PID:2128
                                                • C:\Windows\SysWOW64\Pfhfan32.exe
                                                  C:\Windows\system32\Pfhfan32.exe
                                                  24⤵
                                                  • Executes dropped EXE
                                                  • System Location Discovery: System Language Discovery
                                                  PID:3348
                                                  • C:\Windows\SysWOW64\Pjcbbmif.exe
                                                    C:\Windows\system32\Pjcbbmif.exe
                                                    25⤵
                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                    • Executes dropped EXE
                                                    • Drops file in System32 directory
                                                    • Modifies registry class
                                                    PID:408
                                                    • C:\Windows\SysWOW64\Pmannhhj.exe
                                                      C:\Windows\system32\Pmannhhj.exe
                                                      26⤵
                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                      • Executes dropped EXE
                                                      • System Location Discovery: System Language Discovery
                                                      • Modifies registry class
                                                      PID:4328
                                                      • C:\Windows\SysWOW64\Pggbkagp.exe
                                                        C:\Windows\system32\Pggbkagp.exe
                                                        27⤵
                                                        • Executes dropped EXE
                                                        PID:3036
                                                        • C:\Windows\SysWOW64\Pjeoglgc.exe
                                                          C:\Windows\system32\Pjeoglgc.exe
                                                          28⤵
                                                          • Executes dropped EXE
                                                          • Drops file in System32 directory
                                                          • Modifies registry class
                                                          PID:2556
                                                          • C:\Windows\SysWOW64\Pqpgdfnp.exe
                                                            C:\Windows\system32\Pqpgdfnp.exe
                                                            29⤵
                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                            • Executes dropped EXE
                                                            • Modifies registry class
                                                            PID:2800
                                                            • C:\Windows\SysWOW64\Pcncpbmd.exe
                                                              C:\Windows\system32\Pcncpbmd.exe
                                                              30⤵
                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                              • Executes dropped EXE
                                                              • Drops file in System32 directory
                                                              • System Location Discovery: System Language Discovery
                                                              • Modifies registry class
                                                              PID:2516
                                                              • C:\Windows\SysWOW64\Pjhlml32.exe
                                                                C:\Windows\system32\Pjhlml32.exe
                                                                31⤵
                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                • Executes dropped EXE
                                                                • System Location Discovery: System Language Discovery
                                                                PID:3964
                                                                • C:\Windows\SysWOW64\Pqbdjfln.exe
                                                                  C:\Windows\system32\Pqbdjfln.exe
                                                                  32⤵
                                                                  • Executes dropped EXE
                                                                  • System Location Discovery: System Language Discovery
                                                                  PID:676
                                                                  • C:\Windows\SysWOW64\Pdmpje32.exe
                                                                    C:\Windows\system32\Pdmpje32.exe
                                                                    33⤵
                                                                    • Executes dropped EXE
                                                                    • System Location Discovery: System Language Discovery
                                                                    PID:4860
                                                                    • C:\Windows\SysWOW64\Pfolbmje.exe
                                                                      C:\Windows\system32\Pfolbmje.exe
                                                                      34⤵
                                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                                      • Executes dropped EXE
                                                                      • System Location Discovery: System Language Discovery
                                                                      • Modifies registry class
                                                                      PID:4988
                                                                      • C:\Windows\SysWOW64\Pjjhbl32.exe
                                                                        C:\Windows\system32\Pjjhbl32.exe
                                                                        35⤵
                                                                        • Executes dropped EXE
                                                                        PID:2264
                                                                        • C:\Windows\SysWOW64\Pmidog32.exe
                                                                          C:\Windows\system32\Pmidog32.exe
                                                                          36⤵
                                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                                          • Executes dropped EXE
                                                                          • System Location Discovery: System Language Discovery
                                                                          PID:5008
                                                                          • C:\Windows\SysWOW64\Pdpmpdbd.exe
                                                                            C:\Windows\system32\Pdpmpdbd.exe
                                                                            37⤵
                                                                            • Executes dropped EXE
                                                                            • System Location Discovery: System Language Discovery
                                                                            PID:1784
                                                                            • C:\Windows\SysWOW64\Pgnilpah.exe
                                                                              C:\Windows\system32\Pgnilpah.exe
                                                                              38⤵
                                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                                              • Executes dropped EXE
                                                                              • Drops file in System32 directory
                                                                              • System Location Discovery: System Language Discovery
                                                                              PID:3164
                                                                              • C:\Windows\SysWOW64\Pfaigm32.exe
                                                                                C:\Windows\system32\Pfaigm32.exe
                                                                                39⤵
                                                                                • Executes dropped EXE
                                                                                • System Location Discovery: System Language Discovery
                                                                                • Modifies registry class
                                                                                PID:4224
                                                                                • C:\Windows\SysWOW64\Qmkadgpo.exe
                                                                                  C:\Windows\system32\Qmkadgpo.exe
                                                                                  40⤵
                                                                                  • Executes dropped EXE
                                                                                  • System Location Discovery: System Language Discovery
                                                                                  • Modifies registry class
                                                                                  PID:1812
                                                                                  • C:\Windows\SysWOW64\Qqfmde32.exe
                                                                                    C:\Windows\system32\Qqfmde32.exe
                                                                                    41⤵
                                                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                    • Executes dropped EXE
                                                                                    • Modifies registry class
                                                                                    PID:1012
                                                                                    • C:\Windows\SysWOW64\Qceiaa32.exe
                                                                                      C:\Windows\system32\Qceiaa32.exe
                                                                                      42⤵
                                                                                      • Executes dropped EXE
                                                                                      • Modifies registry class
                                                                                      PID:2520
                                                                                      • C:\Windows\SysWOW64\Qgqeappe.exe
                                                                                        C:\Windows\system32\Qgqeappe.exe
                                                                                        43⤵
                                                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                        • Executes dropped EXE
                                                                                        • Drops file in System32 directory
                                                                                        • System Location Discovery: System Language Discovery
                                                                                        • Modifies registry class
                                                                                        PID:3996
                                                                                        • C:\Windows\SysWOW64\Qjoankoi.exe
                                                                                          C:\Windows\system32\Qjoankoi.exe
                                                                                          44⤵
                                                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                          • Executes dropped EXE
                                                                                          • Modifies registry class
                                                                                          PID:2072
                                                                                          • C:\Windows\SysWOW64\Qnjnnj32.exe
                                                                                            C:\Windows\system32\Qnjnnj32.exe
                                                                                            45⤵
                                                                                            • Executes dropped EXE
                                                                                            • Modifies registry class
                                                                                            PID:1192
                                                                                            • C:\Windows\SysWOW64\Qqijje32.exe
                                                                                              C:\Windows\system32\Qqijje32.exe
                                                                                              46⤵
                                                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                              • Executes dropped EXE
                                                                                              • System Location Discovery: System Language Discovery
                                                                                              PID:2660
                                                                                              • C:\Windows\SysWOW64\Qcgffqei.exe
                                                                                                C:\Windows\system32\Qcgffqei.exe
                                                                                                47⤵
                                                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                • Executes dropped EXE
                                                                                                • Drops file in System32 directory
                                                                                                • System Location Discovery: System Language Discovery
                                                                                                PID:5016
                                                                                                • C:\Windows\SysWOW64\Qffbbldm.exe
                                                                                                  C:\Windows\system32\Qffbbldm.exe
                                                                                                  48⤵
                                                                                                  • Executes dropped EXE
                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                  PID:4120
                                                                                                  • C:\Windows\SysWOW64\Ajanck32.exe
                                                                                                    C:\Windows\system32\Ajanck32.exe
                                                                                                    49⤵
                                                                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                    • Executes dropped EXE
                                                                                                    • Modifies registry class
                                                                                                    PID:3304
                                                                                                    • C:\Windows\SysWOW64\Ampkof32.exe
                                                                                                      C:\Windows\system32\Ampkof32.exe
                                                                                                      50⤵
                                                                                                      • Executes dropped EXE
                                                                                                      • Drops file in System32 directory
                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                      • Modifies registry class
                                                                                                      PID:4052
                                                                                                      • C:\Windows\SysWOW64\Aqkgpedc.exe
                                                                                                        C:\Windows\system32\Aqkgpedc.exe
                                                                                                        51⤵
                                                                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                        • Executes dropped EXE
                                                                                                        • Drops file in System32 directory
                                                                                                        PID:4752
                                                                                                        • C:\Windows\SysWOW64\Acjclpcf.exe
                                                                                                          C:\Windows\system32\Acjclpcf.exe
                                                                                                          52⤵
                                                                                                          • Executes dropped EXE
                                                                                                          • Drops file in System32 directory
                                                                                                          PID:4420
                                                                                                          • C:\Windows\SysWOW64\Afhohlbj.exe
                                                                                                            C:\Windows\system32\Afhohlbj.exe
                                                                                                            53⤵
                                                                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                            • Executes dropped EXE
                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                            PID:3060
                                                                                                            • C:\Windows\SysWOW64\Anogiicl.exe
                                                                                                              C:\Windows\system32\Anogiicl.exe
                                                                                                              54⤵
                                                                                                              • Executes dropped EXE
                                                                                                              • Drops file in System32 directory
                                                                                                              • Modifies registry class
                                                                                                              PID:4660
                                                                                                              • C:\Windows\SysWOW64\Aqncedbp.exe
                                                                                                                C:\Windows\system32\Aqncedbp.exe
                                                                                                                55⤵
                                                                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                • Executes dropped EXE
                                                                                                                • Drops file in System32 directory
                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                • Modifies registry class
                                                                                                                PID:2044
                                                                                                                • C:\Windows\SysWOW64\Aeiofcji.exe
                                                                                                                  C:\Windows\system32\Aeiofcji.exe
                                                                                                                  56⤵
                                                                                                                  • Executes dropped EXE
                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                  • Modifies registry class
                                                                                                                  PID:1084
                                                                                                                  • C:\Windows\SysWOW64\Agglboim.exe
                                                                                                                    C:\Windows\system32\Agglboim.exe
                                                                                                                    57⤵
                                                                                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                    • Executes dropped EXE
                                                                                                                    • Drops file in System32 directory
                                                                                                                    PID:1996
                                                                                                                    • C:\Windows\SysWOW64\Afjlnk32.exe
                                                                                                                      C:\Windows\system32\Afjlnk32.exe
                                                                                                                      58⤵
                                                                                                                      • Executes dropped EXE
                                                                                                                      • Drops file in System32 directory
                                                                                                                      PID:5068
                                                                                                                      • C:\Windows\SysWOW64\Anadoi32.exe
                                                                                                                        C:\Windows\system32\Anadoi32.exe
                                                                                                                        59⤵
                                                                                                                        • Executes dropped EXE
                                                                                                                        • Drops file in System32 directory
                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                        • Modifies registry class
                                                                                                                        PID:4792
                                                                                                                        • C:\Windows\SysWOW64\Amddjegd.exe
                                                                                                                          C:\Windows\system32\Amddjegd.exe
                                                                                                                          60⤵
                                                                                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                          • Executes dropped EXE
                                                                                                                          • Drops file in System32 directory
                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                          • Modifies registry class
                                                                                                                          PID:1580
                                                                                                                          • C:\Windows\SysWOW64\Acnlgp32.exe
                                                                                                                            C:\Windows\system32\Acnlgp32.exe
                                                                                                                            61⤵
                                                                                                                            • Executes dropped EXE
                                                                                                                            PID:3244
                                                                                                                            • C:\Windows\SysWOW64\Ajhddjfn.exe
                                                                                                                              C:\Windows\system32\Ajhddjfn.exe
                                                                                                                              62⤵
                                                                                                                              • Executes dropped EXE
                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                              • Modifies registry class
                                                                                                                              PID:3004
                                                                                                                              • C:\Windows\SysWOW64\Amgapeea.exe
                                                                                                                                C:\Windows\system32\Amgapeea.exe
                                                                                                                                63⤵
                                                                                                                                • Executes dropped EXE
                                                                                                                                • Drops file in System32 directory
                                                                                                                                • Modifies registry class
                                                                                                                                PID:1956
                                                                                                                                • C:\Windows\SysWOW64\Aeniabfd.exe
                                                                                                                                  C:\Windows\system32\Aeniabfd.exe
                                                                                                                                  64⤵
                                                                                                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                  • Executes dropped EXE
                                                                                                                                  • Drops file in System32 directory
                                                                                                                                  • Modifies registry class
                                                                                                                                  PID:628
                                                                                                                                  • C:\Windows\SysWOW64\Aglemn32.exe
                                                                                                                                    C:\Windows\system32\Aglemn32.exe
                                                                                                                                    65⤵
                                                                                                                                    • Executes dropped EXE
                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                    PID:4992
                                                                                                                                    • C:\Windows\SysWOW64\Ajkaii32.exe
                                                                                                                                      C:\Windows\system32\Ajkaii32.exe
                                                                                                                                      66⤵
                                                                                                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                      • Drops file in System32 directory
                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                      PID:4960
                                                                                                                                      • C:\Windows\SysWOW64\Anfmjhmd.exe
                                                                                                                                        C:\Windows\system32\Anfmjhmd.exe
                                                                                                                                        67⤵
                                                                                                                                          PID:5104
                                                                                                                                          • C:\Windows\SysWOW64\Aadifclh.exe
                                                                                                                                            C:\Windows\system32\Aadifclh.exe
                                                                                                                                            68⤵
                                                                                                                                            • Drops file in System32 directory
                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                            • Modifies registry class
                                                                                                                                            PID:5032
                                                                                                                                            • C:\Windows\SysWOW64\Accfbokl.exe
                                                                                                                                              C:\Windows\system32\Accfbokl.exe
                                                                                                                                              69⤵
                                                                                                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                              • Modifies registry class
                                                                                                                                              PID:4164
                                                                                                                                              • C:\Windows\SysWOW64\Bfabnjjp.exe
                                                                                                                                                C:\Windows\system32\Bfabnjjp.exe
                                                                                                                                                70⤵
                                                                                                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                PID:2168
                                                                                                                                                • C:\Windows\SysWOW64\Bnhjohkb.exe
                                                                                                                                                  C:\Windows\system32\Bnhjohkb.exe
                                                                                                                                                  71⤵
                                                                                                                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                  • Drops file in System32 directory
                                                                                                                                                  PID:3364
                                                                                                                                                  • C:\Windows\SysWOW64\Bagflcje.exe
                                                                                                                                                    C:\Windows\system32\Bagflcje.exe
                                                                                                                                                    72⤵
                                                                                                                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                    PID:4824
                                                                                                                                                    • C:\Windows\SysWOW64\Bebblb32.exe
                                                                                                                                                      C:\Windows\system32\Bebblb32.exe
                                                                                                                                                      73⤵
                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                      • Modifies registry class
                                                                                                                                                      PID:4728
                                                                                                                                                      • C:\Windows\SysWOW64\Bganhm32.exe
                                                                                                                                                        C:\Windows\system32\Bganhm32.exe
                                                                                                                                                        74⤵
                                                                                                                                                        • Drops file in System32 directory
                                                                                                                                                        PID:2040
                                                                                                                                                        • C:\Windows\SysWOW64\Bfdodjhm.exe
                                                                                                                                                          C:\Windows\system32\Bfdodjhm.exe
                                                                                                                                                          75⤵
                                                                                                                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                          • Modifies registry class
                                                                                                                                                          PID:2096
                                                                                                                                                          • C:\Windows\SysWOW64\Beeoaapl.exe
                                                                                                                                                            C:\Windows\system32\Beeoaapl.exe
                                                                                                                                                            76⤵
                                                                                                                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                            PID:5056
                                                                                                                                                            • C:\Windows\SysWOW64\Bgcknmop.exe
                                                                                                                                                              C:\Windows\system32\Bgcknmop.exe
                                                                                                                                                              77⤵
                                                                                                                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                              PID:2088
                                                                                                                                                              • C:\Windows\SysWOW64\Bjagjhnc.exe
                                                                                                                                                                C:\Windows\system32\Bjagjhnc.exe
                                                                                                                                                                78⤵
                                                                                                                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                • Drops file in System32 directory
                                                                                                                                                                PID:3664
                                                                                                                                                                • C:\Windows\SysWOW64\Bmpcfdmg.exe
                                                                                                                                                                  C:\Windows\system32\Bmpcfdmg.exe
                                                                                                                                                                  79⤵
                                                                                                                                                                    PID:3624
                                                                                                                                                                    • C:\Windows\SysWOW64\Beglgani.exe
                                                                                                                                                                      C:\Windows\system32\Beglgani.exe
                                                                                                                                                                      80⤵
                                                                                                                                                                      • Drops file in System32 directory
                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                      PID:4304
                                                                                                                                                                      • C:\Windows\SysWOW64\Bjddphlq.exe
                                                                                                                                                                        C:\Windows\system32\Bjddphlq.exe
                                                                                                                                                                        81⤵
                                                                                                                                                                          PID:1296
                                                                                                                                                                          • C:\Windows\SysWOW64\Beihma32.exe
                                                                                                                                                                            C:\Windows\system32\Beihma32.exe
                                                                                                                                                                            82⤵
                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                            PID:4736
                                                                                                                                                                            • C:\Windows\SysWOW64\Bhhdil32.exe
                                                                                                                                                                              C:\Windows\system32\Bhhdil32.exe
                                                                                                                                                                              83⤵
                                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                                              PID:2156
                                                                                                                                                                              • C:\Windows\SysWOW64\Bfkedibe.exe
                                                                                                                                                                                C:\Windows\system32\Bfkedibe.exe
                                                                                                                                                                                84⤵
                                                                                                                                                                                • Drops file in System32 directory
                                                                                                                                                                                PID:1020
                                                                                                                                                                                • C:\Windows\SysWOW64\Bapiabak.exe
                                                                                                                                                                                  C:\Windows\system32\Bapiabak.exe
                                                                                                                                                                                  85⤵
                                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                                  PID:2960
                                                                                                                                                                                  • C:\Windows\SysWOW64\Belebq32.exe
                                                                                                                                                                                    C:\Windows\system32\Belebq32.exe
                                                                                                                                                                                    86⤵
                                                                                                                                                                                    • Drops file in System32 directory
                                                                                                                                                                                    • Modifies registry class
                                                                                                                                                                                    PID:5132
                                                                                                                                                                                    • C:\Windows\SysWOW64\Cfmajipb.exe
                                                                                                                                                                                      C:\Windows\system32\Cfmajipb.exe
                                                                                                                                                                                      87⤵
                                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                                      PID:5176
                                                                                                                                                                                      • C:\Windows\SysWOW64\Cndikf32.exe
                                                                                                                                                                                        C:\Windows\system32\Cndikf32.exe
                                                                                                                                                                                        88⤵
                                                                                                                                                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                        • Modifies registry class
                                                                                                                                                                                        PID:5220
                                                                                                                                                                                        • C:\Windows\SysWOW64\Cabfga32.exe
                                                                                                                                                                                          C:\Windows\system32\Cabfga32.exe
                                                                                                                                                                                          89⤵
                                                                                                                                                                                          • Drops file in System32 directory
                                                                                                                                                                                          PID:5264
                                                                                                                                                                                          • C:\Windows\SysWOW64\Cdabcm32.exe
                                                                                                                                                                                            C:\Windows\system32\Cdabcm32.exe
                                                                                                                                                                                            90⤵
                                                                                                                                                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                            • Drops file in System32 directory
                                                                                                                                                                                            PID:5308
                                                                                                                                                                                            • C:\Windows\SysWOW64\Cfpnph32.exe
                                                                                                                                                                                              C:\Windows\system32\Cfpnph32.exe
                                                                                                                                                                                              91⤵
                                                                                                                                                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                              • Modifies registry class
                                                                                                                                                                                              PID:5352
                                                                                                                                                                                              • C:\Windows\SysWOW64\Cjkjpgfi.exe
                                                                                                                                                                                                C:\Windows\system32\Cjkjpgfi.exe
                                                                                                                                                                                                92⤵
                                                                                                                                                                                                • Drops file in System32 directory
                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                • Modifies registry class
                                                                                                                                                                                                PID:5396
                                                                                                                                                                                                • C:\Windows\SysWOW64\Cmiflbel.exe
                                                                                                                                                                                                  C:\Windows\system32\Cmiflbel.exe
                                                                                                                                                                                                  93⤵
                                                                                                                                                                                                  • Drops file in System32 directory
                                                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                                                  PID:5440
                                                                                                                                                                                                  • C:\Windows\SysWOW64\Ceqnmpfo.exe
                                                                                                                                                                                                    C:\Windows\system32\Ceqnmpfo.exe
                                                                                                                                                                                                    94⤵
                                                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                                                    PID:5484
                                                                                                                                                                                                    • C:\Windows\SysWOW64\Chokikeb.exe
                                                                                                                                                                                                      C:\Windows\system32\Chokikeb.exe
                                                                                                                                                                                                      95⤵
                                                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                                                      PID:5528
                                                                                                                                                                                                      • C:\Windows\SysWOW64\Cjmgfgdf.exe
                                                                                                                                                                                                        C:\Windows\system32\Cjmgfgdf.exe
                                                                                                                                                                                                        96⤵
                                                                                                                                                                                                          PID:5572
                                                                                                                                                                                                          • C:\Windows\SysWOW64\Cnicfe32.exe
                                                                                                                                                                                                            C:\Windows\system32\Cnicfe32.exe
                                                                                                                                                                                                            97⤵
                                                                                                                                                                                                              PID:5616
                                                                                                                                                                                                              • C:\Windows\SysWOW64\Cagobalc.exe
                                                                                                                                                                                                                C:\Windows\system32\Cagobalc.exe
                                                                                                                                                                                                                98⤵
                                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                PID:5660
                                                                                                                                                                                                                • C:\Windows\SysWOW64\Ceckcp32.exe
                                                                                                                                                                                                                  C:\Windows\system32\Ceckcp32.exe
                                                                                                                                                                                                                  99⤵
                                                                                                                                                                                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                  • Drops file in System32 directory
                                                                                                                                                                                                                  PID:5704
                                                                                                                                                                                                                  • C:\Windows\SysWOW64\Chagok32.exe
                                                                                                                                                                                                                    C:\Windows\system32\Chagok32.exe
                                                                                                                                                                                                                    100⤵
                                                                                                                                                                                                                    • Drops file in System32 directory
                                                                                                                                                                                                                    PID:5748
                                                                                                                                                                                                                    • C:\Windows\SysWOW64\Cfdhkhjj.exe
                                                                                                                                                                                                                      C:\Windows\system32\Cfdhkhjj.exe
                                                                                                                                                                                                                      101⤵
                                                                                                                                                                                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                      • Drops file in System32 directory
                                                                                                                                                                                                                      PID:5792
                                                                                                                                                                                                                      • C:\Windows\SysWOW64\Cnkplejl.exe
                                                                                                                                                                                                                        C:\Windows\system32\Cnkplejl.exe
                                                                                                                                                                                                                        102⤵
                                                                                                                                                                                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                        PID:5836
                                                                                                                                                                                                                        • C:\Windows\SysWOW64\Cmnpgb32.exe
                                                                                                                                                                                                                          C:\Windows\system32\Cmnpgb32.exe
                                                                                                                                                                                                                          103⤵
                                                                                                                                                                                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                          • Drops file in System32 directory
                                                                                                                                                                                                                          PID:5880
                                                                                                                                                                                                                          • C:\Windows\SysWOW64\Cajlhqjp.exe
                                                                                                                                                                                                                            C:\Windows\system32\Cajlhqjp.exe
                                                                                                                                                                                                                            104⤵
                                                                                                                                                                                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                            • Drops file in System32 directory
                                                                                                                                                                                                                            PID:5924
                                                                                                                                                                                                                            • C:\Windows\SysWOW64\Ceehho32.exe
                                                                                                                                                                                                                              C:\Windows\system32\Ceehho32.exe
                                                                                                                                                                                                                              105⤵
                                                                                                                                                                                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                              • Modifies registry class
                                                                                                                                                                                                                              PID:5964
                                                                                                                                                                                                                              • C:\Windows\SysWOW64\Chcddk32.exe
                                                                                                                                                                                                                                C:\Windows\system32\Chcddk32.exe
                                                                                                                                                                                                                                106⤵
                                                                                                                                                                                                                                • Drops file in System32 directory
                                                                                                                                                                                                                                • Modifies registry class
                                                                                                                                                                                                                                PID:6008
                                                                                                                                                                                                                                • C:\Windows\SysWOW64\Cjbpaf32.exe
                                                                                                                                                                                                                                  C:\Windows\system32\Cjbpaf32.exe
                                                                                                                                                                                                                                  107⤵
                                                                                                                                                                                                                                  • Drops file in System32 directory
                                                                                                                                                                                                                                  • Modifies registry class
                                                                                                                                                                                                                                  PID:6052
                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\Cnnlaehj.exe
                                                                                                                                                                                                                                    C:\Windows\system32\Cnnlaehj.exe
                                                                                                                                                                                                                                    108⤵
                                                                                                                                                                                                                                    • Drops file in System32 directory
                                                                                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                    PID:6096
                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\Cmqmma32.exe
                                                                                                                                                                                                                                      C:\Windows\system32\Cmqmma32.exe
                                                                                                                                                                                                                                      109⤵
                                                                                                                                                                                                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                      PID:6140
                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\Calhnpgn.exe
                                                                                                                                                                                                                                        C:\Windows\system32\Calhnpgn.exe
                                                                                                                                                                                                                                        110⤵
                                                                                                                                                                                                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                        • Modifies registry class
                                                                                                                                                                                                                                        PID:5164
                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\Ddjejl32.exe
                                                                                                                                                                                                                                          C:\Windows\system32\Ddjejl32.exe
                                                                                                                                                                                                                                          111⤵
                                                                                                                                                                                                                                            PID:5244
                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\Dfiafg32.exe
                                                                                                                                                                                                                                              C:\Windows\system32\Dfiafg32.exe
                                                                                                                                                                                                                                              112⤵
                                                                                                                                                                                                                                              • Modifies registry class
                                                                                                                                                                                                                                              PID:5288
                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\Djdmffnn.exe
                                                                                                                                                                                                                                                C:\Windows\system32\Djdmffnn.exe
                                                                                                                                                                                                                                                113⤵
                                                                                                                                                                                                                                                • Drops file in System32 directory
                                                                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                PID:5360
                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\Dmcibama.exe
                                                                                                                                                                                                                                                  C:\Windows\system32\Dmcibama.exe
                                                                                                                                                                                                                                                  114⤵
                                                                                                                                                                                                                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                                  • Drops file in System32 directory
                                                                                                                                                                                                                                                  • Modifies registry class
                                                                                                                                                                                                                                                  PID:5436
                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\Dejacond.exe
                                                                                                                                                                                                                                                    C:\Windows\system32\Dejacond.exe
                                                                                                                                                                                                                                                    115⤵
                                                                                                                                                                                                                                                      PID:5512
                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\Dfknkg32.exe
                                                                                                                                                                                                                                                        C:\Windows\system32\Dfknkg32.exe
                                                                                                                                                                                                                                                        116⤵
                                                                                                                                                                                                                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                        • Modifies registry class
                                                                                                                                                                                                                                                        PID:5580
                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\Delnin32.exe
                                                                                                                                                                                                                                                          C:\Windows\system32\Delnin32.exe
                                                                                                                                                                                                                                                          117⤵
                                                                                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                          • Modifies registry class
                                                                                                                                                                                                                                                          PID:5672
                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\Ddonekbl.exe
                                                                                                                                                                                                                                                            C:\Windows\system32\Ddonekbl.exe
                                                                                                                                                                                                                                                            118⤵
                                                                                                                                                                                                                                                            • Drops file in System32 directory
                                                                                                                                                                                                                                                            PID:5740
                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\Dfnjafap.exe
                                                                                                                                                                                                                                                              C:\Windows\system32\Dfnjafap.exe
                                                                                                                                                                                                                                                              119⤵
                                                                                                                                                                                                                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                                              • Drops file in System32 directory
                                                                                                                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                              • Modifies registry class
                                                                                                                                                                                                                                                              PID:5844
                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\Dodbbdbb.exe
                                                                                                                                                                                                                                                                C:\Windows\system32\Dodbbdbb.exe
                                                                                                                                                                                                                                                                120⤵
                                                                                                                                                                                                                                                                  PID:5908
                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\Daconoae.exe
                                                                                                                                                                                                                                                                    C:\Windows\system32\Daconoae.exe
                                                                                                                                                                                                                                                                    121⤵
                                                                                                                                                                                                                                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                    PID:5992
                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\Deokon32.exe
                                                                                                                                                                                                                                                                      C:\Windows\system32\Deokon32.exe
                                                                                                                                                                                                                                                                      122⤵
                                                                                                                                                                                                                                                                      • Drops file in System32 directory
                                                                                                                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                      PID:6088
                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\Dhmgki32.exe
                                                                                                                                                                                                                                                                        C:\Windows\system32\Dhmgki32.exe
                                                                                                                                                                                                                                                                        123⤵
                                                                                                                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                        PID:5160
                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\Dkkcge32.exe
                                                                                                                                                                                                                                                                          C:\Windows\system32\Dkkcge32.exe
                                                                                                                                                                                                                                                                          124⤵
                                                                                                                                                                                                                                                                            PID:5232
                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\Dogogcpo.exe
                                                                                                                                                                                                                                                                              C:\Windows\system32\Dogogcpo.exe
                                                                                                                                                                                                                                                                              125⤵
                                                                                                                                                                                                                                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                                                              PID:5412
                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\Daekdooc.exe
                                                                                                                                                                                                                                                                                C:\Windows\system32\Daekdooc.exe
                                                                                                                                                                                                                                                                                126⤵
                                                                                                                                                                                                                                                                                • Drops file in System32 directory
                                                                                                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                • Modifies registry class
                                                                                                                                                                                                                                                                                PID:5564
                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\Deagdn32.exe
                                                                                                                                                                                                                                                                                  C:\Windows\system32\Deagdn32.exe
                                                                                                                                                                                                                                                                                  127⤵
                                                                                                                                                                                                                                                                                  • Drops file in System32 directory
                                                                                                                                                                                                                                                                                  PID:5828
                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\Dhocqigp.exe
                                                                                                                                                                                                                                                                                    C:\Windows\system32\Dhocqigp.exe
                                                                                                                                                                                                                                                                                    128⤵
                                                                                                                                                                                                                                                                                    • Drops file in System32 directory
                                                                                                                                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                    • Modifies registry class
                                                                                                                                                                                                                                                                                    PID:6000
                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\Dgbdlf32.exe
                                                                                                                                                                                                                                                                                      C:\Windows\system32\Dgbdlf32.exe
                                                                                                                                                                                                                                                                                      129⤵
                                                                                                                                                                                                                                                                                      • Drops file in System32 directory
                                                                                                                                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                      PID:6132
                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\Dknpmdfc.exe
                                                                                                                                                                                                                                                                                        C:\Windows\system32\Dknpmdfc.exe
                                                                                                                                                                                                                                                                                        130⤵
                                                                                                                                                                                                                                                                                        • Drops file in System32 directory
                                                                                                                                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                        • Modifies registry class
                                                                                                                                                                                                                                                                                        PID:5280
                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\Dmllipeg.exe
                                                                                                                                                                                                                                                                                          C:\Windows\system32\Dmllipeg.exe
                                                                                                                                                                                                                                                                                          131⤵
                                                                                                                                                                                                                                                                                            PID:5476
                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                              C:\Windows\SysWOW64\WerFault.exe -u -p 5476 -s 408
                                                                                                                                                                                                                                                                                              132⤵
                                                                                                                                                                                                                                                                                              • Program crash
                                                                                                                                                                                                                                                                                              PID:6124
                      • C:\Windows\SysWOW64\WerFault.exe
                        C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 5476 -ip 5476
                        1⤵
                          PID:2620

                        Network

                              MITRE ATT&CK Enterprise v15

                              Downloads
