Analysis

  • max time kernel
    95s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
  • submitted
    09/11/2024, 12:22

General

  • Target

    62cc625197f4baa4a4814665062ef9bbd74d9bc1e89935f42ca04ee3a3a814d6N.exe

  • Size

    104KB

  • MD5

    e101433cceea8fa59d99de2360c3f710

  • SHA1

    6d76bc5cac0d2c1d528856cb13ffad840898f759

  • SHA256

    62cc625197f4baa4a4814665062ef9bbd74d9bc1e89935f42ca04ee3a3a814d6

  • SHA512

    1a67c1d07b82e9163ff6040ac8fbc139767159085ec4a90415fb93ed51a06b9a51b9030b7619a513f0b10419ea6a534aa50e59b2526d3e79ac84fac7caf1803c

  • SSDEEP

    3072:qM2v0FtTxBSJjx4ulUkdzFe5qx7cEGrhkngpDvchkqbAIQS:NZrS5x5O5qx4brq2Ahn

Malware Config

Extracted

Family

berbew

C2

http://viruslist.com/wcmd.txt

http://viruslist.com/ppslog.php

http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
  • Berbew

    Berbew is a backdoor written in C++.

  • Berbew family
  • Executes dropped EXE 64 IoCs
  • Drops file in System32 directory 64 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\62cc625197f4baa4a4814665062ef9bbd74d9bc1e89935f42ca04ee3a3a814d6N.exe
    "C:\Users\Admin\AppData\Local\Temp\62cc625197f4baa4a4814665062ef9bbd74d9bc1e89935f42ca04ee3a3a814d6N.exe"
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3748
    • C:\Windows\SysWOW64\Mplhql32.exe
      C:\Windows\system32\Mplhql32.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:5096
      • C:\Windows\SysWOW64\Mgfqmfde.exe
        C:\Windows\system32\Mgfqmfde.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:4828
        • C:\Windows\SysWOW64\Mmpijp32.exe
          C:\Windows\system32\Mmpijp32.exe
          4⤵
          • Adds autorun key to be loaded by Explorer.exe on startup
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:4856
          • C:\Windows\SysWOW64\Mpoefk32.exe
            C:\Windows\system32\Mpoefk32.exe
            5⤵
            • Adds autorun key to be loaded by Explorer.exe on startup
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:4788
            • C:\Windows\SysWOW64\Melnob32.exe
              C:\Windows\system32\Melnob32.exe
              6⤵
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              PID:2700
              • C:\Windows\SysWOW64\Mmbfpp32.exe
                C:\Windows\system32\Mmbfpp32.exe
                7⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:2476
                • C:\Windows\SysWOW64\Mdmnlj32.exe
                  C:\Windows\system32\Mdmnlj32.exe
                  8⤵
                  • Executes dropped EXE
                  • Suspicious use of WriteProcessMemory
                  PID:2736
                  • C:\Windows\SysWOW64\Menjdbgj.exe
                    C:\Windows\system32\Menjdbgj.exe
                    9⤵
                    • Adds autorun key to be loaded by Explorer.exe on startup
                    • Executes dropped EXE
                    • Drops file in System32 directory
                    • Suspicious use of WriteProcessMemory
                    PID:4848
                    • C:\Windows\SysWOW64\Mnebeogl.exe
                      C:\Windows\system32\Mnebeogl.exe
                      10⤵
                      • Adds autorun key to be loaded by Explorer.exe on startup
                      • Executes dropped EXE
                      • Drops file in System32 directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of WriteProcessMemory
                      PID:3640
                      • C:\Windows\SysWOW64\Ndokbi32.exe
                        C:\Windows\system32\Ndokbi32.exe
                        11⤵
                        • Executes dropped EXE
                        • Drops file in System32 directory
                        • System Location Discovery: System Language Discovery
                        • Modifies registry class
                        • Suspicious use of WriteProcessMemory
                        PID:1816
                        • C:\Windows\SysWOW64\Ngmgne32.exe
                          C:\Windows\system32\Ngmgne32.exe
                          12⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of WriteProcessMemory
                          PID:3016
                          • C:\Windows\SysWOW64\Nilcjp32.exe
                            C:\Windows\system32\Nilcjp32.exe
                            13⤵
                            • Adds autorun key to be loaded by Explorer.exe on startup
                            • Executes dropped EXE
                            • Drops file in System32 directory
                            • System Location Discovery: System Language Discovery
                            • Suspicious use of WriteProcessMemory
                            PID:452
                            • C:\Windows\SysWOW64\Nljofl32.exe
                              C:\Windows\system32\Nljofl32.exe
                              14⤵
                              • Adds autorun key to be loaded by Explorer.exe on startup
                              • Executes dropped EXE
                              • Suspicious use of WriteProcessMemory
                              PID:2024
                              • C:\Windows\SysWOW64\Ngpccdlj.exe
                                C:\Windows\system32\Ngpccdlj.exe
                                15⤵
                                • Adds autorun key to be loaded by Explorer.exe on startup
                                • Executes dropped EXE
                                • Drops file in System32 directory
                                • Suspicious use of WriteProcessMemory
                                PID:952
                                • C:\Windows\SysWOW64\Njnpppkn.exe
                                  C:\Windows\system32\Njnpppkn.exe
                                  16⤵
                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                  • Executes dropped EXE
                                  • Drops file in System32 directory
                                  • System Location Discovery: System Language Discovery
                                  • Suspicious use of WriteProcessMemory
                                  PID:3252
                                  • C:\Windows\SysWOW64\Nlmllkja.exe
                                    C:\Windows\system32\Nlmllkja.exe
                                    17⤵
                                    • Executes dropped EXE
                                    • System Location Discovery: System Language Discovery
                                    • Modifies registry class
                                    • Suspicious use of WriteProcessMemory
                                    PID:3932
                                    • C:\Windows\SysWOW64\Ngbpidjh.exe
                                      C:\Windows\system32\Ngbpidjh.exe
                                      18⤵
                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                      • Executes dropped EXE
                                      • Suspicious use of WriteProcessMemory
                                      PID:4892
                                      • C:\Windows\SysWOW64\Njqmepik.exe
                                        C:\Windows\system32\Njqmepik.exe
                                        19⤵
                                        • Executes dropped EXE
                                        • Suspicious use of WriteProcessMemory
                                        PID:1824
                                        • C:\Windows\SysWOW64\Nloiakho.exe
                                          C:\Windows\system32\Nloiakho.exe
                                          20⤵
                                          • Executes dropped EXE
                                          • Modifies registry class
                                          • Suspicious use of WriteProcessMemory
                                          PID:1760
                                          • C:\Windows\SysWOW64\Ncianepl.exe
                                            C:\Windows\system32\Ncianepl.exe
                                            21⤵
                                            • Executes dropped EXE
                                            • Drops file in System32 directory
                                            • System Location Discovery: System Language Discovery
                                            • Modifies registry class
                                            • Suspicious use of WriteProcessMemory
                                            PID:1600
                                            • C:\Windows\SysWOW64\Nnneknob.exe
                                              C:\Windows\system32\Nnneknob.exe
                                              22⤵
                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                              • Executes dropped EXE
                                              • System Location Discovery: System Language Discovery
                                              • Modifies registry class
                                              • Suspicious use of WriteProcessMemory
                                              PID:1644
                                              • C:\Windows\SysWOW64\Npmagine.exe
                                                C:\Windows\system32\Npmagine.exe
                                                23⤵
                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                • Executes dropped EXE
                                                • System Location Discovery: System Language Discovery
                                                PID:1116
                                                • C:\Windows\SysWOW64\Nggjdc32.exe
                                                  C:\Windows\system32\Nggjdc32.exe
                                                  24⤵
                                                  • Executes dropped EXE
                                                  • Drops file in System32 directory
                                                  • System Location Discovery: System Language Discovery
                                                  • Modifies registry class
                                                  PID:644
                                                  • C:\Windows\SysWOW64\Njefqo32.exe
                                                    C:\Windows\system32\Njefqo32.exe
                                                    25⤵
                                                    • Executes dropped EXE
                                                    • System Location Discovery: System Language Discovery
                                                    PID:3680
                                                    • C:\Windows\SysWOW64\Oponmilc.exe
                                                      C:\Windows\system32\Oponmilc.exe
                                                      26⤵
                                                      • Executes dropped EXE
                                                      • System Location Discovery: System Language Discovery
                                                      • Modifies registry class
                                                      PID:1940
                                                      • C:\Windows\SysWOW64\Opakbi32.exe
                                                        C:\Windows\system32\Opakbi32.exe
                                                        27⤵
                                                        • Executes dropped EXE
                                                        • System Location Discovery: System Language Discovery
                                                        • Modifies registry class
                                                        PID:2672
                                                        • C:\Windows\SysWOW64\Ocpgod32.exe
                                                          C:\Windows\system32\Ocpgod32.exe
                                                          28⤵
                                                          • Executes dropped EXE
                                                          PID:4380
                                                          • C:\Windows\SysWOW64\Oneklm32.exe
                                                            C:\Windows\system32\Oneklm32.exe
                                                            29⤵
                                                            • Executes dropped EXE
                                                            • System Location Discovery: System Language Discovery
                                                            • Modifies registry class
                                                            PID:1960
                                                            • C:\Windows\SysWOW64\Opdghh32.exe
                                                              C:\Windows\system32\Opdghh32.exe
                                                              30⤵
                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                              • Executes dropped EXE
                                                              • Drops file in System32 directory
                                                              • Modifies registry class
                                                              PID:4392
                                                              • C:\Windows\SysWOW64\Ognpebpj.exe
                                                                C:\Windows\system32\Ognpebpj.exe
                                                                31⤵
                                                                • Executes dropped EXE
                                                                • System Location Discovery: System Language Discovery
                                                                • Modifies registry class
                                                                PID:4540
                                                                • C:\Windows\SysWOW64\Onhhamgg.exe
                                                                  C:\Windows\system32\Onhhamgg.exe
                                                                  32⤵
                                                                  • Executes dropped EXE
                                                                  • Drops file in System32 directory
                                                                  • System Location Discovery: System Language Discovery
                                                                  • Modifies registry class
                                                                  PID:4184
                                                                  • C:\Windows\SysWOW64\Olkhmi32.exe
                                                                    C:\Windows\system32\Olkhmi32.exe
                                                                    33⤵
                                                                    • Executes dropped EXE
                                                                    • Modifies registry class
                                                                    PID:4296
                                                                    • C:\Windows\SysWOW64\Odapnf32.exe
                                                                      C:\Windows\system32\Odapnf32.exe
                                                                      34⤵
                                                                      • Executes dropped EXE
                                                                      PID:1168
                                                                      • C:\Windows\SysWOW64\Ofcmfodb.exe
                                                                        C:\Windows\system32\Ofcmfodb.exe
                                                                        35⤵
                                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                                        • Executes dropped EXE
                                                                        • Drops file in System32 directory
                                                                        PID:2120
                                                                        • C:\Windows\SysWOW64\Olmeci32.exe
                                                                          C:\Windows\system32\Olmeci32.exe
                                                                          36⤵
                                                                          • Executes dropped EXE
                                                                          • Drops file in System32 directory
                                                                          PID:2008
                                                                          • C:\Windows\SysWOW64\Oddmdf32.exe
                                                                            C:\Windows\system32\Oddmdf32.exe
                                                                            37⤵
                                                                            • Executes dropped EXE
                                                                            • Drops file in System32 directory
                                                                            • System Location Discovery: System Language Discovery
                                                                            PID:1812
                                                                            • C:\Windows\SysWOW64\Ogbipa32.exe
                                                                              C:\Windows\system32\Ogbipa32.exe
                                                                              38⤵
                                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                                              • Executes dropped EXE
                                                                              PID:4700
                                                                              • C:\Windows\SysWOW64\Ofeilobp.exe
                                                                                C:\Windows\system32\Ofeilobp.exe
                                                                                39⤵
                                                                                • Executes dropped EXE
                                                                                • Drops file in System32 directory
                                                                                • System Location Discovery: System Language Discovery
                                                                                PID:2128
                                                                                • C:\Windows\SysWOW64\Pmoahijl.exe
                                                                                  C:\Windows\system32\Pmoahijl.exe
                                                                                  40⤵
                                                                                  • Executes dropped EXE
                                                                                  • Drops file in System32 directory
                                                                                  • System Location Discovery: System Language Discovery
                                                                                  PID:2968
                                                                                  • C:\Windows\SysWOW64\Pqknig32.exe
                                                                                    C:\Windows\system32\Pqknig32.exe
                                                                                    41⤵
                                                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                    • Executes dropped EXE
                                                                                    PID:2564
                                                                                    • C:\Windows\SysWOW64\Pcijeb32.exe
                                                                                      C:\Windows\system32\Pcijeb32.exe
                                                                                      42⤵
                                                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                      • Executes dropped EXE
                                                                                      • System Location Discovery: System Language Discovery
                                                                                      • Modifies registry class
                                                                                      PID:1068
                                                                                      • C:\Windows\SysWOW64\Pjcbbmif.exe
                                                                                        C:\Windows\system32\Pjcbbmif.exe
                                                                                        43⤵
                                                                                        • Executes dropped EXE
                                                                                        PID:4588
                                                                                        • C:\Windows\SysWOW64\Pqmjog32.exe
                                                                                          C:\Windows\system32\Pqmjog32.exe
                                                                                          44⤵
                                                                                          • Executes dropped EXE
                                                                                          • Drops file in System32 directory
                                                                                          • Modifies registry class
                                                                                          PID:1848
                                                                                          • C:\Windows\SysWOW64\Pdifoehl.exe
                                                                                            C:\Windows\system32\Pdifoehl.exe
                                                                                            45⤵
                                                                                            • Executes dropped EXE
                                                                                            • Drops file in System32 directory
                                                                                            • System Location Discovery: System Language Discovery
                                                                                            • Modifies registry class
                                                                                            PID:3504
                                                                                            • C:\Windows\SysWOW64\Pggbkagp.exe
                                                                                              C:\Windows\system32\Pggbkagp.exe
                                                                                              46⤵
                                                                                              • Executes dropped EXE
                                                                                              PID:4948
                                                                                              • C:\Windows\SysWOW64\Pfjcgn32.exe
                                                                                                C:\Windows\system32\Pfjcgn32.exe
                                                                                                47⤵
                                                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                • Executes dropped EXE
                                                                                                PID:4496
                                                                                                • C:\Windows\SysWOW64\Pmdkch32.exe
                                                                                                  C:\Windows\system32\Pmdkch32.exe
                                                                                                  48⤵
                                                                                                  • Executes dropped EXE
                                                                                                  • Modifies registry class
                                                                                                  PID:4916
                                                                                                  • C:\Windows\SysWOW64\Pdkcde32.exe
                                                                                                    C:\Windows\system32\Pdkcde32.exe
                                                                                                    49⤵
                                                                                                    • Executes dropped EXE
                                                                                                    • Drops file in System32 directory
                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                    • Modifies registry class
                                                                                                    PID:4884
                                                                                                    • C:\Windows\SysWOW64\Pgioqq32.exe
                                                                                                      C:\Windows\system32\Pgioqq32.exe
                                                                                                      50⤵
                                                                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                      • Executes dropped EXE
                                                                                                      • Drops file in System32 directory
                                                                                                      • Modifies registry class
                                                                                                      PID:3208
                                                                                                      • C:\Windows\SysWOW64\Pflplnlg.exe
                                                                                                        C:\Windows\system32\Pflplnlg.exe
                                                                                                        51⤵
                                                                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                        • Executes dropped EXE
                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                        PID:1184
                                                                                                        • C:\Windows\SysWOW64\Pncgmkmj.exe
                                                                                                          C:\Windows\system32\Pncgmkmj.exe
                                                                                                          52⤵
                                                                                                          • Executes dropped EXE
                                                                                                          PID:4944
                                                                                                          • C:\Windows\SysWOW64\Pdmpje32.exe
                                                                                                            C:\Windows\system32\Pdmpje32.exe
                                                                                                            53⤵
                                                                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                            • Executes dropped EXE
                                                                                                            • Modifies registry class
                                                                                                            PID:1580
                                                                                                            • C:\Windows\SysWOW64\Pgllfp32.exe
                                                                                                              C:\Windows\system32\Pgllfp32.exe
                                                                                                              54⤵
                                                                                                              • Executes dropped EXE
                                                                                                              • Drops file in System32 directory
                                                                                                              PID:4844
                                                                                                              • C:\Windows\SysWOW64\Pfolbmje.exe
                                                                                                                C:\Windows\system32\Pfolbmje.exe
                                                                                                                55⤵
                                                                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                • Executes dropped EXE
                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                PID:2980
                                                                                                                • C:\Windows\SysWOW64\Pnfdcjkg.exe
                                                                                                                  C:\Windows\system32\Pnfdcjkg.exe
                                                                                                                  56⤵
                                                                                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                  • Executes dropped EXE
                                                                                                                  PID:4568
                                                                                                                  • C:\Windows\SysWOW64\Pdpmpdbd.exe
                                                                                                                    C:\Windows\system32\Pdpmpdbd.exe
                                                                                                                    57⤵
                                                                                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                    • Executes dropped EXE
                                                                                                                    • Drops file in System32 directory
                                                                                                                    PID:3724
                                                                                                                    • C:\Windows\SysWOW64\Pgnilpah.exe
                                                                                                                      C:\Windows\system32\Pgnilpah.exe
                                                                                                                      58⤵
                                                                                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                      • Executes dropped EXE
                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                      PID:4452
                                                                                                                      • C:\Windows\SysWOW64\Pjmehkqk.exe
                                                                                                                        C:\Windows\system32\Pjmehkqk.exe
                                                                                                                        59⤵
                                                                                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                        • Executes dropped EXE
                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                        PID:2484
                                                                                                                        • C:\Windows\SysWOW64\Qnhahj32.exe
                                                                                                                          C:\Windows\system32\Qnhahj32.exe
                                                                                                                          60⤵
                                                                                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                          • Executes dropped EXE
                                                                                                                          • Drops file in System32 directory
                                                                                                                          • Modifies registry class
                                                                                                                          PID:932
                                                                                                                          • C:\Windows\SysWOW64\Qgqeappe.exe
                                                                                                                            C:\Windows\system32\Qgqeappe.exe
                                                                                                                            61⤵
                                                                                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                            • Executes dropped EXE
                                                                                                                            • Modifies registry class
                                                                                                                            PID:1956
                                                                                                                            • C:\Windows\SysWOW64\Qjoankoi.exe
                                                                                                                              C:\Windows\system32\Qjoankoi.exe
                                                                                                                              62⤵
                                                                                                                              • Executes dropped EXE
                                                                                                                              • Drops file in System32 directory
                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                              PID:4636
                                                                                                                              • C:\Windows\SysWOW64\Qcgffqei.exe
                                                                                                                                C:\Windows\system32\Qcgffqei.exe
                                                                                                                                63⤵
                                                                                                                                • Executes dropped EXE
                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                • Modifies registry class
                                                                                                                                PID:3536
                                                                                                                                • C:\Windows\SysWOW64\Qgcbgo32.exe
                                                                                                                                  C:\Windows\system32\Qgcbgo32.exe
                                                                                                                                  64⤵
                                                                                                                                  • Executes dropped EXE
                                                                                                                                  • Drops file in System32 directory
                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                  • Modifies registry class
                                                                                                                                  PID:1012
                                                                                                                                  • C:\Windows\SysWOW64\Ajanck32.exe
                                                                                                                                    C:\Windows\system32\Ajanck32.exe
                                                                                                                                    65⤵
                                                                                                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                    • Executes dropped EXE
                                                                                                                                    • Drops file in System32 directory
                                                                                                                                    PID:1804
                                                                                                                                    • C:\Windows\SysWOW64\Ampkof32.exe
                                                                                                                                      C:\Windows\system32\Ampkof32.exe
                                                                                                                                      66⤵
                                                                                                                                      • Drops file in System32 directory
                                                                                                                                      PID:1616
                                                                                                                                      • C:\Windows\SysWOW64\Acjclpcf.exe
                                                                                                                                        C:\Windows\system32\Acjclpcf.exe
                                                                                                                                        67⤵
                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                        PID:3024
                                                                                                                                        • C:\Windows\SysWOW64\Ajckij32.exe
                                                                                                                                          C:\Windows\system32\Ajckij32.exe
                                                                                                                                          68⤵
                                                                                                                                            PID:1324
                                                                                                                                            • C:\Windows\SysWOW64\Aeiofcji.exe
                                                                                                                                              C:\Windows\system32\Aeiofcji.exe
                                                                                                                                              69⤵
                                                                                                                                                PID:2288
                                                                                                                                                • C:\Windows\SysWOW64\Afjlnk32.exe
                                                                                                                                                  C:\Windows\system32\Afjlnk32.exe
                                                                                                                                                  70⤵
                                                                                                                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                  • Drops file in System32 directory
                                                                                                                                                  • Modifies registry class
                                                                                                                                                  PID:2728
                                                                                                                                                  • C:\Windows\SysWOW64\Ajfhnjhq.exe
                                                                                                                                                    C:\Windows\system32\Ajfhnjhq.exe
                                                                                                                                                    71⤵
                                                                                                                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                    • Drops file in System32 directory
                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                    • Modifies registry class
                                                                                                                                                    PID:4112
                                                                                                                                                    • C:\Windows\SysWOW64\Amddjegd.exe
                                                                                                                                                      C:\Windows\system32\Amddjegd.exe
                                                                                                                                                      72⤵
                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                      PID:3020
                                                                                                                                                      • C:\Windows\SysWOW64\Acnlgp32.exe
                                                                                                                                                        C:\Windows\system32\Acnlgp32.exe
                                                                                                                                                        73⤵
                                                                                                                                                        • Modifies registry class
                                                                                                                                                        PID:1416
                                                                                                                                                        • C:\Windows\SysWOW64\Afmhck32.exe
                                                                                                                                                          C:\Windows\system32\Afmhck32.exe
                                                                                                                                                          74⤵
                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                          • Modifies registry class
                                                                                                                                                          PID:3684
                                                                                                                                                          • C:\Windows\SysWOW64\Andqdh32.exe
                                                                                                                                                            C:\Windows\system32\Andqdh32.exe
                                                                                                                                                            75⤵
                                                                                                                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                            • Drops file in System32 directory
                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                            PID:1552
                                                                                                                                                            • C:\Windows\SysWOW64\Aabmqd32.exe
                                                                                                                                                              C:\Windows\system32\Aabmqd32.exe
                                                                                                                                                              76⤵
                                                                                                                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                              PID:2716
                                                                                                                                                              • C:\Windows\SysWOW64\Acqimo32.exe
                                                                                                                                                                C:\Windows\system32\Acqimo32.exe
                                                                                                                                                                77⤵
                                                                                                                                                                  PID:4512
                                                                                                                                                                  • C:\Windows\SysWOW64\Anfmjhmd.exe
                                                                                                                                                                    C:\Windows\system32\Anfmjhmd.exe
                                                                                                                                                                    78⤵
                                                                                                                                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                    • Drops file in System32 directory
                                                                                                                                                                    PID:4148
                                                                                                                                                                    • C:\Windows\SysWOW64\Accfbokl.exe
                                                                                                                                                                      C:\Windows\system32\Accfbokl.exe
                                                                                                                                                                      79⤵
                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                      PID:3940
                                                                                                                                                                      • C:\Windows\SysWOW64\Bjmnoi32.exe
                                                                                                                                                                        C:\Windows\system32\Bjmnoi32.exe
                                                                                                                                                                        80⤵
                                                                                                                                                                        • Drops file in System32 directory
                                                                                                                                                                        PID:5076
                                                                                                                                                                        • C:\Windows\SysWOW64\Bmkjkd32.exe
                                                                                                                                                                          C:\Windows\system32\Bmkjkd32.exe
                                                                                                                                                                          81⤵
                                                                                                                                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                          • Drops file in System32 directory
                                                                                                                                                                          PID:1980
                                                                                                                                                                          • C:\Windows\SysWOW64\Bebblb32.exe
                                                                                                                                                                            C:\Windows\system32\Bebblb32.exe
                                                                                                                                                                            82⤵
                                                                                                                                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                            PID:2688
                                                                                                                                                                            • C:\Windows\SysWOW64\Bjokdipf.exe
                                                                                                                                                                              C:\Windows\system32\Bjokdipf.exe
                                                                                                                                                                              83⤵
                                                                                                                                                                                PID:2328
                                                                                                                                                                                • C:\Windows\SysWOW64\Bmngqdpj.exe
                                                                                                                                                                                  C:\Windows\system32\Bmngqdpj.exe
                                                                                                                                                                                  84⤵
                                                                                                                                                                                  • Drops file in System32 directory
                                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                                  • Modifies registry class
                                                                                                                                                                                  PID:4608
                                                                                                                                                                                  • C:\Windows\SysWOW64\Bchomn32.exe
                                                                                                                                                                                    C:\Windows\system32\Bchomn32.exe
                                                                                                                                                                                    85⤵
                                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                                    • Modifies registry class
                                                                                                                                                                                    PID:4672
                                                                                                                                                                                    • C:\Windows\SysWOW64\Bffkij32.exe
                                                                                                                                                                                      C:\Windows\system32\Bffkij32.exe
                                                                                                                                                                                      86⤵
                                                                                                                                                                                      • Drops file in System32 directory
                                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                                      PID:4928
                                                                                                                                                                                      • C:\Windows\SysWOW64\Bjagjhnc.exe
                                                                                                                                                                                        C:\Windows\system32\Bjagjhnc.exe
                                                                                                                                                                                        87⤵
                                                                                                                                                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                        PID:5128
                                                                                                                                                                                        • C:\Windows\SysWOW64\Bmpcfdmg.exe
                                                                                                                                                                                          C:\Windows\system32\Bmpcfdmg.exe
                                                                                                                                                                                          88⤵
                                                                                                                                                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                          PID:5176
                                                                                                                                                                                          • C:\Windows\SysWOW64\Beglgani.exe
                                                                                                                                                                                            C:\Windows\system32\Beglgani.exe
                                                                                                                                                                                            89⤵
                                                                                                                                                                                            • Drops file in System32 directory
                                                                                                                                                                                            PID:5220
                                                                                                                                                                                            • C:\Windows\SysWOW64\Bgehcmmm.exe
                                                                                                                                                                                              C:\Windows\system32\Bgehcmmm.exe
                                                                                                                                                                                              90⤵
                                                                                                                                                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                              • Drops file in System32 directory
                                                                                                                                                                                              PID:5264
                                                                                                                                                                                              • C:\Windows\SysWOW64\Bjddphlq.exe
                                                                                                                                                                                                C:\Windows\system32\Bjddphlq.exe
                                                                                                                                                                                                91⤵
                                                                                                                                                                                                  PID:5308
                                                                                                                                                                                                  • C:\Windows\SysWOW64\Beihma32.exe
                                                                                                                                                                                                    C:\Windows\system32\Beihma32.exe
                                                                                                                                                                                                    92⤵
                                                                                                                                                                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                    • Drops file in System32 directory
                                                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                                                    PID:5352
                                                                                                                                                                                                    • C:\Windows\SysWOW64\Bfkedibe.exe
                                                                                                                                                                                                      C:\Windows\system32\Bfkedibe.exe
                                                                                                                                                                                                      93⤵
                                                                                                                                                                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                      • Drops file in System32 directory
                                                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                                                      PID:5396
                                                                                                                                                                                                      • C:\Windows\SysWOW64\Bjfaeh32.exe
                                                                                                                                                                                                        C:\Windows\system32\Bjfaeh32.exe
                                                                                                                                                                                                        94⤵
                                                                                                                                                                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                        • Modifies registry class
                                                                                                                                                                                                        PID:5440
                                                                                                                                                                                                        • C:\Windows\SysWOW64\Bapiabak.exe
                                                                                                                                                                                                          C:\Windows\system32\Bapiabak.exe
                                                                                                                                                                                                          95⤵
                                                                                                                                                                                                          • Drops file in System32 directory
                                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                                          PID:5484
                                                                                                                                                                                                          • C:\Windows\SysWOW64\Belebq32.exe
                                                                                                                                                                                                            C:\Windows\system32\Belebq32.exe
                                                                                                                                                                                                            96⤵
                                                                                                                                                                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                                                            PID:5528
                                                                                                                                                                                                            • C:\Windows\SysWOW64\Cfmajipb.exe
                                                                                                                                                                                                              C:\Windows\system32\Cfmajipb.exe
                                                                                                                                                                                                              97⤵
                                                                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                                                                              PID:5576
                                                                                                                                                                                                              • C:\Windows\SysWOW64\Cabfga32.exe
                                                                                                                                                                                                                C:\Windows\system32\Cabfga32.exe
                                                                                                                                                                                                                98⤵
                                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                • Modifies registry class
                                                                                                                                                                                                                PID:5620
                                                                                                                                                                                                                • C:\Windows\SysWOW64\Cdabcm32.exe
                                                                                                                                                                                                                  C:\Windows\system32\Cdabcm32.exe
                                                                                                                                                                                                                  99⤵
                                                                                                                                                                                                                  • Modifies registry class
                                                                                                                                                                                                                  PID:5660
                                                                                                                                                                                                                  • C:\Windows\SysWOW64\Chmndlge.exe
                                                                                                                                                                                                                    C:\Windows\system32\Chmndlge.exe
                                                                                                                                                                                                                    100⤵
                                                                                                                                                                                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                    • Modifies registry class
                                                                                                                                                                                                                    PID:5708
                                                                                                                                                                                                                    • C:\Windows\SysWOW64\Cfpnph32.exe
                                                                                                                                                                                                                      C:\Windows\system32\Cfpnph32.exe
                                                                                                                                                                                                                      101⤵
                                                                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                      PID:5752
                                                                                                                                                                                                                      • C:\Windows\SysWOW64\Cjkjpgfi.exe
                                                                                                                                                                                                                        C:\Windows\system32\Cjkjpgfi.exe
                                                                                                                                                                                                                        102⤵
                                                                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                        • Modifies registry class
                                                                                                                                                                                                                        PID:5796
                                                                                                                                                                                                                        • C:\Windows\SysWOW64\Ceqnmpfo.exe
                                                                                                                                                                                                                          C:\Windows\system32\Ceqnmpfo.exe
                                                                                                                                                                                                                          103⤵
                                                                                                                                                                                                                          • Drops file in System32 directory
                                                                                                                                                                                                                          PID:5848
                                                                                                                                                                                                                          • C:\Windows\SysWOW64\Cdcoim32.exe
                                                                                                                                                                                                                            C:\Windows\system32\Cdcoim32.exe
                                                                                                                                                                                                                            104⤵
                                                                                                                                                                                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                            PID:5900
                                                                                                                                                                                                                            • C:\Windows\SysWOW64\Cfbkeh32.exe
                                                                                                                                                                                                                              C:\Windows\system32\Cfbkeh32.exe
                                                                                                                                                                                                                              105⤵
                                                                                                                                                                                                                              • Drops file in System32 directory
                                                                                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                              PID:5944
                                                                                                                                                                                                                              • C:\Windows\SysWOW64\Cnicfe32.exe
                                                                                                                                                                                                                                C:\Windows\system32\Cnicfe32.exe
                                                                                                                                                                                                                                106⤵
                                                                                                                                                                                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                • Drops file in System32 directory
                                                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                PID:6004
                                                                                                                                                                                                                                • C:\Windows\SysWOW64\Cagobalc.exe
                                                                                                                                                                                                                                  C:\Windows\system32\Cagobalc.exe
                                                                                                                                                                                                                                  107⤵
                                                                                                                                                                                                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                  PID:6060
                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\Ceckcp32.exe
                                                                                                                                                                                                                                    C:\Windows\system32\Ceckcp32.exe
                                                                                                                                                                                                                                    108⤵
                                                                                                                                                                                                                                    • Drops file in System32 directory
                                                                                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                    PID:6128
                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\Chagok32.exe
                                                                                                                                                                                                                                      C:\Windows\system32\Chagok32.exe
                                                                                                                                                                                                                                      109⤵
                                                                                                                                                                                                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                      • Drops file in System32 directory
                                                                                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                      • Modifies registry class
                                                                                                                                                                                                                                      PID:5160
                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\Cfdhkhjj.exe
                                                                                                                                                                                                                                        C:\Windows\system32\Cfdhkhjj.exe
                                                                                                                                                                                                                                        110⤵
                                                                                                                                                                                                                                        • Drops file in System32 directory
                                                                                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                        • Modifies registry class
                                                                                                                                                                                                                                        PID:5156
                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\Cjpckf32.exe
                                                                                                                                                                                                                                          C:\Windows\system32\Cjpckf32.exe
                                                                                                                                                                                                                                          111⤵
                                                                                                                                                                                                                                          • Drops file in System32 directory
                                                                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                          • Modifies registry class
                                                                                                                                                                                                                                          PID:5348
                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\Cajlhqjp.exe
                                                                                                                                                                                                                                            C:\Windows\system32\Cajlhqjp.exe
                                                                                                                                                                                                                                            112⤵
                                                                                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                            • Modifies registry class
                                                                                                                                                                                                                                            PID:5452
                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\Ceehho32.exe
                                                                                                                                                                                                                                              C:\Windows\system32\Ceehho32.exe
                                                                                                                                                                                                                                              113⤵
                                                                                                                                                                                                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                              • Drops file in System32 directory
                                                                                                                                                                                                                                              • Modifies registry class
                                                                                                                                                                                                                                              PID:5512
                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\Cdhhdlid.exe
                                                                                                                                                                                                                                                C:\Windows\system32\Cdhhdlid.exe
                                                                                                                                                                                                                                                114⤵
                                                                                                                                                                                                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                PID:5572
                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\Cffdpghg.exe
                                                                                                                                                                                                                                                  C:\Windows\system32\Cffdpghg.exe
                                                                                                                                                                                                                                                  115⤵
                                                                                                                                                                                                                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                                  PID:5640
                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\Cjbpaf32.exe
                                                                                                                                                                                                                                                    C:\Windows\system32\Cjbpaf32.exe
                                                                                                                                                                                                                                                    116⤵
                                                                                                                                                                                                                                                    • Modifies registry class
                                                                                                                                                                                                                                                    PID:5728
                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\Cmqmma32.exe
                                                                                                                                                                                                                                                      C:\Windows\system32\Cmqmma32.exe
                                                                                                                                                                                                                                                      117⤵
                                                                                                                                                                                                                                                        PID:5772
                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\Calhnpgn.exe
                                                                                                                                                                                                                                                          C:\Windows\system32\Calhnpgn.exe
                                                                                                                                                                                                                                                          118⤵
                                                                                                                                                                                                                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                                          • Modifies registry class
                                                                                                                                                                                                                                                          PID:5888
                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\Ddjejl32.exe
                                                                                                                                                                                                                                                            C:\Windows\system32\Ddjejl32.exe
                                                                                                                                                                                                                                                            119⤵
                                                                                                                                                                                                                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                                            PID:5956
                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\Dhfajjoj.exe
                                                                                                                                                                                                                                                              C:\Windows\system32\Dhfajjoj.exe
                                                                                                                                                                                                                                                              120⤵
                                                                                                                                                                                                                                                              • Drops file in System32 directory
                                                                                                                                                                                                                                                              PID:6072
                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\Dfiafg32.exe
                                                                                                                                                                                                                                                                C:\Windows\system32\Dfiafg32.exe
                                                                                                                                                                                                                                                                121⤵
                                                                                                                                                                                                                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                                                • Drops file in System32 directory
                                                                                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                PID:4708
                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\Dopigd32.exe
                                                                                                                                                                                                                                                                  C:\Windows\system32\Dopigd32.exe
                                                                                                                                                                                                                                                                  122⤵
                                                                                                                                                                                                                                                                  • Drops file in System32 directory
                                                                                                                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                  PID:5184
                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\Danecp32.exe
                                                                                                                                                                                                                                                                    C:\Windows\system32\Danecp32.exe
                                                                                                                                                                                                                                                                    123⤵
                                                                                                                                                                                                                                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                                                    • Drops file in System32 directory
                                                                                                                                                                                                                                                                    • Modifies registry class
                                                                                                                                                                                                                                                                    PID:5424
                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\Dhhnpjmh.exe
                                                                                                                                                                                                                                                                      C:\Windows\system32\Dhhnpjmh.exe
                                                                                                                                                                                                                                                                      124⤵
                                                                                                                                                                                                                                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                                                      • Drops file in System32 directory
                                                                                                                                                                                                                                                                      PID:5548
                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\Djgjlelk.exe
                                                                                                                                                                                                                                                                        C:\Windows\system32\Djgjlelk.exe
                                                                                                                                                                                                                                                                        125⤵
                                                                                                                                                                                                                                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                                                        • Modifies registry class
                                                                                                                                                                                                                                                                        PID:5676
                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\Dobfld32.exe
                                                                                                                                                                                                                                                                          C:\Windows\system32\Dobfld32.exe
                                                                                                                                                                                                                                                                          126⤵
                                                                                                                                                                                                                                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                          • Modifies registry class
                                                                                                                                                                                                                                                                          PID:5780
                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\Daqbip32.exe
                                                                                                                                                                                                                                                                            C:\Windows\system32\Daqbip32.exe
                                                                                                                                                                                                                                                                            127⤵
                                                                                                                                                                                                                                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                            • Modifies registry class
                                                                                                                                                                                                                                                                            PID:5916
                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\Dfnjafap.exe
                                                                                                                                                                                                                                                                              C:\Windows\system32\Dfnjafap.exe
                                                                                                                                                                                                                                                                              128⤵
                                                                                                                                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                              • Modifies registry class
                                                                                                                                                                                                                                                                              PID:6040
                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\Daconoae.exe
                                                                                                                                                                                                                                                                                C:\Windows\system32\Daconoae.exe
                                                                                                                                                                                                                                                                                129⤵
                                                                                                                                                                                                                                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                                                                • Drops file in System32 directory
                                                                                                                                                                                                                                                                                PID:5204
                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\Dfpgffpm.exe
                                                                                                                                                                                                                                                                                  C:\Windows\system32\Dfpgffpm.exe
                                                                                                                                                                                                                                                                                  130⤵
                                                                                                                                                                                                                                                                                    PID:5472
                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\Dmjocp32.exe
                                                                                                                                                                                                                                                                                      C:\Windows\system32\Dmjocp32.exe
                                                                                                                                                                                                                                                                                      131⤵
                                                                                                                                                                                                                                                                                      • Drops file in System32 directory
                                                                                                                                                                                                                                                                                      PID:5648
                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\Dddhpjof.exe
                                                                                                                                                                                                                                                                                        C:\Windows\system32\Dddhpjof.exe
                                                                                                                                                                                                                                                                                        132⤵
                                                                                                                                                                                                                                                                                        • Drops file in System32 directory
                                                                                                                                                                                                                                                                                        • Modifies registry class
                                                                                                                                                                                                                                                                                        PID:5864
                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\Dmllipeg.exe
                                                                                                                                                                                                                                                                                          C:\Windows\system32\Dmllipeg.exe
                                                                                                                                                                                                                                                                                          133⤵
                                                                                                                                                                                                                                                                                            PID:6048
                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                              C:\Windows\SysWOW64\WerFault.exe -u -p 6048 -s 408
                                                                                                                                                                                                                                                                                              134⤵
                                                                                                                                                                                                                                                                                              • Program crash
                                                                                                                                                                                                                                                                                              PID:5704
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 6048 -ip 6048
                    1⤵
                      PID:5592

                    Network

                    MITRE ATT&CK Enterprise v15

                    Downloads

                    • C:\Windows\SysWOW64\Bebblb32.exe

                      Filesize

                      104KB

                      MD5

                      e7ff6d1c3f4490260b60d2f61bd83e3c

                      SHA1

                      02cbbb294a402b865cc241f6548433155a146289

                      SHA256

                      e1e151e4f3b721cc99078aa3aa113efebfd51b73df792b36b7ceb4cf279b30e1

                      SHA512

                      1263ab0db3708716a85164cc2e6936bb37e7a0fa0a945524fe77b36d8e4740e5c5ba68f73c86a00bd12a74f5ff4e18b403c5ae198b90b6f2abba2a96d585a06f

                    • C:\Windows\SysWOW64\Cabfga32.exe

                      Filesize

                      104KB

                      MD5

                      9f80e74f48650628922fef964852bd3c

                      SHA1

                      06e7a1ec52b5b6e6f0d5e963007e31ea667c7a67

                      SHA256

                      333372b07883266e5610b885b5b36ac087e720fcfa5dc993bdc66ff3ee420fb9

                      SHA512

                      66397c71f2f4b9b8ffa25bb2d0bfd202a3bb51d71781dfdb60bc24957b8a5a80955ad788aefe6773a64f7a9ab24ad12ef274ff7fdfc5d3d91c5e6d92dc4563a6

                    • C:\Windows\SysWOW64\Calhnpgn.exe

                      Filesize

                      104KB

                      MD5

                      f0f79774833faa643457f8cc8ed6dcd1

                      SHA1

                      1047ca7eb2fd8d9592c94704b59724d2d1990ccc

                      SHA256

                      343ace6d4e1d20a0186e25bfbacf3799330febf6330a2999302db01871bac9dc

                      SHA512

                      e927d9589badf17e2187f4630653e8a677fe4dda3d22479f331399268e28e72d3394e3e4b8f78bd26120a3b77466b468463a8b15b7f8507a55f16c0e0d1fab35

                    • C:\Windows\SysWOW64\Eghpcp32.dll

                      Filesize

                      7KB

                      MD5

                      2a912c2205e39e0a4c19d3ae48f4ff27

                      SHA1

                      8fdda70169a2f8e6416ea42bf854dea2d8fb349a

                      SHA256

                      69177d14fd618edfaf8114ae819c3013bb0c217f87ea801dc05fca744783dc93

                      SHA512

                      1016c0bc48b82eff12e12bd6e8c5b742c826a03143349b6cfb4700b2d39b8ca76b102d61adc648a1c1c9c01ab4103c28da249e0e56fa8779aeaab944fdd5e77e

                    • C:\Windows\SysWOW64\Mdmnlj32.exe

                      Filesize

                      104KB

                      MD5

                      ab1bc6b981613d18633335df30ea89b8

                      SHA1

                      1788e7035643b138d82611fbab39231bd21672de

                      SHA256

                      6d85c37ba307b1f1ab42f918c08b19420c1f179f1dfa752c97592804bdcad220

                      SHA512

                      d378aae7f8ea4190426a25dedceeb78a37bbe323b861362ebe15e9192c5d32afad40722030bc01221190a80cfb870bd4836d1f553a37d559aac87eb7943892dc

                    • C:\Windows\SysWOW64\Melnob32.exe

                      Filesize

                      104KB

                      MD5

                      99494b6097e7a0589fbd28a062a6d651

                      SHA1

                      eb4d40bd5b41a1e99de73a6d122c5d7040ffb989

                      SHA256

                      b4642841d0424558997df1203fc69d14b5e62d9ad5b5276f0ab75c50348ebfec

                      SHA512

                      4b268fb866298cbd623fc14c1b2be0c47f077df4f84ff40cfb7b82c87c661f349643bd4d80a0cd10e848084a42b359f29782ba1f692f9e9a66ef9a658a843d56

                    • C:\Windows\SysWOW64\Menjdbgj.exe

                      Filesize

                      104KB

                      MD5

                      35dac06ccfd81ffdb80b5217f634f0ba

                      SHA1

                      8e2bfd2ebcb1bffcb5c3da8744ebcba75a00ddc0

                      SHA256

                      8f61399c05158a640c1c925a51af8f9dafdfa7d03b4a93b19a0d0f4840c95557

                      SHA512

                      45559db151ec06c1ac580f16c1081fad2ab89ba3f8de80b24ebe31b0490e2b0974a16a8a6b26f2fb4059ee83ff5828d01a2100915ff0fa012d5a19d1bb5b2c99

                    • C:\Windows\SysWOW64\Mgfqmfde.exe

                      Filesize

                      104KB

                      MD5

                      080b50fa5505affdb9ed55a48046e457

                      SHA1

                      cd251a8c62a40dff544bca5d445b522aca1c8873

                      SHA256

                      302d827398a6db3bdff6f3d1371da2fa623cc670f43bad676fe6868d7a7f0242

                      SHA512

                      7107957b9fe358a365bd2bac876d6bc52466484ace5a70f45b82366b1d14e5f4238730d7ad5f9b007e69c4b694721eb6dd8c61c16455cae7384ebeb2c2fac795

                    • C:\Windows\SysWOW64\Mmbfpp32.exe

                      Filesize

                      104KB

                      MD5

                      f31a471cbab92d9588529135f8b91b8d

                      SHA1

                      b614f733bab5d3c88409c3fabdd4777b79d9bfe4

                      SHA256

                      e6f0df28637160651db65923ff0f08370eec586dc304a3038f501324c3d81e03

                      SHA512

                      0574b536faefff42345b6830bb7308c808f65e67a7ead029dfd58565940ca5290da18a4de66ae78b2dd712e9482b600b1fe22507c6a693a4b9d799447838e82f

                    • C:\Windows\SysWOW64\Mmpijp32.exe

                      Filesize

                      104KB

                      MD5

                      8467eb61c9e7298d03405b7bc417f51c

                      SHA1

                      1d3ba453ce484300273620c49bb5b305851a165e

                      SHA256

                      ad49a5ca155177bdb099bfe5121bddfedccb011287e6e1ed8f259bb2f05a8289

                      SHA512

                      f31d82b7b682bfb832accf18b2e6fdd38a0f10f18f561596ee025109961a74ea2af32f62ed7e9a2b66418afce732b4575112e892ef7d0dfc7c54fc262fe7a228

                    • C:\Windows\SysWOW64\Mnebeogl.exe

                      Filesize

                      104KB

                      MD5

                      60b6c6736d3c5e2e137ddb93a4fe96b0

                      SHA1

                      9f55f0ca8583d6307911196eb1704cb4eda40942

                      SHA256

                      185f79357748f41ccde586b9c7f8302d55f3b7bf12917a928d1ec2d8219df3b2

                      SHA512

                      bfed86371efe5c7ef83c6e4c78c36710c36ae628d074bf9285754008be7e9ff1e64eca259950700f6896c090ba45ec2bc0b7c0452ca195219f76c35660e608c7

                    • C:\Windows\SysWOW64\Mplhql32.exe

                      Filesize

                      104KB

                      MD5

                      c0e71f77c7832df5e2ca0485e6036c36

                      SHA1

                      993120c315e10a30d4383ad037b59d5a1b887abd

                      SHA256

                      d3ecf3dfc3d2b38a6627696c40cefdd1aef7c81f0cc3c18c3b23e1b9bdc5721f

                      SHA512

                      826562d9c539b95f4250b3d2c6c4655542f14930bdbf138418918297f9843543a78dd93e63e8778368263979a6ddb3dddbd6367431da88de1f938cb6d3d94aec

                    • C:\Windows\SysWOW64\Mpoefk32.exe

                      Filesize

                      104KB

                      MD5

                      ecec8746bec7abf97633bc3f97a7d129

                      SHA1

                      99ef8c596daae4bdbd16d6e76b08c4b45b8bcb3a

                      SHA256

                      a4016967baac8e3501ed95564d212a0b86612dd70a036712b0aadb24653d5b00

                      SHA512

                      4a866ccf2df53f5b6db2941e3a649a147ef55064671f0fe667aede88680171c6b13a7efbd3788d26cc4e6fbec73d73500bc548b5de9ea62ac0d78f14c35f04f1

                    • C:\Windows\SysWOW64\Ncianepl.exe

                      Filesize

                      104KB

                      MD5

                      65adc481a2f8e1ca062a315f94485c73

                      SHA1

                      fe695fb9f4d69ef9d862dd91b0e807827336185b

                      SHA256

                      c900e4a9d480d22e0ea5c57ae68991e214a574f55d7e0e71c7a7867aa07c1b2e

                      SHA512

                      228353914e09988075811fbf8b40bff7f4f4d8e87225b08ff8a9c3329668768a9f811638a99bc76b93dcdf7900796e4e27944437f455b9a02ac4c444bf989921

                    • C:\Windows\SysWOW64\Ndokbi32.exe

                      Filesize

                      104KB

                      MD5

                      8d5b365056a95e00a93b6ddb3ecdb32a

                      SHA1

                      06a9eacf11a5aafd91e4b0d6d292ba13645bff11

                      SHA256

                      d7b2e17f04f1f07bde4f63456d5d584da1c9363a1eee14b465ce75b54c9990f6

                      SHA512

                      8b512539840b9ca6e0cc3bbfbd6693a82a0e7bcd7d8e68f3f4af5da28e718644b1b86e31ed39a4dc549fe8f2361c9c70331389997ba869d84d7612afb5f435d3

                    • C:\Windows\SysWOW64\Ngbpidjh.exe

                      Filesize

                      104KB

                      MD5

                      a0eb8e2037d67f78a3261a9868588398

                      SHA1

                      0dad8f6fb5d1cc7612bcbc38d5cb62815431d7b6

                      SHA256

                      b5aec734bc358aab17a7b5adf3a75587e6576004305df07810a74b0e7be2ac45

                      SHA512

                      bacf88251d5b6451b0401107d309c540b2f0d4c56d553d973f73c079936bfa3cc3cf54eda199443a165b8be99ea28ade9b843036de80a5eb77dbeed0cff7c30f

                    • C:\Windows\SysWOW64\Nggjdc32.exe

                      Filesize

                      104KB

                      MD5

                      2d18804364cfdd409d3d1e0a13eca9fa

                      SHA1

                      9f733e02c3c380cf797ba025e10a36e77856e69f

                      SHA256

                      f089460ee66b746b0dbc4c9fa27a0b911a81195e5ffc3ff28f1838d3b2c34dd2

                      SHA512

                      af5d8da01d474072a53f095fab3f1501c1b3acaf34a62a763e7edd69916474fbf8231e0936a41e0f442abff3fdcd8a5fad7d4ad2d67c47b6f36e64cc87125848

                    • C:\Windows\SysWOW64\Ngmgne32.exe

                      Filesize

                      104KB

                      MD5

                      907dcf2509de336addcee3d45a9c9bb5

                      SHA1

                      c67888ba109aeb9455082f38d12a49d4e8aa60df

                      SHA256

                      33ee27a5d4f86296b462617945fe379bc32a2270264e884c475e704cac709b9a

                      SHA512

                      9cc037d0ea7748d2b1a4ece7944e9d395e60263d69a269ca6bfcc44af22434da39eeb45246dceb5ba33cf25a3e6b1638c86afba024c376b9a1e9aed496aee506

                    • C:\Windows\SysWOW64\Ngpccdlj.exe

                      Filesize

                      104KB

                      MD5

                      be06d10b087fb77c79e5544fdc014287

                      SHA1

                      3506e8e74cdef73a584b900b829967840b66880c

                      SHA256

                      315254f5237e72f29f3bec74d6a25a2b82a0d15e0dde93abb08b56eab5eb5359

                      SHA512

                      1c56a3e958af70e4d941549f43d1c4248396046d56dfd6ed5b0496240c791df842b977ae4f03e138e983f30d61b88a87b1302ced56129a9c528338ec95252e0a

                    • C:\Windows\SysWOW64\Nilcjp32.exe

                      Filesize

                      104KB

                      MD5

                      bfe5137929102f6ee2a1e1092a4433be

                      SHA1

                      8df4e7e01bdcf118302e55ff9596b4002e3e207f

                      SHA256

                      b18a065aee2292553bc821ba676cd185a4a009e20d4aaee4fb00e5c5a150a04a

                      SHA512

                      40cb94d83063656090247baa9ddd29480ea6b7c645c31fac3a3f45ef3540d16c2fdba5cbd2931488631ffd65e02b531c526f7d44ee410dd90a16e8ad956b032b

                    • C:\Windows\SysWOW64\Njefqo32.exe

                      Filesize

                      104KB

                      MD5

                      fa4fce1949f9993a3fe922739533ae75

                      SHA1

                      0078062d58a4fc54333018a7c75b54dd670348b4

                      SHA256

                      1ddfff26d2da663206a1dd72d97bcfad9693d76b9b635089d3d5e6fa17fd3137

                      SHA512

                      dc05efb0acc9bd721096c6d554509244195c47d55c90d2823575e75e70e68bb0da8256650da0e715b7c220473911d4d595acb2cd1a4d5ce58912f93e3339e0f9

                    • C:\Windows\SysWOW64\Njnpppkn.exe

                      Filesize

                      104KB

                      MD5

                      9bdcf287796ad3c281d0daf9e4ac9417

                      SHA1

                      0a2817303fd11e05cdee7a5fafeff999cb8fc50b

                      SHA256

                      21b1c147072f313b6329b7b7631f6e6b705bb14018833ca8033bcc498c2eb0b0

                      SHA512

                      e1e6713a9eaf4d99a76f36ff6f73c07b9d4cbff205f1324e09d73ff50b671e58f32cc35a327742cbbf9bb46665a40ddd69192d9ae479179ba4934cc45af1d413

                    • C:\Windows\SysWOW64\Njqmepik.exe

                      Filesize

                      104KB

                      MD5

                      4a4c22d4105149eb641c49b7acd6ce44

                      SHA1

                      a95507e28b7ba91a543e0a97b32f14a3a71c09d3

                      SHA256

                      a9c8a0af7b560f1d80b183ae1ddd53299946a245abf7a373581ccafe6b30f65c

                      SHA512

                      8fac6febb04b0fe6f3cef813241594b322c708c4755516ee1e8f93e3f08120e9c6638d2032b778ae891782ed42d05cddfe1c7ac8491e46f035baebe1e834ac34

                    • C:\Windows\SysWOW64\Nljofl32.exe

                      Filesize

                      104KB

                      MD5

                      b475a55f65d7d257ec5be4423e4ea161

                      SHA1

                      531d275ee545fea1031ebc08d2bef485667ed15a

                      SHA256

                      cfedd5be35deb4adeb0472acc2bf57a85724ff6e668ee62a1ab8ae6e64bb676a

                      SHA512

                      7d038fa856915c5232c3d0c30ab844d21c223bb0556e98099d8224188ec8d73328eeddca0d03d764d97197d0d00c5271d1f0c6a77edd4f5eaeb55dc931a3fad5

                    • C:\Windows\SysWOW64\Nlmllkja.exe

                      Filesize

                      104KB

                      MD5

                      e1ee3a969923fa8eb050b225c18c7cb2

                      SHA1

                      5881d72bbfe8edcb561ac56cd350a3c5836ef217

                      SHA256

                      1d282f995c3808e8185c575fcd4cf8ee3f581294f3e517fccb79aa0fbe03abbc

                      SHA512

                      3228fe3ada1ce84d6045ac09e3caea42dbc0c563716d704c87b4bd1bcba9a81df824d34975dfc8db2ccc8144adbffb568a9022ecf13e449d823e80c61e90ae73

                    • C:\Windows\SysWOW64\Nloiakho.exe

                      Filesize

                      104KB

                      MD5

                      38c59344a3a67811ffef3978a8cda418

                      SHA1

                      8e5ecaceec790779056dafa2f8105cf1ed2cbba2

                      SHA256

                      b238786010fc90fa057d07bbc65b02d1c95091e1281b08f6206af5cdd59c4ba2

                      SHA512

                      dd74d382e33da461e537654185e9e0079b30b09382d9cdf507037b2dedcb7fd56a5bd4d12504faac32774628fd41a7180b2a3ce422125cf45ef07d3e033d4b79

                    • C:\Windows\SysWOW64\Nnneknob.exe

                      Filesize

                      104KB

                      MD5

                      2ca5cd944017815c8213e838bbf17c14

                      SHA1

                      8810d186776c77385dbaf9c39f16231eb8049155

                      SHA256

                      b314708d97e29f1c423afdc3c60b5a0de47a4acc4d5045cc8c548bfc759ded05

                      SHA512

                      b9f0af9a3413709bea08d5b47fec805be6e64ea9c815517dc8b0cc9fd037d77d7548fb737599ab547d3dbd69f5b9aade1f2db4ebd07a2b3bed894c7a54737876

                    • C:\Windows\SysWOW64\Npmagine.exe

                      Filesize

                      104KB

                      MD5

                      3695a4400fa3ba86e52d6cf8c43bd01f

                      SHA1

                      7483577bb58767568863941401b08a3ea14c7584

                      SHA256

                      50560c865547bfb8df1abfbbffdc33b741729de0909b5942951d1d463baa6647

                      SHA512

                      85d237d6f868c7a9874045cf6e02a3825630fa359b8d6b7826afc128d39e18afe0c8ca158a240e5eb3dce8934ed20d017b180b4c9fab29f43220f82b6f38c05b

                    • C:\Windows\SysWOW64\Ocpgod32.exe

                      Filesize

                      104KB

                      MD5

                      a60a2fc58f0dc096b304327acc1a97cd

                      SHA1

                      dec6dd18d8684f694b0034e2655bd2ea17e62128

                      SHA256

                      6d32c6e9e68880dd6fb9f624e3502ff3b4eb69620bdbd323ce95657537c3ed53

                      SHA512

                      9aa305a33aa3e14b5c6702524ead42056e4d54e0c86e2df47e86bfa361cd448ca32280df720ae7843558db47605223134a2ed5a82ac19dda9d45a9239c0345ad

                    • C:\Windows\SysWOW64\Ognpebpj.exe

                      Filesize

                      104KB

                      MD5

                      7f168dc82e99fa560c1d627b690fa29e

                      SHA1

                      92be21a847c12f879df6d967ed9b11cadd86a538

                      SHA256

                      627815d386bac69325c87b926ff5e42879694baf4b039034593107d6ab844a58

                      SHA512

                      f89446d3313e358e76dc82c6025aa32d7e57a02d6385916797430955704be0999e6b32c28c97faf6935adb5bb310d4142b682bc087d3cb8e9e4fa224722009e3

                    • C:\Windows\SysWOW64\Olkhmi32.exe

                      Filesize

                      104KB

                      MD5

                      6bd2e65c72dff01cce2a81361cbc4021

                      SHA1

                      25358e309cd9d926b1f48574b6cf9483ec35443e

                      SHA256

                      132b171f29b8beca737472ece7d54db6ceb88c6a3619e35ed29fa47f8346eae8

                      SHA512

                      110d58b35bb83aca912677542a963fadca183eb606cfdcc02cc88f625a8ccbd34229ef010a71fcd12b06aaa999d9c11ef860f45340499844f33d5a0fcaddf553

                    • C:\Windows\SysWOW64\Oneklm32.exe

                      Filesize

                      104KB

                      MD5

                      b34c8a6fd11e60cd3f9e8ab448e0c459

                      SHA1

                      eb16f875883d6df86010efb30f7b0884cb8dff76

                      SHA256

                      a86c716b6a8996ce5c3b8bd6d960204cfa92f1b397796a4dc38e11411056dad5

                      SHA512

                      d2f36d8d5259214fc06b9e440a3c7fbc453bd06770285ebe899dd051fff8e708accda28903ece9154f14fef0c277b7494695ca0d4cf070fafe8b0ff1dce240d8

                    • C:\Windows\SysWOW64\Onhhamgg.exe

                      Filesize

                      104KB

                      MD5

                      b5dbe56a249ba38877840e71564f4fae

                      SHA1

                      f3974821355ebf3763b03086c09211efef412467

                      SHA256

                      21c4e987e97394905f2ac52a45221bdf4edf8afb3ce92e6c7b7b86dc3d5f94aa

                      SHA512

                      cbed155cc05ac89bff701e07d979ccd10213dd94f1883a83f582dbca256d23b7d5db08fed77744aec2e7bf358fe45778db07ef6ce2b04ef00bf5e3274f667ade

                    • C:\Windows\SysWOW64\Opakbi32.exe

                      Filesize

                      104KB

                      MD5

                      5d7945d1c74a13921b33e32bab5c87f2

                      SHA1

                      4d0eb7e05aa54b2e079996d839acecde7244e4aa

                      SHA256

                      457762b4254bfba13a4cb39dee76d1e6e987074a0bc04e736357430a182ae8cd

                      SHA512

                      bf5a1f038121b85b67e4f4ee5868bf68dc147d929d593bbf16352af30ea6513a521bae1110c929b59a9115bafdfd9de2c9b1894c9b112c5bea902e6b62b0d55a

                    • C:\Windows\SysWOW64\Opdghh32.exe

                      Filesize

                      104KB

                      MD5

                      06bac3c7c4fa0c14fba31a9c87fab793

                      SHA1

                      b9bb350dff63b3c127d77f26bb7feb20a51a5adb

                      SHA256

                      e03b3c2093860a1086e998aa4243475ce0ab25ead5c3859a124c8db98c33aed3

                      SHA512

                      6d148670ece9b2f24941febfba12d46bc7ca1be244fdf389514389efd79526a9296bf86a5bc8dcaa71586a9078e1b1462c6a4ca8bbd1208c45210b27d7ecbfab

                    • C:\Windows\SysWOW64\Oponmilc.exe

                      Filesize

                      104KB
