Analysis

  • max time kernel
    96s
  • max time network
    97s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
  • submitted
    10-11-2024 01:40

General

  • Target

    be0cb18eb0036939c68276fadb922a211a327a27ca87ed9febfe5db455e83808N.exe

  • Size

    92KB

  • MD5

    8b790cad0b498c571317b5d5af416d90

  • SHA1

    cb5f6d52907df299081a831518d7300ed4b22152

  • SHA256

    be0cb18eb0036939c68276fadb922a211a327a27ca87ed9febfe5db455e83808

  • SHA512

    7341ed9424b32c0bd28ab1aa0d2d327be43084b51f1001845b6d05c7b35239bbc1589e054a6f05a6b12fd58bbde5337553df6359ae03021305fe87db04b2ceb5

  • SSDEEP

    1536:JlWIH04xVPaqTFReV+j65YVepJJZIcqID59KOJk24VEI4Lar/ju7JC5:5HTVP97362e/nIcqIOOJF4EISi/iG

Score
10/10

Malware Config

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
  • Executes dropped EXE 61 IoCs
  • Drops file in System32 directory 64 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 63 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\be0cb18eb0036939c68276fadb922a211a327a27ca87ed9febfe5db455e83808N.exe
    "C:\Users\Admin\AppData\Local\Temp\be0cb18eb0036939c68276fadb922a211a327a27ca87ed9febfe5db455e83808N.exe"
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1984
    • C:\Windows\SysWOW64\Bmbplc32.exe
      C:\Windows\system32\Bmbplc32.exe
      2⤵
      • Adds autorun key to be loaded by Explorer.exe on startup
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2536
      • C:\Windows\SysWOW64\Beihma32.exe
        C:\Windows\system32\Beihma32.exe
        3⤵
        • Adds autorun key to be loaded by Explorer.exe on startup
        • Executes dropped EXE
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:316
        • C:\Windows\SysWOW64\Bhhdil32.exe
          C:\Windows\system32\Bhhdil32.exe
          4⤵
          • Adds autorun key to be loaded by Explorer.exe on startup
          • Executes dropped EXE
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:1540
          • C:\Windows\SysWOW64\Bjfaeh32.exe
            C:\Windows\system32\Bjfaeh32.exe
            5⤵
            • Adds autorun key to be loaded by Explorer.exe on startup
            • Executes dropped EXE
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Modifies registry class
            • Suspicious use of WriteProcessMemory
            PID:2128
            • C:\Windows\SysWOW64\Bapiabak.exe
              C:\Windows\system32\Bapiabak.exe
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              • Suspicious use of WriteProcessMemory
              PID:2156
              • C:\Windows\SysWOW64\Chjaol32.exe
                C:\Windows\system32\Chjaol32.exe
                7⤵
                • Executes dropped EXE
                • Drops file in System32 directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:1708
                • C:\Windows\SysWOW64\Cndikf32.exe
                  C:\Windows\system32\Cndikf32.exe
                  8⤵
                  • Adds autorun key to be loaded by Explorer.exe on startup
                  • Executes dropped EXE
                  • Drops file in System32 directory
                  • System Location Discovery: System Language Discovery
                  • Modifies registry class
                  • Suspicious use of WriteProcessMemory
                  PID:4752
                  • C:\Windows\SysWOW64\Cabfga32.exe
                    C:\Windows\system32\Cabfga32.exe
                    9⤵
                    • Adds autorun key to be loaded by Explorer.exe on startup
                    • Executes dropped EXE
                    • Drops file in System32 directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of WriteProcessMemory
                    PID:1832
                    • C:\Windows\SysWOW64\Cdabcm32.exe
                      C:\Windows\system32\Cdabcm32.exe
                      10⤵
                      • Adds autorun key to be loaded by Explorer.exe on startup
                      • Executes dropped EXE
                      • Drops file in System32 directory
                      • System Location Discovery: System Language Discovery
                      • Modifies registry class
                      • Suspicious use of WriteProcessMemory
                      PID:3460
                      • C:\Windows\SysWOW64\Cjkjpgfi.exe
                        C:\Windows\system32\Cjkjpgfi.exe
                        11⤵
                        • Adds autorun key to be loaded by Explorer.exe on startup
                        • Executes dropped EXE
                        • Drops file in System32 directory
                        • System Location Discovery: System Language Discovery
                        • Modifies registry class
                        • Suspicious use of WriteProcessMemory
                        PID:4024
                        • C:\Windows\SysWOW64\Ceqnmpfo.exe
                          C:\Windows\system32\Ceqnmpfo.exe
                          12⤵
                          • Adds autorun key to be loaded by Explorer.exe on startup
                          • Executes dropped EXE
                          • Drops file in System32 directory
                          • System Location Discovery: System Language Discovery
                          • Modifies registry class
                          • Suspicious use of WriteProcessMemory
                          PID:4356
                          • C:\Windows\SysWOW64\Cjmgfgdf.exe
                            C:\Windows\system32\Cjmgfgdf.exe
                            13⤵
                            • Executes dropped EXE
                            • Drops file in System32 directory
                            • System Location Discovery: System Language Discovery
                            • Suspicious use of WriteProcessMemory
                            PID:4380
                            • C:\Windows\SysWOW64\Cnicfe32.exe
                              C:\Windows\system32\Cnicfe32.exe
                              14⤵
                              • Adds autorun key to be loaded by Explorer.exe on startup
                              • Executes dropped EXE
                              • System Location Discovery: System Language Discovery
                              • Suspicious use of WriteProcessMemory
                              PID:2612
                              • C:\Windows\SysWOW64\Cagobalc.exe
                                C:\Windows\system32\Cagobalc.exe
                                15⤵
                                • Executes dropped EXE
                                • Drops file in System32 directory
                                • System Location Discovery: System Language Discovery
                                • Modifies registry class
                                • Suspicious use of WriteProcessMemory
                                PID:4588
                                • C:\Windows\SysWOW64\Ceckcp32.exe
                                  C:\Windows\system32\Ceckcp32.exe
                                  16⤵
                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                  • Executes dropped EXE
                                  • System Location Discovery: System Language Discovery
                                  • Suspicious use of WriteProcessMemory
                                  PID:3712
                                  • C:\Windows\SysWOW64\Chagok32.exe
                                    C:\Windows\system32\Chagok32.exe
                                    17⤵
                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                    • Executes dropped EXE
                                    • Drops file in System32 directory
                                    • System Location Discovery: System Language Discovery
                                    • Modifies registry class
                                    • Suspicious use of WriteProcessMemory
                                    PID:1420
                                    • C:\Windows\SysWOW64\Cfdhkhjj.exe
                                      C:\Windows\system32\Cfdhkhjj.exe
                                      18⤵
                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                      • Executes dropped EXE
                                      • System Location Discovery: System Language Discovery
                                      • Modifies registry class
                                      • Suspicious use of WriteProcessMemory
                                      PID:1100
                                      • C:\Windows\SysWOW64\Cjpckf32.exe
                                        C:\Windows\system32\Cjpckf32.exe
                                        19⤵
                                        • Executes dropped EXE
                                        • Drops file in System32 directory
                                        • System Location Discovery: System Language Discovery
                                        • Modifies registry class
                                        • Suspicious use of WriteProcessMemory
                                        PID:4028
                                        • C:\Windows\SysWOW64\Cnkplejl.exe
                                          C:\Windows\system32\Cnkplejl.exe
                                          20⤵
                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                          • Executes dropped EXE
                                          • Drops file in System32 directory
                                          • System Location Discovery: System Language Discovery
                                          • Suspicious use of WriteProcessMemory
                                          PID:408
                                          • C:\Windows\SysWOW64\Cajlhqjp.exe
                                            C:\Windows\system32\Cajlhqjp.exe
                                            21⤵
                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                            • Executes dropped EXE
                                            • Drops file in System32 directory
                                            • System Location Discovery: System Language Discovery
                                            • Modifies registry class
                                            • Suspicious use of WriteProcessMemory
                                            PID:636
                                            • C:\Windows\SysWOW64\Ceehho32.exe
                                              C:\Windows\system32\Ceehho32.exe
                                              22⤵
                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                              • Executes dropped EXE
                                              • Drops file in System32 directory
                                              • System Location Discovery: System Language Discovery
                                              • Modifies registry class
                                              • Suspicious use of WriteProcessMemory
                                              PID:2760
                                              • C:\Windows\SysWOW64\Cdhhdlid.exe
                                                C:\Windows\system32\Cdhhdlid.exe
                                                23⤵
                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                • Executes dropped EXE
                                                • System Location Discovery: System Language Discovery
                                                • Modifies registry class
                                                PID:4856
                                                • C:\Windows\SysWOW64\Cffdpghg.exe
                                                  C:\Windows\system32\Cffdpghg.exe
                                                  24⤵
                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                  • Executes dropped EXE
                                                  • Drops file in System32 directory
                                                  • System Location Discovery: System Language Discovery
                                                  • Modifies registry class
                                                  PID:3892
                                                  • C:\Windows\SysWOW64\Cjbpaf32.exe
                                                    C:\Windows\system32\Cjbpaf32.exe
                                                    25⤵
                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                    • Executes dropped EXE
                                                    • Drops file in System32 directory
                                                    • System Location Discovery: System Language Discovery
                                                    • Modifies registry class
                                                    PID:3908
                                                    • C:\Windows\SysWOW64\Cmqmma32.exe
                                                      C:\Windows\system32\Cmqmma32.exe
                                                      26⤵
                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                      • Executes dropped EXE
                                                      • Drops file in System32 directory
                                                      • System Location Discovery: System Language Discovery
                                                      PID:2532
                                                      • C:\Windows\SysWOW64\Calhnpgn.exe
                                                        C:\Windows\system32\Calhnpgn.exe
                                                        27⤵
                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                        • Executes dropped EXE
                                                        • Drops file in System32 directory
                                                        • System Location Discovery: System Language Discovery
                                                        • Modifies registry class
                                                        PID:2928
                                                        • C:\Windows\SysWOW64\Cegdnopg.exe
                                                          C:\Windows\system32\Cegdnopg.exe
                                                          28⤵
                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                          • Executes dropped EXE
                                                          • Drops file in System32 directory
                                                          • System Location Discovery: System Language Discovery
                                                          • Modifies registry class
                                                          PID:4764
                                                          • C:\Windows\SysWOW64\Ddjejl32.exe
                                                            C:\Windows\system32\Ddjejl32.exe
                                                            29⤵
                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                            • Executes dropped EXE
                                                            • Drops file in System32 directory
                                                            • System Location Discovery: System Language Discovery
                                                            • Modifies registry class
                                                            PID:4432
                                                            • C:\Windows\SysWOW64\Dhfajjoj.exe
                                                              C:\Windows\system32\Dhfajjoj.exe
                                                              30⤵
                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                              • Executes dropped EXE
                                                              • Drops file in System32 directory
                                                              • System Location Discovery: System Language Discovery
                                                              • Modifies registry class
                                                              PID:3604
                                                              • C:\Windows\SysWOW64\Dfiafg32.exe
                                                                C:\Windows\system32\Dfiafg32.exe
                                                                31⤵
                                                                • Executes dropped EXE
                                                                • System Location Discovery: System Language Discovery
                                                                • Modifies registry class
                                                                PID:1912
                                                                • C:\Windows\SysWOW64\Djdmffnn.exe
                                                                  C:\Windows\system32\Djdmffnn.exe
                                                                  32⤵
                                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                                  • Executes dropped EXE
                                                                  • Drops file in System32 directory
                                                                  • System Location Discovery: System Language Discovery
                                                                  • Modifies registry class
                                                                  PID:2972
                                                                  • C:\Windows\SysWOW64\Dopigd32.exe
                                                                    C:\Windows\system32\Dopigd32.exe
                                                                    33⤵
                                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                                    • Executes dropped EXE
                                                                    • System Location Discovery: System Language Discovery
                                                                    • Modifies registry class
                                                                    PID:2476
                                                                    • C:\Windows\SysWOW64\Dmcibama.exe
                                                                      C:\Windows\system32\Dmcibama.exe
                                                                      34⤵
                                                                      • Executes dropped EXE
                                                                      • Drops file in System32 directory
                                                                      • System Location Discovery: System Language Discovery
                                                                      • Modifies registry class
                                                                      PID:2408
                                                                      • C:\Windows\SysWOW64\Danecp32.exe
                                                                        C:\Windows\system32\Danecp32.exe
                                                                        35⤵
                                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                                        • Executes dropped EXE
                                                                        • Drops file in System32 directory
                                                                        • System Location Discovery: System Language Discovery
                                                                        PID:1896
                                                                        • C:\Windows\SysWOW64\Dejacond.exe
                                                                          C:\Windows\system32\Dejacond.exe
                                                                          36⤵
                                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                                          • Executes dropped EXE
                                                                          • Drops file in System32 directory
                                                                          • System Location Discovery: System Language Discovery
                                                                          PID:5060
                                                                          • C:\Windows\SysWOW64\Ddmaok32.exe
                                                                            C:\Windows\system32\Ddmaok32.exe
                                                                            37⤵
                                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                                            • Executes dropped EXE
                                                                            • Drops file in System32 directory
                                                                            • System Location Discovery: System Language Discovery
                                                                            • Modifies registry class
                                                                            PID:2560
                                                                            • C:\Windows\SysWOW64\Dhhnpjmh.exe
                                                                              C:\Windows\system32\Dhhnpjmh.exe
                                                                              38⤵
                                                                              • Executes dropped EXE
                                                                              • System Location Discovery: System Language Discovery
                                                                              • Modifies registry class
                                                                              PID:956
                                                                              • C:\Windows\SysWOW64\Dfknkg32.exe
                                                                                C:\Windows\system32\Dfknkg32.exe
                                                                                39⤵
                                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                • Executes dropped EXE
                                                                                • Drops file in System32 directory
                                                                                • System Location Discovery: System Language Discovery
                                                                                • Modifies registry class
                                                                                PID:2888
                                                                                • C:\Windows\SysWOW64\Djgjlelk.exe
                                                                                  C:\Windows\system32\Djgjlelk.exe
                                                                                  40⤵
                                                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                  • Executes dropped EXE
                                                                                  • Drops file in System32 directory
                                                                                  • System Location Discovery: System Language Discovery
                                                                                  • Modifies registry class
                                                                                  PID:5052
                                                                                  • C:\Windows\SysWOW64\Dobfld32.exe
                                                                                    C:\Windows\system32\Dobfld32.exe
                                                                                    41⤵
                                                                                    • Executes dropped EXE
                                                                                    • System Location Discovery: System Language Discovery
                                                                                    • Modifies registry class
                                                                                    PID:3388
                                                                                    • C:\Windows\SysWOW64\Daqbip32.exe
                                                                                      C:\Windows\system32\Daqbip32.exe
                                                                                      42⤵
                                                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                      • Executes dropped EXE
                                                                                      • Drops file in System32 directory
                                                                                      • System Location Discovery: System Language Discovery
                                                                                      • Modifies registry class
                                                                                      PID:1524
                                                                                      • C:\Windows\SysWOW64\Delnin32.exe
                                                                                        C:\Windows\system32\Delnin32.exe
                                                                                        43⤵
                                                                                        • Executes dropped EXE
                                                                                        • Drops file in System32 directory
                                                                                        • System Location Discovery: System Language Discovery
                                                                                        • Modifies registry class
                                                                                        PID:3160
                                                                                        • C:\Windows\SysWOW64\Ddonekbl.exe
                                                                                          C:\Windows\system32\Ddonekbl.exe
                                                                                          44⤵
                                                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                          • Executes dropped EXE
                                                                                          • Drops file in System32 directory
                                                                                          • System Location Discovery: System Language Discovery
                                                                                          PID:1376
                                                                                          • C:\Windows\SysWOW64\Dhkjej32.exe
                                                                                            C:\Windows\system32\Dhkjej32.exe
                                                                                            45⤵
                                                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                            • Executes dropped EXE
                                                                                            • System Location Discovery: System Language Discovery
                                                                                            • Modifies registry class
                                                                                            PID:4580
                                                                                            • C:\Windows\SysWOW64\Dfnjafap.exe
                                                                                              C:\Windows\system32\Dfnjafap.exe
                                                                                              46⤵
                                                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                              • Executes dropped EXE
                                                                                              • Drops file in System32 directory
                                                                                              • System Location Discovery: System Language Discovery
                                                                                              • Modifies registry class
                                                                                              PID:1824
                                                                                              • C:\Windows\SysWOW64\Dkifae32.exe
                                                                                                C:\Windows\system32\Dkifae32.exe
                                                                                                47⤵
                                                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                • Executes dropped EXE
                                                                                                • System Location Discovery: System Language Discovery
                                                                                                PID:1456
                                                                                                • C:\Windows\SysWOW64\Dodbbdbb.exe
                                                                                                  C:\Windows\system32\Dodbbdbb.exe
                                                                                                  48⤵
                                                                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                  • Executes dropped EXE
                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                  • Modifies registry class
                                                                                                  PID:4932
                                                                                                  • C:\Windows\SysWOW64\Dmgbnq32.exe
                                                                                                    C:\Windows\system32\Dmgbnq32.exe
                                                                                                    49⤵
                                                                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                    • Executes dropped EXE
                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                    • Modifies registry class
                                                                                                    PID:3040
                                                                                                    • C:\Windows\SysWOW64\Daconoae.exe
                                                                                                      C:\Windows\system32\Daconoae.exe
                                                                                                      50⤵
                                                                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                      • Executes dropped EXE
                                                                                                      • Drops file in System32 directory
                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                      • Modifies registry class
                                                                                                      PID:3828
                                                                                                      • C:\Windows\SysWOW64\Deokon32.exe
                                                                                                        C:\Windows\system32\Deokon32.exe
                                                                                                        51⤵
                                                                                                        • Executes dropped EXE
                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                        • Modifies registry class
                                                                                                        PID:4120
                                                                                                        • C:\Windows\SysWOW64\Ddakjkqi.exe
                                                                                                          C:\Windows\system32\Ddakjkqi.exe
                                                                                                          52⤵
                                                                                                          • Executes dropped EXE
                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                          • Modifies registry class
                                                                                                          PID:1096
                                                                                                          • C:\Windows\SysWOW64\Dfpgffpm.exe
                                                                                                            C:\Windows\system32\Dfpgffpm.exe
                                                                                                            53⤵
                                                                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                            • Executes dropped EXE
                                                                                                            • Drops file in System32 directory
                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                            • Modifies registry class
                                                                                                            PID:1948
                                                                                                            • C:\Windows\SysWOW64\Dkkcge32.exe
                                                                                                              C:\Windows\system32\Dkkcge32.exe
                                                                                                              54⤵
                                                                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                              • Executes dropped EXE
                                                                                                              • Drops file in System32 directory
                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                              • Modifies registry class
                                                                                                              PID:3660
                                                                                                              • C:\Windows\SysWOW64\Dogogcpo.exe
                                                                                                                C:\Windows\system32\Dogogcpo.exe
                                                                                                                55⤵
                                                                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                • Executes dropped EXE
                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                PID:712
                                                                                                                • C:\Windows\SysWOW64\Dmjocp32.exe
                                                                                                                  C:\Windows\system32\Dmjocp32.exe
                                                                                                                  56⤵
                                                                                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                  • Executes dropped EXE
                                                                                                                  • Drops file in System32 directory
                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                  PID:1660
                                                                                                                  • C:\Windows\SysWOW64\Daekdooc.exe
                                                                                                                    C:\Windows\system32\Daekdooc.exe
                                                                                                                    57⤵
                                                                                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                    • Executes dropped EXE
                                                                                                                    • Drops file in System32 directory
                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                    • Modifies registry class
                                                                                                                    PID:5096
                                                                                                                    • C:\Windows\SysWOW64\Deagdn32.exe
                                                                                                                      C:\Windows\system32\Deagdn32.exe
                                                                                                                      58⤵
                                                                                                                      • Executes dropped EXE
                                                                                                                      • Drops file in System32 directory
                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                      • Modifies registry class
                                                                                                                      PID:3004
                                                                                                                      • C:\Windows\SysWOW64\Dddhpjof.exe
                                                                                                                        C:\Windows\system32\Dddhpjof.exe
                                                                                                                        59⤵
                                                                                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                        • Executes dropped EXE
                                                                                                                        • Drops file in System32 directory
                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                        PID:2584
                                                                                                                        • C:\Windows\SysWOW64\Dhocqigp.exe
                                                                                                                          C:\Windows\system32\Dhocqigp.exe
                                                                                                                          60⤵
                                                                                                                          • Executes dropped EXE
                                                                                                                          • Drops file in System32 directory
                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                          • Modifies registry class
                                                                                                                          PID:2284
                                                                                                                          • C:\Windows\SysWOW64\Dknpmdfc.exe
                                                                                                                            C:\Windows\system32\Dknpmdfc.exe
                                                                                                                            61⤵
                                                                                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                            • Executes dropped EXE
                                                                                                                            • Drops file in System32 directory
                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                            • Modifies registry class
                                                                                                                            PID:1936
                                                                                                                            • C:\Windows\SysWOW64\Doilmc32.exe
                                                                                                                              C:\Windows\system32\Doilmc32.exe
                                                                                                                              62⤵
                                                                                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                              • Executes dropped EXE
                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                              • Modifies registry class
                                                                                                                              PID:4252
                                                                                                                              • C:\Windows\SysWOW64\Dmllipeg.exe
                                                                                                                                C:\Windows\system32\Dmllipeg.exe
                                                                                                                                63⤵
                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                PID:4760
                                                                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                  C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 396
                                                                                                                                  64⤵
                                                                                                                                  • Program crash
                                                                                                                                  PID:4144
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4760 -ip 4760
    1⤵
      PID:4336

    Network

    MITRE ATT&CK Enterprise v15

    Downloads


      7c7db047f1a046629fc33fcecaec209eecf84710e9112f7de3117efd123ab02c

      SHA512

      7883c17f2514fa39f9b9c784d2631d69d6b247ed12fd9b831171ec8329b2d70a3ca6c8df406e045f7d140d26fa676a19ac8d2c6ffbe59576913493f1c9c65d23
