Overview

overview

10

Static

static

10

cba73d7491...c9.exe

windows7-x64

10

cba73d7491...c9.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    94s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-01-2025 00:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cba73d7491c9869d813b5ffe0fd37c44397eb99c23aa98b11b62c32e894670c9.exe

  • Size

    93KB

  • MD5

    846506098527c2225614018b54dbebfe

  • SHA1

    91229bf3aa2a7e0d74f906cfa6645a5cef59beff

  • SHA256

    cba73d7491c9869d813b5ffe0fd37c44397eb99c23aa98b11b62c32e894670c9

  • SHA512

    01ffd042c14dd988201a81317b0c4bdb7218272ef988f0a93b12d9fccf55713795cf6f08fca2b4da57ffecf0626c9651f4bfcf77fb13f4b8c3a070966c8ade35

  • SSDEEP

    1536:Vr3xzWzw45vwWritpfBjeOJTrB1DaYfMZRWuLsV+1R:NxEL5vatdwOpdgYfc0DV+1R

Score
10/10
berbewnjratbackdoordiscoverypersistencetrojan

Malware Config

Extracted

Family

berbew

C2

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
    persistence
  • Berbew

    Berbew is a backdoor written in C++.

    backdoorberbew
  • Berbew family
    berbew
  • Njrat family
    njrat
  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • Executes dropped EXE 64 IoCs
  • Drops file in System32 directory 64 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cba73d7491c9869d813b5ffe0fd37c44397eb99c23aa98b11b62c32e894670c9.exe
    "C:\Users\Admin\AppData\Local\Temp\cba73d7491c9869d813b5ffe0fd37c44397eb99c23aa98b11b62c32e894670c9.exe"
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4992
    • C:\Windows\SysWOW64\Ojoign32.exe
      C:\Windows\system32\Ojoign32.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:628
      • C:\Windows\SysWOW64\Ocgmpccl.exe
        C:\Windows\system32\Ocgmpccl.exe
        3⤵
        • Adds autorun key to be loaded by Explorer.exe on startup
        • Executes dropped EXE
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1832
        • C:\Windows\SysWOW64\Ojaelm32.exe
          C:\Windows\system32\Ojaelm32.exe
          4⤵
          • Adds autorun key to be loaded by Explorer.exe on startup
          • Executes dropped EXE
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:4568
          • C:\Windows\SysWOW64\Pqknig32.exe
            C:\Windows\system32\Pqknig32.exe
            5⤵
            • Adds autorun key to be loaded by Explorer.exe on startup
            • Executes dropped EXE
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Modifies registry class
            • Suspicious use of WriteProcessMemory
            PID:2488
            • C:\Windows\SysWOW64\Pfhfan32.exe
              C:\Windows\system32\Pfhfan32.exe
              6⤵
              • Adds autorun key to be loaded by Explorer.exe on startup
              • Executes dropped EXE
              • Drops file in System32 directory
              • Modifies registry class
              • Suspicious use of WriteProcessMemory
              PID:4308
              • C:\Windows\SysWOW64\Pmannhhj.exe
                C:\Windows\system32\Pmannhhj.exe
                7⤵
                • Executes dropped EXE
                • Drops file in System32 directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:4872
                • C:\Windows\SysWOW64\Pqmjog32.exe
                  C:\Windows\system32\Pqmjog32.exe
                  8⤵
                  • Adds autorun key to be loaded by Explorer.exe on startup
                  • Executes dropped EXE
                  • Drops file in System32 directory
                  • System Location Discovery: System Language Discovery
                  • Modifies registry class
                  • Suspicious use of WriteProcessMemory
                  PID:2076
                  • C:\Windows\SysWOW64\Pfjcgn32.exe
                    C:\Windows\system32\Pfjcgn32.exe
                    9⤵
                    • Adds autorun key to be loaded by Explorer.exe on startup
                    • Executes dropped EXE
                    • Drops file in System32 directory
                    • System Location Discovery: System Language Discovery
                    • Modifies registry class
                    • Suspicious use of WriteProcessMemory
                    PID:2444
                    • C:\Windows\SysWOW64\Pnakhkol.exe
                      C:\Windows\system32\Pnakhkol.exe
                      10⤵
                      • Adds autorun key to be loaded by Explorer.exe on startup
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      • Modifies registry class
                      • Suspicious use of WriteProcessMemory
                      PID:3780
                      • C:\Windows\SysWOW64\Pcncpbmd.exe
                        C:\Windows\system32\Pcncpbmd.exe
                        11⤵
                        • Executes dropped EXE
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of WriteProcessMemory
                        PID:4072
                        • C:\Windows\SysWOW64\Pncgmkmj.exe
                          C:\Windows\system32\Pncgmkmj.exe
                          12⤵
                          • Adds autorun key to be loaded by Explorer.exe on startup
                          • Executes dropped EXE
                          • Drops file in System32 directory
                          • System Location Discovery: System Language Discovery
                          • Modifies registry class
                          • Suspicious use of WriteProcessMemory
                          PID:3512
                          • C:\Windows\SysWOW64\Pcppfaka.exe
                            C:\Windows\system32\Pcppfaka.exe
                            13⤵
                            • Executes dropped EXE
                            • Drops file in System32 directory
                            • System Location Discovery: System Language Discovery
                            • Modifies registry class
                            • Suspicious use of WriteProcessMemory
                            PID:2272
                            • C:\Windows\SysWOW64\Pjjhbl32.exe
                              C:\Windows\system32\Pjjhbl32.exe
                              14⤵
                              • Adds autorun key to be loaded by Explorer.exe on startup
                              • Executes dropped EXE
                              • System Location Discovery: System Language Discovery
                              • Modifies registry class
                              • Suspicious use of WriteProcessMemory
                              PID:1400
                              • C:\Windows\SysWOW64\Pdpmpdbd.exe
                                C:\Windows\system32\Pdpmpdbd.exe
                                15⤵
                                • Adds autorun key to be loaded by Explorer.exe on startup
                                • Executes dropped EXE
                                • Drops file in System32 directory
                                • System Location Discovery: System Language Discovery
                                • Suspicious use of WriteProcessMemory
                                PID:5048
                                • C:\Windows\SysWOW64\Pgnilpah.exe
                                  C:\Windows\system32\Pgnilpah.exe
                                  16⤵
                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                  • Executes dropped EXE
                                  • Drops file in System32 directory
                                  • System Location Discovery: System Language Discovery
                                  • Modifies registry class
                                  • Suspicious use of WriteProcessMemory
                                  PID:1540
                                  • C:\Windows\SysWOW64\Qnhahj32.exe
                                    C:\Windows\system32\Qnhahj32.exe
                                    17⤵
                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                    • Executes dropped EXE
                                    • Drops file in System32 directory
                                    • System Location Discovery: System Language Discovery
                                    • Suspicious use of WriteProcessMemory
                                    PID:3844
                                    • C:\Windows\SysWOW64\Qqfmde32.exe
                                      C:\Windows\system32\Qqfmde32.exe
                                      18⤵
                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                      • Executes dropped EXE
                                      • Drops file in System32 directory
                                      • System Location Discovery: System Language Discovery
                                      • Modifies registry class
                                      • Suspicious use of WriteProcessMemory
                                      PID:2288
                                      • C:\Windows\SysWOW64\Qgqeappe.exe
                                        C:\Windows\system32\Qgqeappe.exe
                                        19⤵
                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                        • Executes dropped EXE
                                        • Drops file in System32 directory
                                        • System Location Discovery: System Language Discovery
                                        • Modifies registry class
                                        • Suspicious use of WriteProcessMemory
                                        PID:2848
                                        • C:\Windows\SysWOW64\Qqijje32.exe
                                          C:\Windows\system32\Qqijje32.exe
                                          20⤵
                                          • Executes dropped EXE
                                          • Drops file in System32 directory
                                          • System Location Discovery: System Language Discovery
                                          • Suspicious use of WriteProcessMemory
                                          PID:1956
                                          • C:\Windows\SysWOW64\Ampkof32.exe
                                            C:\Windows\system32\Ampkof32.exe
                                            21⤵
                                            • Executes dropped EXE
                                            • Drops file in System32 directory
                                            • System Location Discovery: System Language Discovery
                                            • Suspicious use of WriteProcessMemory
                                            PID:3068
                                            • C:\Windows\SysWOW64\Ageolo32.exe
                                              C:\Windows\system32\Ageolo32.exe
                                              22⤵
                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                              • Executes dropped EXE
                                              • Drops file in System32 directory
                                              • System Location Discovery: System Language Discovery
                                              • Modifies registry class
                                              • Suspicious use of WriteProcessMemory
                                              PID:3332
                                              • C:\Windows\SysWOW64\Aqncedbp.exe
                                                C:\Windows\system32\Aqncedbp.exe
                                                23⤵
                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                • Executes dropped EXE
                                                • Drops file in System32 directory
                                                • System Location Discovery: System Language Discovery
                                                • Modifies registry class
                                                PID:868
                                                • C:\Windows\SysWOW64\Afjlnk32.exe
                                                  C:\Windows\system32\Afjlnk32.exe
                                                  24⤵
                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                  • Executes dropped EXE
                                                  • Drops file in System32 directory
                                                  • System Location Discovery: System Language Discovery
                                                  PID:4080
                                                  • C:\Windows\SysWOW64\Aqppkd32.exe
                                                    C:\Windows\system32\Aqppkd32.exe
                                                    25⤵
                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                    • Executes dropped EXE
                                                    • Drops file in System32 directory
                                                    • System Location Discovery: System Language Discovery
                                                    • Modifies registry class
                                                    PID:5052
                                                    • C:\Windows\SysWOW64\Agjhgngj.exe
                                                      C:\Windows\system32\Agjhgngj.exe
                                                      26⤵
                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                      • Executes dropped EXE
                                                      • Drops file in System32 directory
                                                      • System Location Discovery: System Language Discovery
                                                      • Modifies registry class
                                                      PID:1132
                                                      • C:\Windows\SysWOW64\Andqdh32.exe
                                                        C:\Windows\system32\Andqdh32.exe
                                                        27⤵
                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                        • Executes dropped EXE
                                                        • Drops file in System32 directory
                                                        • System Location Discovery: System Language Discovery
                                                        • Modifies registry class
                                                        PID:2404
                                                        • C:\Windows\SysWOW64\Aabmqd32.exe
                                                          C:\Windows\system32\Aabmqd32.exe
                                                          28⤵
                                                          • Executes dropped EXE
                                                          • System Location Discovery: System Language Discovery
                                                          • Modifies registry class
                                                          PID:4748
                                                          • C:\Windows\SysWOW64\Acqimo32.exe
                                                            C:\Windows\system32\Acqimo32.exe
                                                            29⤵
                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                            • Executes dropped EXE
                                                            • Drops file in System32 directory
                                                            • System Location Discovery: System Language Discovery
                                                            • Modifies registry class
                                                            PID:2832
                                                            • C:\Windows\SysWOW64\Anfmjhmd.exe
                                                              C:\Windows\system32\Anfmjhmd.exe
                                                              30⤵
                                                              • Executes dropped EXE
                                                              • Drops file in System32 directory
                                                              • System Location Discovery: System Language Discovery
                                                              • Modifies registry class
                                                              PID:3968
                                                              • C:\Windows\SysWOW64\Accfbokl.exe
                                                                C:\Windows\system32\Accfbokl.exe
                                                                31⤵
                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                • Executes dropped EXE
                                                                • Drops file in System32 directory
                                                                • System Location Discovery: System Language Discovery
                                                                PID:4812
                                                                • C:\Windows\SysWOW64\Bjmnoi32.exe
                                                                  C:\Windows\system32\Bjmnoi32.exe
                                                                  32⤵
                                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                                  • Executes dropped EXE
                                                                  • Drops file in System32 directory
                                                                  • System Location Discovery: System Language Discovery
                                                                  • Modifies registry class
                                                                  PID:1712
                                                                  • C:\Windows\SysWOW64\Bmkjkd32.exe
                                                                    C:\Windows\system32\Bmkjkd32.exe
                                                                    33⤵
                                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                                    • Executes dropped EXE
                                                                    • System Location Discovery: System Language Discovery
                                                                    • Modifies registry class
                                                                    PID:2408
                                                                    • C:\Windows\SysWOW64\Bfdodjhm.exe
                                                                      C:\Windows\system32\Bfdodjhm.exe
                                                                      34⤵
                                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                                      • Executes dropped EXE
                                                                      • Drops file in System32 directory
                                                                      • System Location Discovery: System Language Discovery
                                                                      PID:4420
                                                                      • C:\Windows\SysWOW64\Bnkgeg32.exe
                                                                        C:\Windows\system32\Bnkgeg32.exe
                                                                        35⤵
                                                                        • Executes dropped EXE
                                                                        • System Location Discovery: System Language Discovery
                                                                        • Modifies registry class
                                                                        PID:2704
                                                                        • C:\Windows\SysWOW64\Bchomn32.exe
                                                                          C:\Windows\system32\Bchomn32.exe
                                                                          36⤵
                                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                                          • Executes dropped EXE
                                                                          • Drops file in System32 directory
                                                                          • System Location Discovery: System Language Discovery
                                                                          • Modifies registry class
                                                                          PID:4288
                                                                          • C:\Windows\SysWOW64\Bjagjhnc.exe
                                                                            C:\Windows\system32\Bjagjhnc.exe
                                                                            37⤵
                                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                                            • Executes dropped EXE
                                                                            • Drops file in System32 directory
                                                                            • System Location Discovery: System Language Discovery
                                                                            PID:4464
                                                                            • C:\Windows\SysWOW64\Beglgani.exe
                                                                              C:\Windows\system32\Beglgani.exe
                                                                              38⤵
                                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                                              • Executes dropped EXE
                                                                              • System Location Discovery: System Language Discovery
                                                                              • Modifies registry class
                                                                              PID:3556
                                                                              • C:\Windows\SysWOW64\Bjddphlq.exe
                                                                                C:\Windows\system32\Bjddphlq.exe
                                                                                39⤵
                                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                • Executes dropped EXE
                                                                                • Drops file in System32 directory
                                                                                • System Location Discovery: System Language Discovery
                                                                                PID:4924
                                                                                • C:\Windows\SysWOW64\Bmbplc32.exe
                                                                                  C:\Windows\system32\Bmbplc32.exe
                                                                                  40⤵
                                                                                  • Executes dropped EXE
                                                                                  • Drops file in System32 directory
                                                                                  • System Location Discovery: System Language Discovery
                                                                                  • Modifies registry class
                                                                                  PID:3828
                                                                                  • C:\Windows\SysWOW64\Bjfaeh32.exe
                                                                                    C:\Windows\system32\Bjfaeh32.exe
                                                                                    41⤵
                                                                                    • Executes dropped EXE
                                                                                    • System Location Discovery: System Language Discovery
                                                                                    • Modifies registry class
                                                                                    PID:4976
                                                                                    • C:\Windows\SysWOW64\Bmemac32.exe
                                                                                      C:\Windows\system32\Bmemac32.exe
                                                                                      42⤵
                                                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                      • Executes dropped EXE
                                                                                      • Drops file in System32 directory
                                                                                      • System Location Discovery: System Language Discovery
                                                                                      • Modifies registry class
                                                                                      PID:1844
                                                                                      • C:\Windows\SysWOW64\Bapiabak.exe
                                                                                        C:\Windows\system32\Bapiabak.exe
                                                                                        43⤵
                                                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                        • Executes dropped EXE
                                                                                        • System Location Discovery: System Language Discovery
                                                                                        PID:540
                                                                                        • C:\Windows\SysWOW64\Cndikf32.exe
                                                                                          C:\Windows\system32\Cndikf32.exe
                                                                                          44⤵
                                                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                          • Executes dropped EXE
                                                                                          • System Location Discovery: System Language Discovery
                                                                                          PID:1304
                                                                                          • C:\Windows\SysWOW64\Cenahpha.exe
                                                                                            C:\Windows\system32\Cenahpha.exe
                                                                                            45⤵
                                                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                            • Executes dropped EXE
                                                                                            • Drops file in System32 directory
                                                                                            • System Location Discovery: System Language Discovery
                                                                                            • Modifies registry class
                                                                                            PID:1708
                                                                                            • C:\Windows\SysWOW64\Cnffqf32.exe
                                                                                              C:\Windows\system32\Cnffqf32.exe
                                                                                              46⤵
                                                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                              • Executes dropped EXE
                                                                                              • System Location Discovery: System Language Discovery
                                                                                              • Modifies registry class
                                                                                              PID:732
                                                                                              • C:\Windows\SysWOW64\Cfbkeh32.exe
                                                                                                C:\Windows\system32\Cfbkeh32.exe
                                                                                                47⤵
                                                                                                • Executes dropped EXE
                                                                                                • Drops file in System32 directory
                                                                                                • System Location Discovery: System Language Discovery
                                                                                                PID:4808
                                                                                                • C:\Windows\SysWOW64\Cjmgfgdf.exe
                                                                                                  C:\Windows\system32\Cjmgfgdf.exe
                                                                                                  48⤵
                                                                                                  • Executes dropped EXE
                                                                                                  • Drops file in System32 directory
                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                  • Modifies registry class
                                                                                                  PID:4868
                                                                                                  • C:\Windows\SysWOW64\Cdfkolkf.exe
                                                                                                    C:\Windows\system32\Cdfkolkf.exe
                                                                                                    49⤵
                                                                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                    • Executes dropped EXE
                                                                                                    • Drops file in System32 directory
                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                    • Modifies registry class
                                                                                                    PID:4592
                                                                                                    • C:\Windows\SysWOW64\Cnkplejl.exe
                                                                                                      C:\Windows\system32\Cnkplejl.exe
                                                                                                      50⤵
                                                                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                      • Executes dropped EXE
                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                      • Modifies registry class
                                                                                                      PID:4176
                                                                                                      • C:\Windows\SysWOW64\Cmnpgb32.exe
                                                                                                        C:\Windows\system32\Cmnpgb32.exe
                                                                                                        51⤵
                                                                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                        • Executes dropped EXE
                                                                                                        • Drops file in System32 directory
                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                        • Modifies registry class
                                                                                                        PID:636
                                                                                                        • C:\Windows\SysWOW64\Cjbpaf32.exe
                                                                                                          C:\Windows\system32\Cjbpaf32.exe
                                                                                                          52⤵
                                                                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                          • Executes dropped EXE
                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                          • Modifies registry class
                                                                                                          PID:2652
                                                                                                          • C:\Windows\SysWOW64\Calhnpgn.exe
                                                                                                            C:\Windows\system32\Calhnpgn.exe
                                                                                                            53⤵
                                                                                                            • Executes dropped EXE
                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                            • Modifies registry class
                                                                                                            PID:4596
                                                                                                            • C:\Windows\SysWOW64\Ddjejl32.exe
                                                                                                              C:\Windows\system32\Ddjejl32.exe
                                                                                                              54⤵
                                                                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                              • Executes dropped EXE
                                                                                                              • Drops file in System32 directory
                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                              • Modifies registry class
                                                                                                              PID:448
                                                                                                              • C:\Windows\SysWOW64\Dopigd32.exe
                                                                                                                C:\Windows\system32\Dopigd32.exe
                                                                                                                55⤵
                                                                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                • Executes dropped EXE
                                                                                                                • Drops file in System32 directory
                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                • Modifies registry class
                                                                                                                PID:1524
                                                                                                                • C:\Windows\SysWOW64\Dhhnpjmh.exe
                                                                                                                  C:\Windows\system32\Dhhnpjmh.exe
                                                                                                                  56⤵
                                                                                                                  • Executes dropped EXE
                                                                                                                  • Drops file in System32 directory
                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                  • Modifies registry class
                                                                                                                  PID:3992
                                                                                                                  • C:\Windows\SysWOW64\Dmefhako.exe
                                                                                                                    C:\Windows\system32\Dmefhako.exe
                                                                                                                    57⤵
                                                                                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                    • Executes dropped EXE
                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                    • Modifies registry class
                                                                                                                    PID:4960
                                                                                                                    • C:\Windows\SysWOW64\Daqbip32.exe
                                                                                                                      C:\Windows\system32\Daqbip32.exe
                                                                                                                      58⤵
                                                                                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                      • Executes dropped EXE
                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                      • Modifies registry class
                                                                                                                      PID:916
                                                                                                                      • C:\Windows\SysWOW64\Ddonekbl.exe
                                                                                                                        C:\Windows\system32\Ddonekbl.exe
                                                                                                                        59⤵
                                                                                                                        • Executes dropped EXE
                                                                                                                        • Drops file in System32 directory
                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                        • Modifies registry class
                                                                                                                        PID:3736
                                                                                                                        • C:\Windows\SysWOW64\Dodbbdbb.exe
                                                                                                                          C:\Windows\system32\Dodbbdbb.exe
                                                                                                                          60⤵
                                                                                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                          • Executes dropped EXE
                                                                                                                          • Drops file in System32 directory
                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                          • Modifies registry class
                                                                                                                          PID:536
                                                                                                                          • C:\Windows\SysWOW64\Dmgbnq32.exe
                                                                                                                            C:\Windows\system32\Dmgbnq32.exe
                                                                                                                            61⤵
                                                                                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                            • Executes dropped EXE
                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                            PID:4436
                                                                                                                            • C:\Windows\SysWOW64\Ddakjkqi.exe
                                                                                                                              C:\Windows\system32\Ddakjkqi.exe
                                                                                                                              62⤵
                                                                                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                              • Executes dropped EXE
                                                                                                                              • Drops file in System32 directory
                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                              • Modifies registry class
                                                                                                                              PID:2576
                                                                                                                              • C:\Windows\SysWOW64\Dkkcge32.exe
                                                                                                                                C:\Windows\system32\Dkkcge32.exe
                                                                                                                                63⤵
                                                                                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                • Executes dropped EXE
                                                                                                                                • Drops file in System32 directory
                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                • Modifies registry class
                                                                                                                                PID:968
                                                                                                                                • C:\Windows\SysWOW64\Daekdooc.exe
                                                                                                                                  C:\Windows\system32\Daekdooc.exe
                                                                                                                                  64⤵
                                                                                                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                  • Executes dropped EXE
                                                                                                                                  • Drops file in System32 directory
                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                  PID:4652
                                                                                                                                  • C:\Windows\SysWOW64\Dmllipeg.exe
                                                                                                                                    C:\Windows\system32\Dmllipeg.exe
                                                                                                                                    65⤵
                                                                                                                                    • Executes dropped EXE
                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                    PID:3060
                                                                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                      C:\Windows\SysWOW64\WerFault.exe -u -p 3060 -s 400
                                                                                                                                      66⤵
                                                                                                                                      • Program crash
                                                                                                                                      PID:2432
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3060 -ip 3060
    1⤵
      PID:4532

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\SysWOW64\Aabmqd32.exe
      Filesize

      93KB

      MD5

      d136bbadfbc74dd902597ffc4a7a295d

      SHA1

      7fff33f07da1943ba76facbf30205615adcfb63a

      SHA256

      39de6fd7078880ca0226fad5cb6a4e8bbea7b1348837d3dae32f7149ee5a9981

      SHA512

      12144b50384fd41441c2bb1660eea222fd159857bcd39ddba58b6aa65c2577996052bf55955f6c87c9956af763449ed295426b00bfd1e7a17942c910db431c26

      Download Submit

    • C:\Windows\SysWOW64\Accfbokl.exe
      Filesize

      93KB

      MD5

      54cbc6089c6cbe556cac6638588957a1

      SHA1

      41367be265e70e22c8b1606d72e6d142add0a6ec

      SHA256

      3d3800f1fcd1634c0450747a7da48fbf18dc79ba7496194c30f5578059d03760

      SHA512

      c220211a641d0893d4190ca104651662326ad24ba925a7c24f4cc503ddfd9b28fb89b81bbf6f4c14831b73eb2d39e5d36e495c583aae077c360b88ba2706f6d8

      Download Submit

    • C:\Windows\SysWOW64\Acqimo32.exe
      Filesize

      93KB

      MD5

      7c7aef147f5e481e76a5589b3b7a0960

      SHA1

      c25cb5cc20924fd579d962699be6c388784b1db1

      SHA256

      ab655d6309c8520e2e05bfed1e8cf2d0caf21adecce5949d070a5c6d88bd0bbb

      SHA512

      7eb2688b0b3edbfec475c475d12250c1eb09cf02b25cdbeba13b817d0f5b152f2d0c185d14e2b213beabfebc682a674bc9a721baad3ba8d45861b77f280e886f

      Download Submit

    • C:\Windows\SysWOW64\Afjlnk32.exe
      Filesize

      93KB

      MD5

      063f939429d9d8cf675de264e98b441d

      SHA1

      d9e8f4f860719ae5768517750d9f122ae8e1e4fa

      SHA256

      b17fbc22fbdda5fb86c979e50ba4fd91c286245b44e0bbacc7a801dd278d752b

      SHA512

      b06c4f97a0339a88ffd5080355dc2f0e1a56ffb048a088944aab7430420fad98867c9010a7f47ebd7474c93b0347199d657a95c8c4eb00c33e31d4d1eabbefe9

      Download Submit

    • C:\Windows\SysWOW64\Ageolo32.exe
      Filesize

      93KB

      MD5

      09687c4ab05f24a0677b4e6c65c4ab6e

      SHA1

      39612e6638abc715bd4e36a8e09f35aae3881747

      SHA256

      d4f615d4ed61bc2b3024fc530100bf5ccaf3c35e6c8a735ca6f88d38de2bfbba

      SHA512

      a0913752e2d4406649dd319e9787c79027c923be5d4c350154279d3946f843c7f9975c7adbf84fe1ef48d3e724f7baa255d4af9585ac9193525e09ee53143e91

      Download Submit

    • C:\Windows\SysWOW64\Agjhgngj.exe
      Filesize

      93KB

      MD5

      b2306480258927b09c3daee03acff4f1

      SHA1

      c0f53df61288242d86cd69e9c528c89bcd069d75

      SHA256

      885379a2a83f7ef85840e883e403eebb1adc46782fbff09d5063a9c2307f1a8d

      SHA512

      fe6b8dc2c06d70b96c48b4f93c0d37de4d94ebe5dbc62069df2c887bc67b505343ef4ebd4316b0295b24a34a16bb9bde9b32bb56f7976bc67d194015e438f0eb

      Download Submit

    • C:\Windows\SysWOW64\Ampkof32.exe
      Filesize

      93KB

      MD5

      2a2e0f00fc0c1437f721e64bd4d01cf0

      SHA1

      11e22c1aae7f9f75a8fb1a241436e82891c41989

      SHA256

      a1752f9cc2eaa0281cd14541879a81fe433b2f8eeb1cb9eeb3dea8e5cc8dbf29

      SHA512

      68c05a47105f9e1be16ddf8ccb01c95601b82e3b5295456385fc242a87b4e2b56889b4a4ed3741665acbf2c5c7d4015d1c526faffcfec2c1617f828539bf0e90

      Download Submit

    • C:\Windows\SysWOW64\Andqdh32.exe
      Filesize

      93KB

      MD5

      6d0e48e41eacde51c6873f064c3d41d8

      SHA1

      c6675ac7156ae23c654a6cc92ef7f0417feb219f

      SHA256

      bb0a476996e7a4d6f4ca5524ae32579024b4897d41accc7fb0dd9d4f5e3b53ff

      SHA512

      df2e33deabf80118244190d691aa92dcd742d66ac379d15db2b9ee57506de959d04f50e42ebe189a5f8edb3ddfc18e4d68f4e480d5ddb50d37dbd51eaa7abccb

      Download Submit

    • C:\Windows\SysWOW64\Anfmjhmd.exe
      Filesize

      93KB

      MD5

      a5dc0e1715dc09ce40d24063c26abca5

      SHA1

      37fcf9b7ccf3eae04f4a390c50f54cfc9e788b2e

      SHA256

      cf50e1bd1a30d8c749210e94ac3b005a6fc8b71976f2a10ce8d699bd613293d4

      SHA512

      f33fd093b49f8a26eaf19f4835a870d2464c84a9cbce8e786751a1f8297e7e3d24b2f3dd573d15aea8dd7187dd33d135e95dfd0ce1956e06f47f9a4a6db14b76

      Download Submit

    • C:\Windows\SysWOW64\Aqncedbp.exe
      Filesize

      93KB

      MD5

      fa05aca83a6d12c9174f8fdb78fa61dd

      SHA1

      395c087b63dee5e2caf329509311d70a40a492b6

      SHA256

      c7c11bcbaed2a8cf90ea823d6c8d0d2ff6be65fa9fddb4e23d6203ebcaa08f02

      SHA512

      7b53af7bcfb3fcacce34267fb8540bc202b0db9d94ed055fc2c82b881b97e9082d5ec0bdce8975888cf020a67dde4ae900529067a0985b2928f4731c72f704ed

      Download Submit

    • C:\Windows\SysWOW64\Aqppkd32.exe
      Filesize

      93KB

      MD5

      f544d072028627dd7978a81469238251

      SHA1

      143236dddf5a6437d65d3bf0aee7d05037dfb45c

      SHA256

      f2a7957fc17eb7a0d5a71785876b433a14dee91de4e4c82924f236351cdcb23e

      SHA512

      1598a0adea41c788b488709aead332d470e7a73408ed6411f6593dfadbe7f8d7ac5e8951b28b120499aed0495ff13dfc5bb2d71453afca2e66eacc0f51271fc4

      Download Submit

    • C:\Windows\SysWOW64\Bjmnoi32.exe
      Filesize

      93KB

      MD5

      868251a8e6b3b37cd8b589d711311eba

      SHA1

      d32dfeca8c181b7ae8782126d684532071ac9c40

      SHA256

      05a7b8516ea568b05977c351427f8baddad353d593ecc23b8172882af013d55b

      SHA512

      44251c5f3c8952682deaa56198ac74a6930c1e6cb34f1f673a9b3adddd7691c6a93d38b84958bd2ba6fb9e88a7788552664923acb43cb09934222e43fd983c49

      Download Submit

    • C:\Windows\SysWOW64\Bmkjkd32.exe
      Filesize

      93KB

      MD5

      185c32ffba41a2d0bec9f5a29c31d538

      SHA1

      f1c42d38047a2ea88ae3a585d1b553b16d6d7150

      SHA256

      7692c5b23ea9a7b0f89e15322d9287a62294760c6c5fa151b8e6c3c69df8895e

      SHA512

      8a2d11e1f7dfcd1a1e1f49c080378a8f25b1df062daf7b707acad6288ba5bfac72d691f5425834f56f9ca44c78557efa83c4abd8d108aa24961ba10a50d5f434

      Download Submit

    • C:\Windows\SysWOW64\Dmllipeg.exe
      Filesize

      93KB

      MD5

      1668ece09222a2405e38ad8bffd955f8

      SHA1

      4551f7f1cef8c2e675485519ed6687b8b29154c4

      SHA256

      0cffbeea7ca10d3f97c2a5b8b641585ea67b201b25dfa1126656ea32bec3db9a

      SHA512

      03b723405e443e21d5ada27a0de55069dcc4fef66f60c8590d0500263b3f256e44f9957c09817f6b5ebc7ba2db46248b53576636cee3c52bb6f91ed679410c3a

      Download Submit

    • C:\Windows\SysWOW64\Ocgmpccl.exe
      Filesize

      93KB

      MD5

      be452f587acd79411f2a7c33c77d4eab

      SHA1

      516d74f280f5333d766c71e51d8b682b83d890d5

      SHA256

      01dc398c4b4fe523285e57dc589af75abdfb038b52e80851dd7bbc6a8baa8060

      SHA512

      199135d8bb9172bab6dc180df834e4501f2a2cbb27c8fc951dee29d44ceca27d40d1b94a19d33ce45ed201704d08c38061e1bcf791c455e2d3adcea151a96e28

      Download Submit

    • C:\Windows\SysWOW64\Ojaelm32.exe
      Filesize

      93KB

      MD5

      5e3de4435b30222bedf4b57f6e64cb9d

      SHA1

      9206e362048553751f1292cd1f3b5ac720b02c0d

      SHA256

      05191f5a632471b39a6c1349771cf2ce74a88310e246251554c52c711566c546

      SHA512

      c6beac5cc37801996f1d13f4023187822f5fd22672b92f49ed3030cdc60cd03fbf8d21dab34a62c7c9a9600efa379b0d2482399beb898cecdbf10571cdb89c8c

      Download Submit

    • C:\Windows\SysWOW64\Ojoign32.exe
      Filesize

      93KB

      MD5

      83a55eb2fb47e25db2f50821f9ea05f6

      SHA1

      8fdf371bdc099cefe5e3a1b1ad4e1ec13afaf762

      SHA256

      a473032f8337f135756b3006917d0ee41deedaf7485184589a47d7d1ddbd7bae

      SHA512

      385e14071e13f2e9d221ca67fba6c44c1668653914e0b71f6efba52549bcef0554db0143aad2a3eea40e2aaaddf781cd3ee3d69f832edf281c2cce5bc8b05ae3

      Download Submit

    • C:\Windows\SysWOW64\Pcncpbmd.exe
      Filesize

      93KB

      MD5

      bf130a30f648125c312b998e909c0fbf

      SHA1

      3e338f2839a5bfb8a7fecbe3a2456acb503f3559

      SHA256

      ebcaa87a7b1918bfa863d884c86b6e87fc7bdf2401867c04afbed54955d689e7

      SHA512

      bcd5fe9573cf610ee8bf5c6d22dab979cf0ddcec6f6424e30d52bd76e66aa3e38cbbaeecd96f84684cba5d07c09d59233fce52c21ac444ccb6f28f606b4a4591

      Download Submit

    • C:\Windows\SysWOW64\Pcppfaka.exe
      Filesize

      93KB

      MD5

      75c35f195251ff6c6da99e5836663243

      SHA1

      4d2561fa20ac1ff5d7db7702c36da5a8233bb345

      SHA256

      c0ca690af8249aa1f4af73451108403dd336e39e364130b6e2d273b5a5c8b603

      SHA512

      c8ac321a9d194217a31efc3dce846df6649ab67152357bf51c0e82518def932aaef5f59c73653895059e9440d8a2556615a74e6e1d36efd09bacdc78cfd3af38

      Download Submit

    • C:\Windows\SysWOW64\Pdpmpdbd.exe
      Filesize

      93KB

      MD5

      becef55609e96d7f6995c3ebb66c0715

      SHA1

      734dac61aaba0fbbb6772e609d68e7d6c46dab3b

      SHA256

      02c3853a0db63b57c706035c521c664a5bd8f20180ef0dd2248506fe52b47d25

      SHA512

      69e99d39551808dc82ef9b708e926a1b65e945bfc0f845d4a91a29097626491eba131715ca74e4bafafc9b32e33d20f32c37cf8fa3be4c1ff120e7476f6cac73

      Download Submit

    • C:\Windows\SysWOW64\Pfhfan32.exe
      Filesize

      93KB

      MD5

      b3aee34ccf149757450e01a747e14bc0

      SHA1

      8513d4e02a35a99c84366e1eb45b6d78e2a35b6f

      SHA256

      4290da3e1efc6fae26297537e7861be3780bbd03a7b18dd2e34909e9617d07c6

      SHA512

      d8a92d9ee345d6d80344354f588428ee2ae701e202ee682bdd340de2af5a42df51bf600d46d102e24ddb37f15ef87a7e3d56bbcd0a007055925ce4565a720310

      Download Submit

    • C:\Windows\SysWOW64\Pfjcgn32.exe
      Filesize

      93KB

      MD5

      174b273585a68b50b89df5407c16f751

      SHA1

      56ce31597c8df2130c30f820a685e474c815398d

      SHA256

      43c63f031cd2cbd13014d7cba919405f6a3fd630a29bc771bf5b3dc7fbb4737c

      SHA512

      a0e655be69a512b73b6964feb2593bb7c94ef7a14f9af5c7d115ba49382562d2b5bc38c108ffefb78d7131d73e811b98eb2b4de2541df290857b5dee3901a4d4

      Download Submit

    • C:\Windows\SysWOW64\Pgnilpah.exe
      Filesize

      93KB

      MD5

      ef701beceeefb5daf92b370b1dbd0abf

      SHA1

      4413002862e05b6a81d250f74e621317e3212d83

      SHA256

      89650f33f1cfaa1afe8593e019730a24ac52be9b64cc026d7b0ece952871f4d6

      SHA512

      71105f082ed2d8ed1566d31bc55e683399cefaf1095de28d8c17e4b01b1ff66e730b3b54dba05fcfcb04f74f3fc92c5f1d9277ea0b6ed6b3d8a03cbec830a385

      Download Submit

    • C:\Windows\SysWOW64\Pjjhbl32.exe
      Filesize

      93KB

      MD5

      2fc330bcd2b72485bb8d18d31d0f8414

      SHA1

      c9dd05703dbcb3bb5fdf8d217138e5feddbcc2d2

      SHA256

      0558adb76f2b24b32f247b29091130f5da4404178d0a306015fee443f2f804d8

      SHA512

      8f4e1ab06c6b098f14c693c0963ba5645ccc02a4c682bccbe2623f6e6ddea1ae87ba409e91753a794e087df2673eeea7263bc8932a6635b40c764a2e1fdc310e

      Download Submit

    • C:\Windows\SysWOW64\Pmannhhj.exe
      Filesize

      93KB

      MD5

      0465663f8a48da56f1510f421f0f6698

      SHA1

      8db3aa8e1ca4e8e5b74379244c5661784ecd72e5

      SHA256

      a825b172b43474234cee3b7235c742b1317406f41744cc86aabd5c741350ed42

      SHA512

      c52064367522a2ea4972b3d3b6fb46449461a2daf5c3454c52f9ba2fd29e6c1d90e026a1b94518560289093f4366a76d1a6ae35abaecf33a193a089580bb2d53

      Download Submit

    • C:\Windows\SysWOW64\Pnakhkol.exe
      Filesize

      93KB

      MD5

      80c6e5c1f04591711c0245b81d9dbaac

      SHA1

      7ad5fdcc4235e859022eec72acfa42d5eef3b263

      SHA256

      941bf1c2ff00b767df5440c39dfe6837c4da1c121a54dc736e54a69a81a5016f

      SHA512

      0ad820c75f1bb787d66f92fbee36e0a9bbdc4596f7d726d96d82a36fc4483ddd4f2e0e32d47c663de10f3b925220756e1ab7bc043970808cf006e9bcd8b5eca4

      Download Submit

    • C:\Windows\SysWOW64\Pncgmkmj.exe
      Filesize

      93KB

      MD5

      9010d98d7cd91fefe3eb745ef823cd9f

      SHA1

      fd2ead20619c43c78fe3a7c99b2ddb63dc217ccf

      SHA256

      75d2acf9aacc4cde91f08ebdc1cf7006eda4d91b42257e70ee4ea2762daced53

      SHA512

      26aa5853eed0bff48ace22d917a11ba608af17904b6caed10c3a52b8a6f7b7b105e15da82ef785695a8bcb33e8b75c64c582cd100d4d12af1e54f89d41981fe8

      Download Submit

    • C:\Windows\SysWOW64\Pqknig32.exe
      Filesize

      93KB

      MD5

      ef5ca856f78401d245050cd2c4dbd077

      SHA1

      a0ce2c41b4a6c44a389b51a4174a7902778feba5

      SHA256

      2d4760e6afff918cb08b5baaabb1bd1d17a5b036799842c228248028e853321a

      SHA512

      6e53877e4990ceb1079ef14a0a3ff279c048178cc54c31166e58fe03c8680d20c9a18645be294e20002b7f511b185ef02016a65f0772f460cca975f4a03ffa4f

      Download Submit

    • C:\Windows\SysWOW64\Pqmjog32.exe
      Filesize

      93KB

      MD5

      adc5bfb0b22b0253227cb1c42456ce6b

      SHA1

      9855182f9f174fe14f7c7dce9e047951ce8f0dd1

      SHA256

      350ee76244cc904deec639160f2f3367339b321e3b89c1be9fc281f984afdc0e

      SHA512

      6ad67079c43086ea083709f5d59939117d99226832937eb639b67f165cc9c44043fe6e8de7e645bb9828985c50282df691166899a6583a75aa34b8990868b89a

      Download Submit

    • C:\Windows\SysWOW64\Qgqeappe.exe
      Filesize

      93KB

      MD5

      2c3bc82195494078e0ed14cb95ac5e70

      SHA1

      43a2590d6f55f60f6b37d32ac9794f90a9f36e5f

      SHA256

      00a10c5d4e1ac21df68bb76884f15a46d75ff3ba580fd4cd3dbfaa9ab2cf6a21

      SHA512

      5152372f4ca8822f72230a9351e33908f157dee3d2c8905a13ba2a7b804ea656596d7e67993ca17e099d7aae86ea27ea10470ec56abc57880068265e1cd2cbc7

      Download Submit

    • C:\Windows\SysWOW64\Qnhahj32.exe
      Filesize

      93KB

      MD5

      8da151b4c5d9ca0e263172d700109932

      SHA1

      565d9f9abb229f86275e182c0ddd231dec9dfc25

      SHA256

      aeffe6dc4b09a4610e93af00b3234c2a1925dc80ef6c88ff6ed80c426f37801f

      SHA512

      b30d120efe4abcba7f9e39c8721712b893660cf29ccc4b8d142106ac1e615cf2e225c31bdf3ae86abaf51c7363d42cd5967d43ea828d460568545dfb5eec2ca0

      Download Submit

    • C:\Windows\SysWOW64\Qqfmde32.exe
      Filesize

      93KB

      MD5

      88872016ad62170a80791548ea5f3363

      SHA1

      d3abd5ab1fdaa7494793b0ed36de038b8c16fcab

      SHA256

      69c995b7f1fbafcec8c7fd4e657ceafc26f9404d5c1b21448e53d435eec37670

      SHA512

      b066419e141d94f4807c638a9a7787786c2965b6a0c8fe213654e0df2e84f53965ea3872811bfa6585239ff2025ca29aa2fa609394cd84f7f2e558e9da3ebb2c

      Download Submit

    • C:\Windows\SysWOW64\Qqijje32.exe
      Filesize

      93KB

      MD5

      79b9392a4ece215ebcbf92d2426837f1

      SHA1

      a92670393cb4d58f952d48daa03cf037038f76f8

      SHA256

      e2914a6eafc78a9ddc1ca4af9cc6f1e30ccd97aee359ecf465edd03b5ca86516

      SHA512

      b0d6c3224b0eb390df830ed6edb5ab0f468a1b71478730b1fb15829aae32e4957fde498ca7036ff68b535f90347129b0f5e5649e02e7823be2e8b775249289dd

      Download Submit

    • memory/448-473-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/448-383-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/536-419-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/536-461-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/540-317-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/540-495-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/628-8-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/636-365-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/636-479-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/732-335-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/732-489-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/868-176-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/916-465-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/916-407-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/968-437-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/968-456-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/1132-200-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/1304-323-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/1304-493-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/1400-104-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/1524-389-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/1524-471-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/1540-120-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/1708-491-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/1708-329-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/1712-249-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/1832-16-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/1844-497-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/1844-311-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/1956-152-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/2076-56-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/2272-97-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/2288-136-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/2404-208-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/2408-256-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/2444-64-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/2488-33-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/2576-457-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/2576-431-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/2652-371-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/2652-477-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/2704-269-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/2832-224-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/2848-144-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/3060-449-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/3060-452-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/3068-160-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/3332-168-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/3512-88-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/3556-505-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/3556-287-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/3736-463-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/3736-413-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/3780-72-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/3828-501-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/3828-299-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/3844-129-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/3968-232-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/3992-395-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/3992-469-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/4072-80-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/4080-184-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/4176-481-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/4176-359-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/4288-509-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/4288-275-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/4308-41-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/4420-263-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/4436-459-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/4436-425-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/4464-507-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/4464-281-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/4568-25-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/4592-483-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/4592-353-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/4596-475-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/4596-377-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/4652-443-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/4652-453-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/4748-217-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/4808-487-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/4808-341-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/4812-240-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/4868-485-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/4868-347-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/4872-48-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/4924-503-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/4924-293-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/4960-401-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/4960-467-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/4976-305-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/4976-499-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/4992-0-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/4992-1-0x0000000000431000-0x0000000000432000-memory.dmp

      Filesize

      4KB

      Download

    • memory/5048-112-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/5052-192-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download