84aadf27b55ade8c26f3e4c7dd966511b4ac1bbdcd4b21e238feffcd7c5ce6aa

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
15/01/2024, 03:34

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5c0787efc3e6192d07195b0821da5937.exe
Size

252KB
MD5

5c0787efc3e6192d07195b0821da5937
SHA1

17cbb41c6173e5b4577aa8e6a37e04d6b2e6ab35
SHA256

84aadf27b55ade8c26f3e4c7dd966511b4ac1bbdcd4b21e238feffcd7c5ce6aa
SHA512

6ead2aeafecab20f9f6839d5cdec7522ecd87520fc95c07bba967cd0506c1d63aeb3947843beb9e8a985ea282206a707d4f475c2b0974d18f737c2fc127ead73
SSDEEP

3072:ZYUb5QoJ4g+Ri+Zj6Iz1ZdW4SrO7FSVpxj:ZY7xh6SZI4z7FSVpxj

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 54 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	wmdohhdu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	wxslypn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	wxjdwu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	wmqtsb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	woyp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	wuvrjxe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	wpfab.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	wtcyavnj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	wccgip.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	wyvpvcgl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	wakrraw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	wvn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	wsxbpf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	wrqt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	5c0787efc3e6192d07195b0821da5937.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	wlvblbge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	wyosrnfd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	wqrqao.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	wibfxrewb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	wdko.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	wim.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	wblal.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	wximvmbkh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	wqbtxsxm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	wyaob.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	wtdggg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	wfad.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	wmwbuvpp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	wfltsf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	wukaacgm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	wor.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	wgaccy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	wyuiom.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	wwqyjcwp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	wkfu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	wuqaoi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	wbsala.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	wmscglx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	wlijxqo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	whrqs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	wtxmmvh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	wjwkgsrh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	wpxyyebxx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	wvglne.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	wcxabj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	wjhiuc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	wrqptm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	wkcigm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	wqvnfs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	wjsfjm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	wqbpeusr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	weuqhq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	wqb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	whknllgxi.exe

Executes dropped EXE 54 IoCs

pid	Process
2724	wim.exe
2112	wjsfjm.exe
212	wsxbpf.exe
3168	wbsala.exe
3924	wvglne.exe
4140	wmscglx.exe
1932	wtdggg.exe
4664	wmdohhdu.exe
1104	wqrqao.exe
4148	wyvpvcgl.exe
3216	wlijxqo.exe
1912	wqbpeusr.exe
2372	wuvrjxe.exe
1936	wlvblbge.exe
4044	wfad.exe
3872	wyuiom.exe
3008	wcxabj.exe
4456	wmwbuvpp.exe
3680	wpfab.exe
4420	whrqs.exe
2500	wor.exe
4680	weuqhq.exe
1600	wxslypn.exe
4032	wqbtxsxm.exe
1556	wtxmmvh.exe
3512	wxjdwu.exe
2492	wfltsf.exe
4960	wblal.exe
1748	wibfxrewb.exe
3736	wjhiuc.exe
3208	wjwkgsrh.exe
4332	wmqtsb.exe
5036	woyp.exe
1092	wakrraw.exe
1340	wdko.exe
1436	wwqyjcwp.exe
3244	wtcyavnj.exe
2944	wrqptm.exe
4512	wgaccy.exe
4000	wuqaoi.exe
4720	wvn.exe
4672	wkcigm.exe
4032	wqb.exe
4336	wximvmbkh.exe
1556	wqvnfs.exe
3512	wpxyyebxx.exe
3580	wukaacgm.exe
920	whknllgxi.exe
3320	wrqt.exe
2832	wccgip.exe
4780	wyosrnfd.exe
3356	wyaob.exe
2204	wkfu.exe
4672	wgavmd.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\wtcyavnj.exe	wwqyjcwp.exe
File opened for modification	C:\Windows\SysWOW64\wyaob.exe	wyosrnfd.exe
File opened for modification	C:\Windows\SysWOW64\wlijxqo.exe	wyvpvcgl.exe
File opened for modification	C:\Windows\SysWOW64\wakrraw.exe	woyp.exe
File opened for modification	C:\Windows\SysWOW64\wxslypn.exe	weuqhq.exe
File created	C:\Windows\SysWOW64\wvglne.exe	wbsala.exe
File created	C:\Windows\SysWOW64\wmscglx.exe	wvglne.exe
File opened for modification	C:\Windows\SysWOW64\wvn.exe	wuqaoi.exe
File created	C:\Windows\SysWOW64\wjsfjm.exe	wim.exe
File opened for modification	C:\Windows\SysWOW64\wtdggg.exe	wmscglx.exe
File created	C:\Windows\SysWOW64\wqbpeusr.exe	wlijxqo.exe
File created	C:\Windows\SysWOW64\wmwbuvpp.exe	wcxabj.exe
File opened for modification	C:\Windows\SysWOW64\wqbtxsxm.exe	wxslypn.exe
File opened for modification	C:\Windows\SysWOW64\wrqptm.exe	wtcyavnj.exe
File opened for modification	C:\Windows\SysWOW64\wgaccy.exe	wrqptm.exe
File opened for modification	C:\Windows\SysWOW64\wccgip.exe	wrqt.exe
File opened for modification	C:\Windows\SysWOW64\wyvpvcgl.exe	wqrqao.exe
File created	C:\Windows\SysWOW64\wlijxqo.exe	wyvpvcgl.exe
File opened for modification	C:\Windows\SysWOW64\wdko.exe	wakrraw.exe
File opened for modification	C:\Windows\SysWOW64\wuqaoi.exe	wgaccy.exe
File created	C:\Windows\SysWOW64\wtdggg.exe	wmscglx.exe
File created	C:\Windows\SysWOW64\wlvblbge.exe	wuvrjxe.exe
File opened for modification	C:\Windows\SysWOW64\wim.exe	5c0787efc3e6192d07195b0821da5937.exe
File opened for modification	C:\Windows\SysWOW64\wyuiom.exe	wfad.exe
File created	C:\Windows\SysWOW64\wxjdwu.exe	wtxmmvh.exe
File opened for modification	C:\Windows\SysWOW64\wjsfjm.exe	wim.exe
File created	C:\Windows\SysWOW64\wyvpvcgl.exe	wqrqao.exe
File opened for modification	C:\Windows\SysWOW64\wrqt.exe	whknllgxi.exe
File created	C:\Windows\SysWOW64\wtxmmvh.exe	wqbtxsxm.exe
File created	C:\Windows\SysWOW64\wgaccy.exe	wrqptm.exe
File opened for modification	C:\Windows\SysWOW64\wximvmbkh.exe	wqb.exe
File opened for modification	C:\Windows\SysWOW64\wkfu.exe	wyaob.exe
File created	C:\Windows\SysWOW64\wyaob.exe	wyosrnfd.exe
File created	C:\Windows\SysWOW64\wgavmd.exe	wkfu.exe
File opened for modification	C:\Windows\SysWOW64\wibfxrewb.exe	wblal.exe
File created	C:\Windows\SysWOW64\wjhiuc.exe	wibfxrewb.exe
File created	C:\Windows\SysWOW64\wukaacgm.exe	wpxyyebxx.exe
File opened for modification	C:\Windows\SysWOW64\wmwbuvpp.exe	wcxabj.exe
File opened for modification	C:\Windows\SysWOW64\wjwkgsrh.exe	wjhiuc.exe
File created	C:\Windows\SysWOW64\wim.exe	5c0787efc3e6192d07195b0821da5937.exe
File opened for modification	C:\Windows\SysWOW64\wyosrnfd.exe	wccgip.exe
File opened for modification	C:\Windows\SysWOW64\wqbpeusr.exe	wlijxqo.exe
File opened for modification	C:\Windows\SysWOW64\wbsala.exe	wsxbpf.exe
File created	C:\Windows\SysWOW64\weuqhq.exe	wor.exe
File created	C:\Windows\SysWOW64\wuvrjxe.exe	wqbpeusr.exe
File opened for modification	C:\Windows\SysWOW64\whknllgxi.exe	wukaacgm.exe
File opened for modification	C:\Windows\SysWOW64\wjhiuc.exe	wibfxrewb.exe
File created	C:\Windows\SysWOW64\wvn.exe	wuqaoi.exe
File created	C:\Windows\SysWOW64\wximvmbkh.exe	wqb.exe
File created	C:\Windows\SysWOW64\wrqt.exe	whknllgxi.exe
File created	C:\Windows\SysWOW64\wbsala.exe	wsxbpf.exe
File opened for modification	C:\Windows\SysWOW64\wmdohhdu.exe	wtdggg.exe
File created	C:\Windows\SysWOW64\wmqtsb.exe	wjwkgsrh.exe
File opened for modification	C:\Windows\SysWOW64\wor.exe	whrqs.exe
File created	C:\Windows\SysWOW64\wfltsf.exe	wxjdwu.exe
File created	C:\Windows\SysWOW64\wmdohhdu.exe	wtdggg.exe
File opened for modification	C:\Windows\SysWOW64\wqrqao.exe	wmdohhdu.exe
File opened for modification	C:\Windows\SysWOW64\woyp.exe	wmqtsb.exe
File opened for modification	C:\Windows\SysWOW64\wqvnfs.exe	wximvmbkh.exe
File opened for modification	C:\Windows\SysWOW64\wpxyyebxx.exe	wqvnfs.exe
File opened for modification	C:\Windows\SysWOW64\wlvblbge.exe	wuvrjxe.exe
File created	C:\Windows\SysWOW64\wjwkgsrh.exe	wjhiuc.exe
File opened for modification	C:\Windows\SysWOW64\wblal.exe	wfltsf.exe
File opened for modification	C:\Windows\SysWOW64\wmqtsb.exe	wjwkgsrh.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 8 IoCs

pid	pid_target	Process	procid_target
1232	3924	WerFault.exe	108
676	1556	WerFault.exe	172
3244	2492	WerFault.exe	180
1348	3208	WerFault.exe	194
916	5036	WerFault.exe	202
3032	1340	WerFault.exe	210
4256	1556	WerFault.exe	242
2876	2204	WerFault.exe	268

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3264 wrote to memory of 2724	3264	5c0787efc3e6192d07195b0821da5937.exe	90
PID 3264 wrote to memory of 2724	3264	5c0787efc3e6192d07195b0821da5937.exe	90
PID 3264 wrote to memory of 2724	3264	5c0787efc3e6192d07195b0821da5937.exe	90
PID 3264 wrote to memory of 1932	3264	5c0787efc3e6192d07195b0821da5937.exe	92
PID 3264 wrote to memory of 1932	3264	5c0787efc3e6192d07195b0821da5937.exe	92
PID 3264 wrote to memory of 1932	3264	5c0787efc3e6192d07195b0821da5937.exe	92
PID 2724 wrote to memory of 2112	2724	wim.exe	96
PID 2724 wrote to memory of 2112	2724	wim.exe	96
PID 2724 wrote to memory of 2112	2724	wim.exe	96
PID 2724 wrote to memory of 3884	2724	wim.exe	97
PID 2724 wrote to memory of 3884	2724	wim.exe	97
PID 2724 wrote to memory of 3884	2724	wim.exe	97
PID 2112 wrote to memory of 212	2112	wjsfjm.exe	100
PID 2112 wrote to memory of 212	2112	wjsfjm.exe	100
PID 2112 wrote to memory of 212	2112	wjsfjm.exe	100
PID 2112 wrote to memory of 3936	2112	wjsfjm.exe	101
PID 2112 wrote to memory of 3936	2112	wjsfjm.exe	101
PID 2112 wrote to memory of 3936	2112	wjsfjm.exe	101
PID 212 wrote to memory of 3168	212	wsxbpf.exe	105
PID 212 wrote to memory of 3168	212	wsxbpf.exe	105
PID 212 wrote to memory of 3168	212	wsxbpf.exe	105
PID 212 wrote to memory of 5100	212	wsxbpf.exe	106
PID 212 wrote to memory of 5100	212	wsxbpf.exe	106
PID 212 wrote to memory of 5100	212	wsxbpf.exe	106
PID 3168 wrote to memory of 3924	3168	wbsala.exe	108
PID 3168 wrote to memory of 3924	3168	wbsala.exe	108
PID 3168 wrote to memory of 3924	3168	wbsala.exe	108
PID 3168 wrote to memory of 2020	3168	wbsala.exe	109
PID 3168 wrote to memory of 2020	3168	wbsala.exe	109
PID 3168 wrote to memory of 2020	3168	wbsala.exe	109
PID 3924 wrote to memory of 4140	3924	wvglne.exe	111
PID 3924 wrote to memory of 4140	3924	wvglne.exe	111
PID 3924 wrote to memory of 4140	3924	wvglne.exe	111
PID 3924 wrote to memory of 1784	3924	wvglne.exe	114
PID 3924 wrote to memory of 1784	3924	wvglne.exe	114
PID 3924 wrote to memory of 1784	3924	wvglne.exe	114
PID 4140 wrote to memory of 1932	4140	wmscglx.exe	117
PID 4140 wrote to memory of 1932	4140	wmscglx.exe	117
PID 4140 wrote to memory of 1932	4140	wmscglx.exe	117
PID 4140 wrote to memory of 920	4140	wmscglx.exe	118
PID 4140 wrote to memory of 920	4140	wmscglx.exe	118
PID 4140 wrote to memory of 920	4140	wmscglx.exe	118
PID 1932 wrote to memory of 4664	1932	wtdggg.exe	120
PID 1932 wrote to memory of 4664	1932	wtdggg.exe	120
PID 1932 wrote to memory of 4664	1932	wtdggg.exe	120
PID 1932 wrote to memory of 2236	1932	wtdggg.exe	121
PID 1932 wrote to memory of 2236	1932	wtdggg.exe	121
PID 1932 wrote to memory of 2236	1932	wtdggg.exe	121
PID 4664 wrote to memory of 1104	4664	wmdohhdu.exe	123
PID 4664 wrote to memory of 1104	4664	wmdohhdu.exe	123
PID 4664 wrote to memory of 1104	4664	wmdohhdu.exe	123
PID 4664 wrote to memory of 2172	4664	wmdohhdu.exe	124
PID 4664 wrote to memory of 2172	4664	wmdohhdu.exe	124
PID 4664 wrote to memory of 2172	4664	wmdohhdu.exe	124
PID 1104 wrote to memory of 4148	1104	wqrqao.exe	126
PID 1104 wrote to memory of 4148	1104	wqrqao.exe	126
PID 1104 wrote to memory of 4148	1104	wqrqao.exe	126
PID 1104 wrote to memory of 1020	1104	wqrqao.exe	127
PID 1104 wrote to memory of 1020	1104	wqrqao.exe	127
PID 1104 wrote to memory of 1020	1104	wqrqao.exe	127
PID 4148 wrote to memory of 3216	4148	wyvpvcgl.exe	129
PID 4148 wrote to memory of 3216	4148	wyvpvcgl.exe	129
PID 4148 wrote to memory of 3216	4148	wyvpvcgl.exe	129
PID 4148 wrote to memory of 1388	4148	wyvpvcgl.exe	130

C:\Users\Admin\AppData\Local\Temp\5c0787efc3e6192d07195b0821da5937.exe
"C:\Users\Admin\AppData\Local\Temp\5c0787efc3e6192d07195b0821da5937.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3264
- C:\Windows\SysWOW64\wim.exe
  "C:\Windows\system32\wim.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2724
- - C:\Windows\SysWOW64\wjsfjm.exe
    "C:\Windows\system32\wjsfjm.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2112
  - - C:\Windows\SysWOW64\wsxbpf.exe
      "C:\Windows\system32\wsxbpf.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:212
    - - C:\Windows\SysWOW64\wbsala.exe
        
        "C:\Windows\system32\wbsala.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3168
      - C:\Windows\SysWOW64\wvglne.exe
        
        "C:\Windows\system32\wvglne.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3924
        
        C:\Windows\SysWOW64\wmscglx.exe
        
        "C:\Windows\system32\wmscglx.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4140
        
        C:\Windows\SysWOW64\wtdggg.exe
        
        "C:\Windows\system32\wtdggg.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1932
        
        C:\Windows\SysWOW64\wmdohhdu.exe
        
        "C:\Windows\system32\wmdohhdu.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4664
        
        C:\Windows\SysWOW64\wqrqao.exe
        
        "C:\Windows\system32\wqrqao.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1104
        
        C:\Windows\SysWOW64\wyvpvcgl.exe
        
        "C:\Windows\system32\wyvpvcgl.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4148
        
        C:\Windows\SysWOW64\wlijxqo.exe
        
        "C:\Windows\system32\wlijxqo.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3216
        
        C:\Windows\SysWOW64\wqbpeusr.exe
        
        "C:\Windows\system32\wqbpeusr.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1912
        
        C:\Windows\SysWOW64\wuvrjxe.exe
        
        "C:\Windows\system32\wuvrjxe.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2372
        
        C:\Windows\SysWOW64\wlvblbge.exe
        
        "C:\Windows\system32\wlvblbge.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1936
        
        C:\Windows\SysWOW64\wfad.exe
        
        "C:\Windows\system32\wfad.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4044
        
        C:\Windows\SysWOW64\wyuiom.exe
        
        "C:\Windows\system32\wyuiom.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3872
        
        C:\Windows\SysWOW64\wcxabj.exe
        
        "C:\Windows\system32\wcxabj.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3008
        
        C:\Windows\SysWOW64\wmwbuvpp.exe
        
        "C:\Windows\system32\wmwbuvpp.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4456
        
        C:\Windows\SysWOW64\wpfab.exe
        
        "C:\Windows\system32\wpfab.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3680
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpfab.exe"
        21⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\whrqs.exe
        
        "C:\Windows\system32\whrqs.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4420
        
        C:\Windows\SysWOW64\wor.exe
        
        "C:\Windows\system32\wor.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2500
        
        C:\Windows\SysWOW64\weuqhq.exe
        
        "C:\Windows\system32\weuqhq.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4680
        
        C:\Windows\SysWOW64\wxslypn.exe
        
        "C:\Windows\system32\wxslypn.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1600
        
        C:\Windows\SysWOW64\wqbtxsxm.exe
        
        "C:\Windows\system32\wqbtxsxm.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4032
        
        C:\Windows\SysWOW64\wtxmmvh.exe
        
        "C:\Windows\system32\wtxmmvh.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1556
        
        C:\Windows\SysWOW64\wxjdwu.exe
        
        "C:\Windows\system32\wxjdwu.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3512
        
        C:\Windows\SysWOW64\wfltsf.exe
        
        "C:\Windows\system32\wfltsf.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2492
        
        C:\Windows\SysWOW64\wblal.exe
        
        "C:\Windows\system32\wblal.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4960
        
        C:\Windows\SysWOW64\wibfxrewb.exe
        
        "C:\Windows\system32\wibfxrewb.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1748
        
        C:\Windows\SysWOW64\wjhiuc.exe
        
        "C:\Windows\system32\wjhiuc.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3736
        
        C:\Windows\SysWOW64\wjwkgsrh.exe
        
        "C:\Windows\system32\wjwkgsrh.exe"
        32⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3208
        
        C:\Windows\SysWOW64\wmqtsb.exe
        
        "C:\Windows\system32\wmqtsb.exe"
        33⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4332
        
        C:\Windows\SysWOW64\woyp.exe
        
        "C:\Windows\system32\woyp.exe"
        34⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5036
        
        C:\Windows\SysWOW64\wakrraw.exe
        
        "C:\Windows\system32\wakrraw.exe"
        35⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1092
        
        C:\Windows\SysWOW64\wdko.exe
        
        "C:\Windows\system32\wdko.exe"
        36⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1340
        
        C:\Windows\SysWOW64\wwqyjcwp.exe
        
        "C:\Windows\system32\wwqyjcwp.exe"
        37⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1436
        
        C:\Windows\SysWOW64\wtcyavnj.exe
        
        "C:\Windows\system32\wtcyavnj.exe"
        38⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3244
        
        C:\Windows\SysWOW64\wrqptm.exe
        
        "C:\Windows\system32\wrqptm.exe"
        39⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2944
        
        C:\Windows\SysWOW64\wgaccy.exe
        
        "C:\Windows\system32\wgaccy.exe"
        40⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4512
        
        C:\Windows\SysWOW64\wuqaoi.exe
        
        "C:\Windows\system32\wuqaoi.exe"
        41⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4000
        
        C:\Windows\SysWOW64\wvn.exe
        
        "C:\Windows\system32\wvn.exe"
        42⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4720
        
        C:\Windows\SysWOW64\wkcigm.exe
        
        "C:\Windows\system32\wkcigm.exe"
        43⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4672
        
        C:\Windows\SysWOW64\wqb.exe
        
        "C:\Windows\system32\wqb.exe"
        44⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4032
        
        C:\Windows\SysWOW64\wximvmbkh.exe
        
        "C:\Windows\system32\wximvmbkh.exe"
        45⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4336
        
        C:\Windows\SysWOW64\wqvnfs.exe
        
        "C:\Windows\system32\wqvnfs.exe"
        46⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1556
        
        C:\Windows\SysWOW64\wpxyyebxx.exe
        
        "C:\Windows\system32\wpxyyebxx.exe"
        47⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3512
        
        C:\Windows\SysWOW64\wukaacgm.exe
        
        "C:\Windows\system32\wukaacgm.exe"
        48⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3580
        
        C:\Windows\SysWOW64\whknllgxi.exe
        
        "C:\Windows\system32\whknllgxi.exe"
        49⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:920
        
        C:\Windows\SysWOW64\wrqt.exe
        
        "C:\Windows\system32\wrqt.exe"
        50⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3320
        
        C:\Windows\SysWOW64\wccgip.exe
        
        "C:\Windows\system32\wccgip.exe"
        51⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2832
        
        C:\Windows\SysWOW64\wyosrnfd.exe
        
        "C:\Windows\system32\wyosrnfd.exe"
        52⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4780
        
        C:\Windows\SysWOW64\wyaob.exe
        
        "C:\Windows\system32\wyaob.exe"
        53⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3356
        
        C:\Windows\SysWOW64\wkfu.exe
        
        "C:\Windows\system32\wkfu.exe"
        54⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2204
        
        C:\Windows\SysWOW64\wgavmd.exe
        
        "C:\Windows\system32\wgavmd.exe"
        55⤵
        Executes dropped EXE
        
        PID:4672
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkfu.exe"
        55⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2204 -s 1672
        55⤵
        Program crash
        
        PID:2876
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyaob.exe"
        54⤵
        
        PID:3196
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyosrnfd.exe"
        53⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wccgip.exe"
        52⤵
        
        PID:1396
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrqt.exe"
        51⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whknllgxi.exe"
        50⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wukaacgm.exe"
        49⤵
        
        PID:744
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpxyyebxx.exe"
        48⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqvnfs.exe"
        47⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1556 -s 1452
        47⤵
        Program crash
        
        PID:4256
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wximvmbkh.exe"
        46⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqb.exe"
        45⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkcigm.exe"
        44⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvn.exe"
        43⤵
        
        PID:3196
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuqaoi.exe"
        42⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgaccy.exe"
        41⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrqptm.exe"
        40⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtcyavnj.exe"
        39⤵
        
        PID:4228
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwqyjcwp.exe"
        38⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdko.exe"
        37⤵
        
        PID:3924
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1340 -s 1060
        37⤵
        Program crash
        
        PID:3032
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wakrraw.exe"
        36⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woyp.exe"
        35⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5036 -s 1372
        35⤵
        Program crash
        
        PID:916
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmqtsb.exe"
        34⤵
        
        PID:3728
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjwkgsrh.exe"
        33⤵
        
        PID:1380
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3208 -s 1580
        33⤵
        Program crash
        
        PID:1348
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjhiuc.exe"
        32⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wibfxrewb.exe"
        31⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wblal.exe"
        30⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfltsf.exe"
        29⤵
        
        PID:3680
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2492 -s 116
        29⤵
        Program crash
        
        PID:3244
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxjdwu.exe"
        28⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtxmmvh.exe"
        27⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1556 -s 1208
        27⤵
        Program crash
        
        PID:676
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqbtxsxm.exe"
        26⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxslypn.exe"
        25⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\weuqhq.exe"
        24⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wor.exe"
        23⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whrqs.exe"
        22⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmwbuvpp.exe"
        20⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcxabj.exe"
        19⤵
        
        PID:4200
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyuiom.exe"
        18⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfad.exe"
        17⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlvblbge.exe"
        16⤵
        
        PID:3884
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuvrjxe.exe"
        15⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqbpeusr.exe"
        14⤵
        
        PID:744
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlijxqo.exe"
        13⤵
        
        PID:416
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyvpvcgl.exe"
        12⤵
        
        PID:1388
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqrqao.exe"
        11⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmdohhdu.exe"
        10⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtdggg.exe"
        9⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmscglx.exe"
        8⤵
        
        PID:920
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvglne.exe"
        7⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3924 -s 748
        7⤵
        Program crash
        
        PID:1232
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbsala.exe"
        6⤵
        
        PID:2020
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsxbpf.exe"
        5⤵
        
        PID:5100
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjsfjm.exe"
      4⤵
      PID:3936
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wim.exe"
    3⤵
    PID:3884
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\5c0787efc3e6192d07195b0821da5937.exe"
  2⤵
  PID:1932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3924 -ip 3924
1⤵
PID:2024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1556 -ip 1556
1⤵
PID:4872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2492 -ip 2492
1⤵
PID:1732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3208 -ip 3208
1⤵
PID:4384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 5036 -ip 5036
1⤵
PID:4992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1340 -ip 1340
1⤵
PID:1040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 1556 -ip 1556
1⤵
PID:3740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 2204 -ip 2204
1⤵
PID:2656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\wblal.exe

Filesize
253KB

MD5
bd81721907568b2aa1c84254a7f83b7d

SHA1
9a70ed567cdf9194fdd6981b99d0b1e7fdb7a81e

SHA256
0bbc8785f897e3ae9276926d8ace4a96a6538d4822cadb9c6945706c2f92cbe0

SHA512
f5e7ef27284d7e84b5351bf8304223cbf6b074dcf602ead53d1fedba4dc39a4865fb4a650c96f59bbc7ac14a378869dcb8adb162a276581f27ae8cebddeee23f

Download Submit
C:\Windows\SysWOW64\wbsala.exe

Filesize
252KB

MD5
792c447b0a0f89a11c85cfc515143f18

SHA1
c285e43ea934975c81e68015b081d210863269ab

SHA256
f4e990028e1b5421292709bfa19c1d9acb9c431e47cf710b3e9ceb5594c444cf

SHA512
02e19033f304b94a661de0164290401094de9856c0b86dc6aa829a72c483d33fee2f49aacaf2062707e736fc2c0e9fcbdfe9bffa15e9273ef01bf71a39acb05d

Download Submit
C:\Windows\SysWOW64\wcxabj.exe

Filesize
253KB

MD5
ecbb2b49a4d17d9cf97b5168928efd30

SHA1
8f4e5b0fdc0e38968ecf1c2dfc8d976a2a91e36c

SHA256
8630e91236d03d43b801bef3461baf03079da260cc176232ec640ebd0cf732bd

SHA512
9aecdbefda1fc1fa689656fa9e5e353574b2cdc5be8888b195181b904e3cd69c7ab586481bc000784df14fe5cbbbf130cab3c6f96457cae8fa0f3e46cd54c2ab

Download Submit
C:\Windows\SysWOW64\weuqhq.exe

Filesize
253KB

MD5
fbdddbf0247555d5d62e57a8243533f1

SHA1
e8a5b6c1268aab8589b335ad9247bfdf968d01b2

SHA256
34294769cc59d7cd96dae3ac9d08d5981db729979429c749e4433c5576d5f75d

SHA512
5c1f2063f0f65c6ab505d19666697d2c0cb6b3cefb79ff57acf8edb45515cb59f0523c059878faa78f39c2bf7ed69d753d09da06768e8bdcfbb1ea241caa4f9e

Download Submit
C:\Windows\SysWOW64\wfad.exe

Filesize
253KB

MD5
bc6b3b2cdf5596a5536fc607b6bb39a1

SHA1
b1bc32b0448de80fd0f8e51ef8e08e79496ad3c3

SHA256
96b5df9f1c81d18013b5804c8bcf297402b3e6d902b6824e510f9a80a045ea3a

SHA512
b04196b452d138f471d80f5de4ef9c33b47f9337dd6ca6128be3bf655f34716a54351cf18ce175b71a0831fe534495580392e873cec680e0ce42b4918390ef12

Download Submit
C:\Windows\SysWOW64\wfltsf.exe

Filesize
253KB

MD5
dae0edb47d4ff9f97eff8efc69cc3854

SHA1
3befc3499b6b4e0f64a08cff5a5ac58dc5ce3233

SHA256
41d16d426d3f2fda69d636826f34aa23fde403aa34ef4a79d772e90c19ab56d5

SHA512
61d630034fc9a41790f8754f2e98e9a4fb90fe72f7d1d602493cdf78519fa224b9ccfb640a683d172b23369b2ef493de92cf25e835dd08ddcdfee311dd096121

Download Submit
C:\Windows\SysWOW64\whrqs.exe

Filesize
253KB

MD5
6e57fe98008b913797aef9b040ea970d

SHA1
f93f841876b1b6b1e8a3a589e2717f2b34ef71f7

SHA256
c7ae352415c722941c2b4bd154d5e5d99a5a70ec049bc55b6ca9e046569eb483

SHA512
46d641e0e80935c5592c90c77f696530bf41642813234180348343b0968a7fafdbbca8e9dc82d259dedc54e17f383c8807e43ea5369bc193fb268cc2bfa4e0c3

Download Submit
C:\Windows\SysWOW64\wibfxrewb.exe

Filesize
253KB

MD5
e8f37455cf9fb726b68129037891ee92

SHA1
772ed346675ee566458989c9ed3ef69694df1183

SHA256
c3c405f636a849df1de55f35e088e9d6a6858fe64b5bc5e18017f2a7fa4c21a7

SHA512
a39eb3ec6368e0df32a9363c86d73401904e1e2381da5c219bb63c54b7d9b1e2bfa5465df5e439411d1b157da135f62a03c51e6333ddb89f11dbba33d02e97f7

Download Submit
C:\Windows\SysWOW64\wim.exe

Filesize
252KB

MD5
15f9be7f7259e19ede1e92115a21422b

SHA1
3c73d67b60e32582136d0c57456bdcdb01b313cd

SHA256
130c314489d89c896ca218a915f7353c79fe03563113bc23924fb20fbcaf18ac

SHA512
78d685a8c33584b2eb0b20058c7fbfd4c3742564fe54fff57dfc72f6bca794b70bb9cf6aea0acb2c371b9fde7263a159fd96c9498eeb4f17c6541918219e0ebb

Download Submit
C:\Windows\SysWOW64\wjhiuc.exe

Filesize
253KB

MD5
eb74df3fca17f47c72ad6bb0989dc1a6

SHA1
a7becfb17744956685fe25b45a80235f7c11d82f

SHA256
9b2f0b65c118534fc2d97fba85c4a203308e34de82b7354c42ba7232cc98cfe7

SHA512
d2ca8f81055c08ed5b5c9c9c8c74e505484491de53a5b606616ab9878af332f22136de1250f2cc4a02264f49b6ee9d20e9bd9487849a3309a17f0e27be19cf65

Download Submit
C:\Windows\SysWOW64\wjsfjm.exe

Filesize
252KB

MD5
daa29f5280fc67cc217a99c8c569b149

SHA1
65210b1ac26e8652f2a4b404a3c25925663fb2a2

SHA256
7ded2d59440c65345ea382203883abc53ab78cdbf46b425f32ff05dd6bed8cb4

SHA512
a7f11a2ce0126ef5bf1d12a39d560a2fd8b13c038536817f7e09ebca134bc2a286a1ca55ba2ecc680d2cf2854a0d5d4c5a09b3d5d6f10d3c1b7d66df5a19e1bb

Download Submit
C:\Windows\SysWOW64\wjwkgsrh.exe

Filesize
253KB

MD5
42ed1562f551d1ef9a6a13bf91b31c09

SHA1
3e86c3cab802503a43fb4ec19c63e4e97f79832e

SHA256
ee14ce09ded9ec3fbfe863a5d737d73ddb0571e8f4eb675685740ddffd748cd8

SHA512
6b7bf7ab343b750b474456882ff7f221b18b1fb37c1c369fbdd8e31b44e36db24eb4b38a7e3f07c67531abd202663e34031e025344d2c7affa4c075b121ad35d

Download Submit
C:\Windows\SysWOW64\wlijxqo.exe

Filesize
253KB

MD5
b058dfd3a11ecb67ea859768d2864bde

SHA1
35cec22da905274ff42e96277e4dd9848e7cac41

SHA256
51310b018e9b245b094abb61c4209aeb2e7509d45a6a312db27789383d237645

SHA512
b1014b504d654c067077d8da9f7d5a162ea26e65097d0ce90cc5f8683a92e2c503657e486b66137b9557e78c1c3600d7616d72b27157d7624c38f3080c36104d

Download Submit
C:\Windows\SysWOW64\wlvblbge.exe

Filesize
253KB

MD5
c6e3f3933c06825e6470fcdc6f1d0217

SHA1
51cc1bf69c6a11d4102c7c56433e252f47a5be5d

SHA256
dd9af5a74f2a8136df5c8580bf374e75fec1d3ea8611523ee1155c648810a5d8

SHA512
62acf9114c4a7c5a5eba5002addad0113fd2c45c414dfabc858c78b8bd2850fe4de0aecde16e5b0bcba154fd093c60c2a60bf69192ae2d19968ec9fff0032bdc

Download Submit
C:\Windows\SysWOW64\wmdohhdu.exe

Filesize
252KB

MD5
5334909838c5b8ed21ead1e0c517f9b1

SHA1
7904d993eba04b041be312b0f5659a72adece2a5

SHA256
828ddfc88826f532eb83efb78e029fc604fff0cacf6ff9300fa93e22b80f0e87

SHA512
4ee9dcb030e8da7e3ee9006dee84260c983f787b75749ef83899349b26970675294b80876c1039881dec58d37fae2e39c5571b7819510d519ac96b714c29ef81

Download Submit
C:\Windows\SysWOW64\wmqtsb.exe

Filesize
253KB

MD5
50e83b3c2e84afa63a4a4f14f60b0c83

SHA1
ca53dfae4fd17532ac78e343b90654e55f7b01b9

SHA256
ea9f63fb147e11ee2e1ed0ec95075cd17e26c0f792cb02a17990cee35d655028

SHA512
4b4a11c22c49fe9304177149c47c206f1f422f7496660b6353249b72454d22b5b6b08d5d3071bc6858018f49f70161bc8384b16ca8e23ff997d4acf3628dc24a

Download Submit
C:\Windows\SysWOW64\wmscglx.exe

Filesize
252KB

MD5
367a64e287cd3da60862a65854667840

SHA1
4fdacc0f8d0aaf94d4ec2e14a7531faa443d6ee1

SHA256
18a374d0168f42c06fab500ec1f6dc4a7f8cf0412862e6c19860022f3b13146e

SHA512
5b443e80b9682ca299604da7ded1fa2d8351ce27dd52534acdbab583fdc40fc82638625705db2a5edbbd7a6daaaf54ff279971b1d5105a843b4bf220bcfe75cc

Download Submit
C:\Windows\SysWOW64\wmwbuvpp.exe

Filesize
253KB

MD5
6260023c4750f2be8b3b4a3e6bb3ed43

SHA1
62294d03eae7b405086d644048f3e58780808f88

SHA256
b5197ca71c92642f3f60db949dc9ebff0a382b7bba8a6417fdec42adf9f9eb49

SHA512
990fc403fb3cca7975ce9eab528a0c7c75ba8bdd7da4ab6410ad0051acc94fed9954c081d69608407647e038767ba225ce5a171117f29cddef64de70bf5571fe

Download Submit
C:\Windows\SysWOW64\wor.exe

Filesize
253KB

MD5
2b601111e1ea2d0f33509762d8695ab6

SHA1
a3231e2c8db57dde5bf19bbd39af74962a605278

SHA256
598278dceb1f4b0ba64bc9b11bfd4588054bbcd88b3c23d9a996365f04279407

SHA512
17b0765248a23949d612713689bf0dc5f07e38c5d507aaa8120e140539d301655652029cf4b05cae5c5a640881590f7723a3118e7d1c1d1b79d2556767283180

Download Submit
C:\Windows\SysWOW64\wpfab.exe

Filesize
253KB

MD5
21d3079801b42fadadf869fa3f58444b

SHA1
19f60bc65c2dfdd90b47c4e4855ac95ee652ec75

SHA256
64cdf5e13472937fe0e63052e2d3aecb5c053141c9dc5ea602c24f9edb01fef4

SHA512
8a3a04a037a870b51e14e9e2935897a84693269ac7aff9ff2f047e01f1d39cb0c9f5d9a90140bad3286bb63c969ad856d240c9f9554eae2e6c4062fb6c41cb02

Download Submit
C:\Windows\SysWOW64\wqbpeusr.exe

Filesize
253KB

MD5
eed1c517613b984213dab32ed92bdb33

SHA1
cfc16400d7b85be34bed33f45395170da829e1b5

SHA256
0f84f7eb1d042a376d74e9f6adad9cc39146ca49fbe9dcbacf2f8cd909010c05

SHA512
6414675e816367252158bb1e8e029fde5d60addfbb2e1df59c9ca55a57f2b88154ee0addeaa8401b8dfebf782fc11a242b534dbc06ab6ec8c0c32082c4b5f610

Download Submit
C:\Windows\SysWOW64\wqbtxsxm.exe

Filesize
253KB

MD5
81e6043de9cc3ae10ba278dcd3b113ff

SHA1
27617a1c66ae402c55067b956af0b7e633769093

SHA256
d64970f86522a0b90b0b564793a1c3e952c6a799fb51e03d48779055f858651a

SHA512
f5f24a982174fe8de1f9adb7ca6bee8e950e35f286fc995ed8ac205652caa96dcd6b6e00b8011787b61e1f6c92e028a54ce800b34433c4e7882fb20b9608daed

Download Submit
C:\Windows\SysWOW64\wqrqao.exe

Filesize
253KB

MD5
109704c14bc1514d52751ca6b178d21b

SHA1
617d5b41fb324dc664efa1cb7e94b7ed04ea0f00

SHA256
6a790d7d9217f9ac029422d91150c5a3cdf680751242a85c240562e4f4c7cb74

SHA512
68708d901a6d3caf7ae139c67e3af5038919ae05340a3a6d8574c68bde32a0a61b691b2d9d6b34c1418cb1c51a2bec7752d54c653e3711152df05772e5d0137d

Download Submit
C:\Windows\SysWOW64\wsxbpf.exe

Filesize
252KB

MD5
f832f5cc7a9c5702b3b7fd35e88a3975

SHA1
99ff7d431b056cf885c7ea734b3f19e0b0b034c7

SHA256
674f55e6386e6344c4c076eb079033345df17c9fe26987ef511737b6ee1c6f6c

SHA512
082e7444f5c2a9dc862ef8e47199f3541152b4f58e77fb751a278e8cafae6ea223f9599aa54c5007abef9246d462fbba103037209de3cec03810867c15b199e7

Download Submit
C:\Windows\SysWOW64\wtdggg.exe

Filesize
252KB

MD5
39782f43d34ff7975036f2b0284d5052

SHA1
da34116a52c82902cfe15b92680180a72afa6085

SHA256
d1391815a145629f03ecb38fd8072281cbdef9df740095095877cd6a1b7dcd4c

SHA512
5c93400ffde3e4e006a90ac64edb172d7a273bdd3b61816ee6ffe402657656c3ecf4e4e7cb49c3f111d32821ad76576130339ccf2fdcc5963c7d01b8979222c2

Download Submit
C:\Windows\SysWOW64\wtxmmvh.exe

Filesize
253KB

MD5
bd267dc846504473ddfa04b331c21420

SHA1
58e5ee160c0d1b339a261820390a3392d49caecd

SHA256
968a8b44f4c0efcfcc0251a4e3c00169505ddfb8613e7862e90b8fd8b87686b9

SHA512
a776b168777afc87659362fe0b52724369ff0b155596de80cf352fa3db40de87684fa6f96af4ea8ca42c401d58efc91ad3c37a89eac8dc2643a96a4246ff9bdc

Download Submit
C:\Windows\SysWOW64\wuvrjxe.exe

Filesize
253KB

MD5
65d023bfe6faf50186d48ebd253167d0

SHA1
339c1a692d2b87707f67c7e43588155a366a4d2f

SHA256
7ed43e4be4388feee566c3e3e803498c5b45b9a72bc2a262e2d72a04373eed45

SHA512
b3edbb2ace971745efb9eb2628935beaa9523bfa2a7e434754223e5395f4d72239c824bc1fd58a7254bc4303c1a755a390d62f96e2b87aee73e4d46e9aa04b2b

Download Submit
C:\Windows\SysWOW64\wvglne.exe

Filesize
252KB

MD5
12c7992d953bfaf9766c08247339a9c4

SHA1
913965e1ca764cd19dff378e603cac3196b93e6a

SHA256
f97c95efc1316af09596c528149c06b0c974fb1800f075a268e042500214be48

SHA512
d2ba9c1502011a3eff890cce6f22798a099503387583e8ea7242cb0ee6b6949045823d8846a950dd8db5669c34da6a6dde65a0fce2d65ae90cb734ca721c10ba

Download Submit
C:\Windows\SysWOW64\wxjdwu.exe

Filesize
253KB

MD5
e3107ffee9eabaa430bf5a9089963f8f

SHA1
62e1a44aec653e5d37afeffc7dd31d14d90912ad

SHA256
42ac0940cb9e34daedcf0a8c34974df09df147caeb47bda2e3540859003f72a4

SHA512
21e792ebe3561a463b8f06e60bc7f1db760c653803357c78714cb2d6ffedc5d4218a0bb60780fdbaaa9401d3675160d0bd5a46323fa733de1c250c43fda8ed2a

Download Submit
C:\Windows\SysWOW64\wxslypn.exe

Filesize
253KB

MD5
77af939c756ce7826c02e82521f85bc3

SHA1
ab87b9f49ebd36d723f446cb807326c79fad4186

SHA256
57d5b3b0c5cc721f14dbf17cea530fb94c7299ed07253ad21d108967a97c2c1d

SHA512
9d912d3e07eb8e6b30d0834a6983655e49fccbc182d3f6899305442b7fc72e875e30d6b3de9c6bd6482bb8d4495739952f2885cb421d34ad7f3129515d820f2d

Download Submit
C:\Windows\SysWOW64\wyuiom.exe

Filesize
253KB

MD5
a6a80977970bceb5208a5e5b944fcc88

SHA1
e43c03b7b0d1456971cc1fd965563170146f10bb

SHA256
d45b1f2e1b55a2bd6ca6b6a807b4776e464dfc51e115421daa2e89f12ce34da3

SHA512
f68d2d90802fb204334b913f4af8be9521783fbc6a3f1d89b31d7177694516c4a3c55fc4a7c4d079a080b94f2ac423647c95723bc2a89d6db5c539c56a724543

Download Submit
C:\Windows\SysWOW64\wyuiom.exe

Filesize
119KB

MD5
e658f889a03533ccb77254072a1e09cd

SHA1
f4444c3cc12c59dd9336f7bab20ebf6e973292a1

SHA256
41dfaaf969ffe80b08b63695cb02a2b60c6cc6b4095f37d5d11a44b94462b9cc

SHA512
d0432a5cdad9dc87b366c9f48dd30622b94f065c7f0cd6a9154c069bc89e5c0aca56df923df96e075ea64b5bb9a7eae6fa15b9dcb0e6210df9e3db5e212da558

Download Submit
C:\Windows\SysWOW64\wyvpvcgl.exe

Filesize
253KB

MD5
73d8c3703a8aa0263598e9f7183bb302

SHA1
7f665b961797084f5d446b231b398ee7e00a05e9

SHA256
62241afb18a7e72ce379a9f66cf994c14d8bd136c39f2cc44736f9fb4daec82f

SHA512
980fb0764c6a4728223d49983a095c9915683f116970d9d2dc5ed7e25c325fb54c636f159a6547bb9ecebbfc864f2d27b55ce92fc9e0b85ad696cfa7873a8c9c

Download Submit
memory/212-43-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/212-31-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1092-366-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1092-356-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1104-96-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1104-108-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1340-375-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1340-365-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1436-383-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1436-374-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1556-276-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1600-256-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1748-319-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1912-140-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1912-128-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1932-86-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1932-74-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1936-160-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2112-32-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2372-150-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2372-139-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2492-297-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2500-223-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2500-235-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2724-21-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2724-10-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2944-399-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3008-192-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3008-181-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3168-53-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3208-329-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3208-340-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3216-129-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3244-391-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3264-0-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3264-11-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3512-286-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3680-202-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3680-213-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3736-318-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3736-330-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3872-182-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3872-170-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3924-64-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4000-416-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4032-255-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4032-266-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4044-171-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4140-63-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4140-75-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4148-118-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4148-107-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4332-348-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4420-224-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4456-203-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4512-407-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4664-85-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4664-97-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4672-424-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4680-234-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4680-245-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4960-307-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4960-296-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/5036-357-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download