9e89ecd28be4d6a18d526770d2e14048760678b2fb0fe6883e6335090140f28a

Analysis

max time kernel
151s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
28/01/2024, 20:50

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

7df70632ef1710871eaeeb9fb98e0c28.exe
Size

251KB
MD5

7df70632ef1710871eaeeb9fb98e0c28
SHA1

3a2390b2495ac6f0eb3336af04cba49ad1134a77
SHA256

9e89ecd28be4d6a18d526770d2e14048760678b2fb0fe6883e6335090140f28a
SHA512

2f70600a5200f95f31488dd12d06dd31e3dd67d70501732514e5908eebc5edfd4cc1a6a90a26099186816b8ebf16eebb7b932442f2a1eba1d7bb45f1f50af99e
SSDEEP

3072:ZYUb5QoJ4g+Ri+Zj6Iz1ZdW4SrO7FSVp6:ZY7xh6SZI4z7FSVp6

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	wjolemd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	wvakth.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	wylsmw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	wnktsk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	wxeetu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	wcoar.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	wifbc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	wrif.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	worcpqtb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	wsgbu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	wnwksng.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	wqcrdt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	wxekcsun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	wukninl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	whqfbq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	wnbeobs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	wjulcpe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	wpwutsal.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	wdye.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	wap.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	wojkj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	waaop.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	wrrx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	wyalmhe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	wnmbghw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	whvhpgwa.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	wguvy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	wgyvdj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	wdjcs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	7df70632ef1710871eaeeb9fb98e0c28.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	wwupxt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	wsej.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	wqeoxw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	wnofbf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	wuqdxekho.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	wwrln.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	wxpegfs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	wlwhpw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	wjqs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	wejab.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	wcsfvih.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	wspq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	wkcxbnso.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	wgncuveo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	wdmjk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	woxwylr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	wark.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	wuw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	wuuqhe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	wplftx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	wyg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	wgqwpjr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	wffeuorx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	wujbptei.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	wuelycf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	wojooto.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	wiumcv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	wvtcmwu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	wnghvj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	wmovidaq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	wqgepbmj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	wwx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	wbeoip.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	wxqok.exe

Executes dropped EXE 64 IoCs

pid	Process
3456	wuqdxekho.exe
4720	whvhpgwa.exe
4728	wujbptei.exe
1292	wukninl.exe
1516	wwrln.exe
3132	wplftx.exe
4248	wuelycf.exe
3888	whqfbq.exe
1592	wcoar.exe
4536	wkcxbnso.exe
3912	wap.exe
4692	wojkj.exe
1192	wxpegfs.exe
2272	wiumcv.exe
1864	waaop.exe
556	wvtcmwu.exe
2204	wwx.exe
1796	wojooto.exe
3484	wnghvj.exe
2732	wjolemd.exe
1768	worcpqtb.exe
2880	wejab.exe
2452	wyg.exe
5008	wifbc.exe
5016	wrrx.exe
3476	wwupxt.exe
1836	wvakth.exe
4348	wnwksng.exe
3280	wnbeobs.exe
4716	wbeoip.exe
5036	wsej.exe
3048	woxwylr.exe
3500	wguvy.exe
1820	wrif.exe
3152	wyalmhe.exe
4224	wylsmw.exe
3508	wnmbghw.exe
1944	wxqok.exe
2712	wcsfvih.exe
4484	wqcrdt.exe
2768	wnktsk.exe
4036	wqeoxw.exe
2500	wgyvdj.exe
2492	wjulcpe.exe
1140	wark.exe
412	wsgbu.exe
4772	wnofbf.exe
4108	wlwhpw.exe
4232	wgncuveo.exe
1352	wgqwpjr.exe
3496	wjqs.exe
2892	wuw.exe
5048	wxekcsun.exe
1492	wmovidaq.exe
3936	wuuqhe.exe
3920	wqgepbmj.exe
2928	wdmjk.exe
4288	wdjcs.exe
2588	wpwutsal.exe
3488	wdye.exe
764	wffeuorx.exe
820	wxeetu.exe
1980	wspq.exe
2596	wnnmtr.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\wxeetu.exe	wffeuorx.exe
File opened for modification	C:\Windows\SysWOW64\wguvy.exe	woxwylr.exe
File opened for modification	C:\Windows\SysWOW64\wrif.exe	wguvy.exe
File created	C:\Windows\SysWOW64\wgyvdj.exe	wqeoxw.exe
File opened for modification	C:\Windows\SysWOW64\wuelycf.exe	wplftx.exe
File created	C:\Windows\SysWOW64\wcoar.exe	whqfbq.exe
File created	C:\Windows\SysWOW64\wrrx.exe	wifbc.exe
File opened for modification	C:\Windows\SysWOW64\woxwylr.exe	wsej.exe
File created	C:\Windows\SysWOW64\wiumcv.exe	wxpegfs.exe
File created	C:\Windows\SysWOW64\wjolemd.exe	wnghvj.exe
File opened for modification	C:\Windows\SysWOW64\wsej.exe	wbeoip.exe
File created	C:\Windows\SysWOW64\wpwutsal.exe	wdjcs.exe
File opened for modification	C:\Windows\SysWOW64\wujbptei.exe	whvhpgwa.exe
File created	C:\Windows\SysWOW64\wxekcsun.exe	wuw.exe
File created	C:\Windows\SysWOW64\wdjcs.exe	wdmjk.exe
File created	C:\Windows\SysWOW64\wgqwpjr.exe	wgncuveo.exe
File opened for modification	C:\Windows\SysWOW64\wspq.exe	wxeetu.exe
File created	C:\Windows\SysWOW64\wukninl.exe	wujbptei.exe
File created	C:\Windows\SysWOW64\wyg.exe	wejab.exe
File opened for modification	C:\Windows\SysWOW64\wrrx.exe	wifbc.exe
File created	C:\Windows\SysWOW64\wsgbu.exe	wark.exe
File created	C:\Windows\SysWOW64\wxeetu.exe	wffeuorx.exe
File created	C:\Windows\SysWOW64\worcpqtb.exe	wjolemd.exe
File created	C:\Windows\SysWOW64\wmovidaq.exe	wxekcsun.exe
File opened for modification	C:\Windows\SysWOW64\wdye.exe	wpwutsal.exe
File created	C:\Windows\SysWOW64\wgncuveo.exe	wlwhpw.exe
File created	C:\Windows\SysWOW64\wwrln.exe	wukninl.exe
File opened for modification	C:\Windows\SysWOW64\wylsmw.exe	wyalmhe.exe
File created	C:\Windows\SysWOW64\wcsfvih.exe	wxqok.exe
File opened for modification	C:\Windows\SysWOW64\wnktsk.exe	wqcrdt.exe
File opened for modification	C:\Windows\SysWOW64\whvhpgwa.exe	wuqdxekho.exe
File opened for modification	C:\Windows\SysWOW64\wnofbf.exe	wsgbu.exe
File opened for modification	C:\Windows\SysWOW64\wlwhpw.exe	wnofbf.exe
File created	C:\Windows\SysWOW64\wuw.exe	wjqs.exe
File opened for modification	C:\Windows\SysWOW64\waaop.exe	wiumcv.exe
File created	C:\Windows\SysWOW64\wnghvj.exe	wojooto.exe
File created	C:\Windows\SysWOW64\wnktsk.exe	wqcrdt.exe
File created	C:\Windows\SysWOW64\wjqs.exe	wgqwpjr.exe
File opened for modification	C:\Windows\SysWOW64\wukninl.exe	wujbptei.exe
File opened for modification	C:\Windows\SysWOW64\wnmbghw.exe	wylsmw.exe
File opened for modification	C:\Windows\SysWOW64\wiumcv.exe	wxpegfs.exe
File created	C:\Windows\SysWOW64\wylsmw.exe	wyalmhe.exe
File opened for modification	C:\Windows\SysWOW64\wqeoxw.exe	wnktsk.exe
File opened for modification	C:\Windows\SysWOW64\wyalmhe.exe	wrif.exe
File opened for modification	C:\Windows\SysWOW64\wgyvdj.exe	wqeoxw.exe
File created	C:\Windows\SysWOW64\wuqdxekho.exe	7df70632ef1710871eaeeb9fb98e0c28.exe
File created	C:\Windows\SysWOW64\whqfbq.exe	wuelycf.exe
File created	C:\Windows\SysWOW64\wxpegfs.exe	wojkj.exe
File opened for modification	C:\Windows\SysWOW64\wbeoip.exe	wnbeobs.exe
File opened for modification	C:\Windows\SysWOW64\wmovidaq.exe	wxekcsun.exe
File created	C:\Windows\SysWOW64\wyalmhe.exe	wrif.exe
File opened for modification	C:\Windows\SysWOW64\wojkj.exe	wap.exe
File opened for modification	C:\Windows\SysWOW64\wxpegfs.exe	wojkj.exe
File opened for modification	C:\Windows\SysWOW64\wyg.exe	wejab.exe
File opened for modification	C:\Windows\SysWOW64\wifbc.exe	wyg.exe
File created	C:\Windows\SysWOW64\wojooto.exe	wwx.exe
File opened for modification	C:\Windows\SysWOW64\wojooto.exe	wwx.exe
File opened for modification	C:\Windows\SysWOW64\wejab.exe	worcpqtb.exe
File created	C:\Windows\SysWOW64\wnnmtr.exe	wspq.exe
File opened for modification	C:\Windows\SysWOW64\wjqs.exe	wgqwpjr.exe
File opened for modification	C:\Windows\SysWOW64\wuuqhe.exe	wmovidaq.exe
File created	C:\Windows\SysWOW64\whvhpgwa.exe	wuqdxekho.exe
File opened for modification	C:\Windows\SysWOW64\wxqok.exe	wnmbghw.exe
File opened for modification	C:\Windows\SysWOW64\wgncuveo.exe	wlwhpw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 6 IoCs

pid	pid_target	Process	procid_target
2240	3888	WerFault.exe	113
3940	1192	WerFault.exe	132
3784	1820	WerFault.exe	197
4984	4484	WerFault.exe	217
1240	4772	WerFault.exe	240
1740	4772	WerFault.exe	240

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1388 wrote to memory of 3456	1388	7df70632ef1710871eaeeb9fb98e0c28.exe	84
PID 1388 wrote to memory of 3456	1388	7df70632ef1710871eaeeb9fb98e0c28.exe	84
PID 1388 wrote to memory of 3456	1388	7df70632ef1710871eaeeb9fb98e0c28.exe	84
PID 1388 wrote to memory of 3484	1388	7df70632ef1710871eaeeb9fb98e0c28.exe	86
PID 1388 wrote to memory of 3484	1388	7df70632ef1710871eaeeb9fb98e0c28.exe	86
PID 1388 wrote to memory of 3484	1388	7df70632ef1710871eaeeb9fb98e0c28.exe	86
PID 3456 wrote to memory of 4720	3456	wuqdxekho.exe	88
PID 3456 wrote to memory of 4720	3456	wuqdxekho.exe	88
PID 3456 wrote to memory of 4720	3456	wuqdxekho.exe	88
PID 3456 wrote to memory of 3492	3456	wuqdxekho.exe	89
PID 3456 wrote to memory of 3492	3456	wuqdxekho.exe	89
PID 3456 wrote to memory of 3492	3456	wuqdxekho.exe	89
PID 4720 wrote to memory of 4728	4720	whvhpgwa.exe	93
PID 4720 wrote to memory of 4728	4720	whvhpgwa.exe	93
PID 4720 wrote to memory of 4728	4720	whvhpgwa.exe	93
PID 4720 wrote to memory of 3656	4720	whvhpgwa.exe	94
PID 4720 wrote to memory of 3656	4720	whvhpgwa.exe	94
PID 4720 wrote to memory of 3656	4720	whvhpgwa.exe	94
PID 4728 wrote to memory of 1292	4728	wujbptei.exe	98
PID 4728 wrote to memory of 1292	4728	wujbptei.exe	98
PID 4728 wrote to memory of 1292	4728	wujbptei.exe	98
PID 4728 wrote to memory of 1768	4728	wujbptei.exe	99
PID 4728 wrote to memory of 1768	4728	wujbptei.exe	99
PID 4728 wrote to memory of 1768	4728	wujbptei.exe	99
PID 1292 wrote to memory of 1516	1292	wukninl.exe	102
PID 1292 wrote to memory of 1516	1292	wukninl.exe	102
PID 1292 wrote to memory of 1516	1292	wukninl.exe	102
PID 1292 wrote to memory of 1300	1292	wukninl.exe	103
PID 1292 wrote to memory of 1300	1292	wukninl.exe	103
PID 1292 wrote to memory of 1300	1292	wukninl.exe	103
PID 1516 wrote to memory of 3132	1516	wwrln.exe	105
PID 1516 wrote to memory of 3132	1516	wwrln.exe	105
PID 1516 wrote to memory of 3132	1516	wwrln.exe	105
PID 1516 wrote to memory of 2500	1516	wwrln.exe	106
PID 1516 wrote to memory of 2500	1516	wwrln.exe	106
PID 1516 wrote to memory of 2500	1516	wwrln.exe	106
PID 3132 wrote to memory of 4248	3132	wplftx.exe	110
PID 3132 wrote to memory of 4248	3132	wplftx.exe	110
PID 3132 wrote to memory of 4248	3132	wplftx.exe	110
PID 3132 wrote to memory of 3936	3132	wplftx.exe	112
PID 3132 wrote to memory of 3936	3132	wplftx.exe	112
PID 3132 wrote to memory of 3936	3132	wplftx.exe	112
PID 4248 wrote to memory of 3888	4248	wuelycf.exe	113
PID 4248 wrote to memory of 3888	4248	wuelycf.exe	113
PID 4248 wrote to memory of 3888	4248	wuelycf.exe	113
PID 4248 wrote to memory of 216	4248	wuelycf.exe	114
PID 4248 wrote to memory of 216	4248	wuelycf.exe	114
PID 4248 wrote to memory of 216	4248	wuelycf.exe	114
PID 3888 wrote to memory of 1592	3888	whqfbq.exe	116
PID 3888 wrote to memory of 1592	3888	whqfbq.exe	116
PID 3888 wrote to memory of 1592	3888	whqfbq.exe	116
PID 3888 wrote to memory of 4496	3888	whqfbq.exe	117
PID 3888 wrote to memory of 4496	3888	whqfbq.exe	117
PID 3888 wrote to memory of 4496	3888	whqfbq.exe	117
PID 1592 wrote to memory of 4536	1592	wcoar.exe	123
PID 1592 wrote to memory of 4536	1592	wcoar.exe	123
PID 1592 wrote to memory of 4536	1592	wcoar.exe	123
PID 1592 wrote to memory of 3600	1592	wcoar.exe	124
PID 1592 wrote to memory of 3600	1592	wcoar.exe	124
PID 1592 wrote to memory of 3600	1592	wcoar.exe	124
PID 4536 wrote to memory of 3912	4536	wkcxbnso.exe	126
PID 4536 wrote to memory of 3912	4536	wkcxbnso.exe	126
PID 4536 wrote to memory of 3912	4536	wkcxbnso.exe	126
PID 4536 wrote to memory of 2732	4536	wkcxbnso.exe	127

C:\Users\Admin\AppData\Local\Temp\7df70632ef1710871eaeeb9fb98e0c28.exe
"C:\Users\Admin\AppData\Local\Temp\7df70632ef1710871eaeeb9fb98e0c28.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1388
- C:\Windows\SysWOW64\wuqdxekho.exe
  "C:\Windows\system32\wuqdxekho.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3456
- - C:\Windows\SysWOW64\whvhpgwa.exe
    "C:\Windows\system32\whvhpgwa.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:4720
  - - C:\Windows\SysWOW64\wujbptei.exe
      "C:\Windows\system32\wujbptei.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:4728
    - - C:\Windows\SysWOW64\wukninl.exe
        
        "C:\Windows\system32\wukninl.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1292
      - C:\Windows\SysWOW64\wwrln.exe
        
        "C:\Windows\system32\wwrln.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1516
        
        C:\Windows\SysWOW64\wplftx.exe
        
        "C:\Windows\system32\wplftx.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3132
        
        C:\Windows\SysWOW64\wuelycf.exe
        
        "C:\Windows\system32\wuelycf.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4248
        
        C:\Windows\SysWOW64\whqfbq.exe
        
        "C:\Windows\system32\whqfbq.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3888
        
        C:\Windows\SysWOW64\wcoar.exe
        
        "C:\Windows\system32\wcoar.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1592
        
        C:\Windows\SysWOW64\wkcxbnso.exe
        
        "C:\Windows\system32\wkcxbnso.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4536
        
        C:\Windows\SysWOW64\wap.exe
        
        "C:\Windows\system32\wap.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3912
        
        C:\Windows\SysWOW64\wojkj.exe
        
        "C:\Windows\system32\wojkj.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4692
        
        C:\Windows\SysWOW64\wxpegfs.exe
        
        "C:\Windows\system32\wxpegfs.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1192
        
        C:\Windows\SysWOW64\wiumcv.exe
        
        "C:\Windows\system32\wiumcv.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2272
        
        C:\Windows\SysWOW64\waaop.exe
        
        "C:\Windows\system32\waaop.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1864
        
        C:\Windows\SysWOW64\wvtcmwu.exe
        
        "C:\Windows\system32\wvtcmwu.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:556
        
        C:\Windows\SysWOW64\wwx.exe
        
        "C:\Windows\system32\wwx.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2204
        
        C:\Windows\SysWOW64\wojooto.exe
        
        "C:\Windows\system32\wojooto.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1796
        
        C:\Windows\SysWOW64\wnghvj.exe
        
        "C:\Windows\system32\wnghvj.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3484
        
        C:\Windows\SysWOW64\wjolemd.exe
        
        "C:\Windows\system32\wjolemd.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2732
        
        C:\Windows\SysWOW64\worcpqtb.exe
        
        "C:\Windows\system32\worcpqtb.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1768
        
        C:\Windows\SysWOW64\wejab.exe
        
        "C:\Windows\system32\wejab.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2880
        
        C:\Windows\SysWOW64\wyg.exe
        
        "C:\Windows\system32\wyg.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2452
        
        C:\Windows\SysWOW64\wifbc.exe
        
        "C:\Windows\system32\wifbc.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5008
        
        C:\Windows\SysWOW64\wrrx.exe
        
        "C:\Windows\system32\wrrx.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5016
        
        C:\Windows\SysWOW64\wwupxt.exe
        
        "C:\Windows\system32\wwupxt.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3476
        
        C:\Windows\SysWOW64\wvakth.exe
        
        "C:\Windows\system32\wvakth.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1836
        
        C:\Windows\SysWOW64\wnwksng.exe
        
        "C:\Windows\system32\wnwksng.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4348
        
        C:\Windows\SysWOW64\wnbeobs.exe
        
        "C:\Windows\system32\wnbeobs.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3280
        
        C:\Windows\SysWOW64\wbeoip.exe
        
        "C:\Windows\system32\wbeoip.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4716
        
        C:\Windows\SysWOW64\wsej.exe
        
        "C:\Windows\system32\wsej.exe"
        32⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5036
        
        C:\Windows\SysWOW64\woxwylr.exe
        
        "C:\Windows\system32\woxwylr.exe"
        33⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3048
        
        C:\Windows\SysWOW64\wguvy.exe
        
        "C:\Windows\system32\wguvy.exe"
        34⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3500
        
        C:\Windows\SysWOW64\wrif.exe
        
        "C:\Windows\system32\wrif.exe"
        35⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1820
        
        C:\Windows\SysWOW64\wyalmhe.exe
        
        "C:\Windows\system32\wyalmhe.exe"
        36⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3152
        
        C:\Windows\SysWOW64\wylsmw.exe
        
        "C:\Windows\system32\wylsmw.exe"
        37⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4224
        
        C:\Windows\SysWOW64\wnmbghw.exe
        
        "C:\Windows\system32\wnmbghw.exe"
        38⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3508
        
        C:\Windows\SysWOW64\wxqok.exe
        
        "C:\Windows\system32\wxqok.exe"
        39⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1944
        
        C:\Windows\SysWOW64\wcsfvih.exe
        
        "C:\Windows\system32\wcsfvih.exe"
        40⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2712
        
        C:\Windows\SysWOW64\wqcrdt.exe
        
        "C:\Windows\system32\wqcrdt.exe"
        41⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4484
        
        C:\Windows\SysWOW64\wnktsk.exe
        
        "C:\Windows\system32\wnktsk.exe"
        42⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2768
        
        C:\Windows\SysWOW64\wqeoxw.exe
        
        "C:\Windows\system32\wqeoxw.exe"
        43⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4036
        
        C:\Windows\SysWOW64\wgyvdj.exe
        
        "C:\Windows\system32\wgyvdj.exe"
        44⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2500
        
        C:\Windows\SysWOW64\wjulcpe.exe
        
        "C:\Windows\system32\wjulcpe.exe"
        45⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2492
        
        C:\Windows\SysWOW64\wark.exe
        
        "C:\Windows\system32\wark.exe"
        46⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1140
        
        C:\Windows\SysWOW64\wsgbu.exe
        
        "C:\Windows\system32\wsgbu.exe"
        47⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:412
        
        C:\Windows\SysWOW64\wnofbf.exe
        
        "C:\Windows\system32\wnofbf.exe"
        48⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4772
        
        C:\Windows\SysWOW64\wlwhpw.exe
        
        "C:\Windows\system32\wlwhpw.exe"
        49⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4108
        
        C:\Windows\SysWOW64\wgncuveo.exe
        
        "C:\Windows\system32\wgncuveo.exe"
        50⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4232
        
        C:\Windows\SysWOW64\wgqwpjr.exe
        
        "C:\Windows\system32\wgqwpjr.exe"
        51⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1352
        
        C:\Windows\SysWOW64\wjqs.exe
        
        "C:\Windows\system32\wjqs.exe"
        52⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3496
        
        C:\Windows\SysWOW64\wuw.exe
        
        "C:\Windows\system32\wuw.exe"
        53⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2892
        
        C:\Windows\SysWOW64\wxekcsun.exe
        
        "C:\Windows\system32\wxekcsun.exe"
        54⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5048
        
        C:\Windows\SysWOW64\wmovidaq.exe
        
        "C:\Windows\system32\wmovidaq.exe"
        55⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1492
        
        C:\Windows\SysWOW64\wuuqhe.exe
        
        "C:\Windows\system32\wuuqhe.exe"
        56⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3936
        
        C:\Windows\SysWOW64\wqgepbmj.exe
        
        "C:\Windows\system32\wqgepbmj.exe"
        57⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3920
        
        C:\Windows\SysWOW64\wdmjk.exe
        
        "C:\Windows\system32\wdmjk.exe"
        58⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2928
        
        C:\Windows\SysWOW64\wdjcs.exe
        
        "C:\Windows\system32\wdjcs.exe"
        59⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4288
        
        C:\Windows\SysWOW64\wpwutsal.exe
        
        "C:\Windows\system32\wpwutsal.exe"
        60⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2588
        
        C:\Windows\SysWOW64\wdye.exe
        
        "C:\Windows\system32\wdye.exe"
        61⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3488
        
        C:\Windows\SysWOW64\wffeuorx.exe
        
        "C:\Windows\system32\wffeuorx.exe"
        62⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:764
        
        C:\Windows\SysWOW64\wxeetu.exe
        
        "C:\Windows\system32\wxeetu.exe"
        63⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:820
        
        C:\Windows\SysWOW64\wspq.exe
        
        "C:\Windows\system32\wspq.exe"
        64⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1980
        
        C:\Windows\SysWOW64\wnnmtr.exe
        
        "C:\Windows\system32\wnnmtr.exe"
        65⤵
        Executes dropped EXE
        
        PID:2596
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wspq.exe"
        65⤵
        
        PID:1224
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxeetu.exe"
        64⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wffeuorx.exe"
        63⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdye.exe"
        62⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpwutsal.exe"
        61⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdjcs.exe"
        60⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdmjk.exe"
        59⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqgepbmj.exe"
        58⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuuqhe.exe"
        57⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmovidaq.exe"
        56⤵
        
        PID:1076
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxekcsun.exe"
        55⤵
        
        PID:4020
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuw.exe"
        54⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjqs.exe"
        53⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgqwpjr.exe"
        52⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgncuveo.exe"
        51⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlwhpw.exe"
        50⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnofbf.exe"
        49⤵
        
        PID:3120
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4772 -s 1268
        49⤵
        Program crash
        
        PID:1240
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4772 -s 1428
        49⤵
        Program crash
        
        PID:1740
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsgbu.exe"
        48⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wark.exe"
        47⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjulcpe.exe"
        46⤵
        
        PID:3096
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgyvdj.exe"
        45⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqeoxw.exe"
        44⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnktsk.exe"
        43⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqcrdt.exe"
        42⤵
        
        PID:864
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4484 -s 1400
        42⤵
        Program crash
        
        PID:4984
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcsfvih.exe"
        41⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxqok.exe"
        40⤵
        
        PID:4252
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnmbghw.exe"
        39⤵
        
        PID:3452
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wylsmw.exe"
        38⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyalmhe.exe"
        37⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrif.exe"
        36⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1820 -s 1696
        36⤵
        Program crash
        
        PID:3784
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wguvy.exe"
        35⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woxwylr.exe"
        34⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsej.exe"
        33⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbeoip.exe"
        32⤵
        
        PID:3372
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnbeobs.exe"
        31⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnwksng.exe"
        30⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvakth.exe"
        29⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwupxt.exe"
        28⤵
        
        PID:3456
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrrx.exe"
        27⤵
        
        PID:3760
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wifbc.exe"
        26⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyg.exe"
        25⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wejab.exe"
        24⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\worcpqtb.exe"
        23⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjolemd.exe"
        22⤵
        
        PID:780
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnghvj.exe"
        21⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wojooto.exe"
        20⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwx.exe"
        19⤵
        
        PID:3924
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvtcmwu.exe"
        18⤵
        
        PID:560
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\waaop.exe"
        17⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wiumcv.exe"
        16⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxpegfs.exe"
        15⤵
        
        PID:800
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1192 -s 1692
        15⤵
        Program crash
        
        PID:3940
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wojkj.exe"
        14⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wap.exe"
        13⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkcxbnso.exe"
        12⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcoar.exe"
        11⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whqfbq.exe"
        10⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3888 -s 744
        10⤵
        Program crash
        
        PID:2240
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuelycf.exe"
        9⤵
        
        PID:216
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wplftx.exe"
        8⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwrln.exe"
        7⤵
        
        PID:2500
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wukninl.exe"
        6⤵
        
        PID:1300
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wujbptei.exe"
        5⤵
        
        PID:1768
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whvhpgwa.exe"
      4⤵
      PID:3656
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuqdxekho.exe"
    3⤵
    PID:3492
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\7df70632ef1710871eaeeb9fb98e0c28.exe"
  2⤵
  PID:3484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3888 -ip 3888
1⤵
PID:3348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1192 -ip 1192
1⤵
PID:3596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1820 -ip 1820
1⤵
PID:552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4484 -ip 4484
1⤵
PID:3496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4772 -ip 4772
1⤵
PID:5032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4772 -ip 4772
1⤵
PID:1836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\waaop.exe

Filesize
252KB

MD5
8740525b0c2bc3968ed131289dac2dc1

SHA1
d7b8ac6e22366c3f1453721552d2afe9c66cc0db

SHA256
24aa930a14ac5e65325e0ad2bb2aac4260c7cfcef90a6e37dad868665809a952

SHA512
6bccb0711ad64121fc5f258031950c3fc209ecf8a64b9c440f42f409f4ce4b95ae2c42baa97fc571e795355cfadf978aaf5ce598debf410331210a97e77860cb

Download Submit
C:\Windows\SysWOW64\wap.exe

Filesize
252KB

MD5
c6fe3cc68aea0622de0f9c028b0ab390

SHA1
50b12b6202a938df36c6633d0fca45f5cc1a2b78

SHA256
cd027fc2b553b62b9b79a32455c90347a4eb06f6e8e0798bd20205f8d7259155

SHA512
938a81044c76589a3e98c4bb1d9bcd39e3129a97b1761035f0777da28a446e9830f5afa460dc2b2c94b3f35044bbfe015b704a75b7d358ca7b7296d4122c1e37

Download Submit
C:\Windows\SysWOW64\wbeoip.exe

Filesize
252KB

MD5
c68cabfae537f7d96525cb1c41ca131e

SHA1
bdac738bf79945cee8f0dddf994d2a1962e8fc09

SHA256
b765099aef33a4029db6701ebdf6b9cf58fdb61e637e2f18414ae60c1a814a48

SHA512
edcd2c0edcb5e3972dfd9599aeab967436742c5ae8534dee84f99967eebbd29cd809b9e94c5cc1885105755f363c29484fbdee7a2fbcbba82849d762cb7a5af4

Download Submit
C:\Windows\SysWOW64\wcoar.exe

Filesize
251KB

MD5
8ab720aefeb6bc2a4d5b54a558f8c173

SHA1
53215b8fad14644f65d681b460faf02137187f8e

SHA256
9ce6f919562a1d7b5556b673666527a3a2f6c5e0eec7cf5ed8d3f19b53488f06

SHA512
acdbe3272f3d03d0931bde15f84acf759887fe0f585218174472a8feca0be83aa1072fad70ca5721bfd970ef7d515587f27fe366896db5f14f31880aa7c5ca0c

Download Submit
C:\Windows\SysWOW64\wejab.exe

Filesize
252KB

MD5
875a6b4782a083ea4637207a7ca36669

SHA1
3564ea1965402ab844bfa3cf0996cf3e8aeaa42d

SHA256
5125a915f74a6bd03752e8826b4ec813be3cbbe876d6d480a54c32e1d0f0a2ca

SHA512
f7cf9366dfcd338a027cdfa7846abc47d4337556c5414e302a4d290126a94452b0818f55620eeed3a76db48418f49ea0be3816c0c4c4a3f71ad0e1f720d3a28f

Download Submit
C:\Windows\SysWOW64\whqfbq.exe

Filesize
251KB

MD5
6dfd25e6b1034cb25063c1800603229c

SHA1
4ad496c68cc0d07503200e6ec15d9ee2ef2dbe21

SHA256
7566fefa72a1cc5ef628f482258a0ab605b4f1133614f865a40d238420a36265

SHA512
f80962a83e3529ce4cbbd5d417b75629be1d20a40af01e2be87cb4b85ffbf4b536d2adaf3b61cb80c71d4675c35dbaa1080d92395e548637231c21f6882b3167

Download Submit
C:\Windows\SysWOW64\whvhpgwa.exe

Filesize
251KB

MD5
5d86b1a2a495491863fd66e9b24923c7

SHA1
17c04e1894e9af34f4f07b9daf4e1122103dd6c6

SHA256
95e2b61a87c215b86cdd03b1f75f8ac87d68904612c6f96148758827fec75d07

SHA512
bb8a572181f6515e0008c0f14ed723222cf920384a5f605f0b9fc4e8481430e59ffb67c83b8a7be8b54ffb76058cde4867c20ac80efa44533dc26cf70d74e904

Download Submit
C:\Windows\SysWOW64\wifbc.exe

Filesize
252KB

MD5
d48418a710ad1848f7e5529e285faf0a

SHA1
70fa154384e898271c8e80b1e6767086b7dbb44d

SHA256
c70d61a6725794bf287c923c9ba244b90476a9ff372a8cae86a8532ec5ca5a29

SHA512
15010eecfd72fe078a91c9a08c5baf2d30df95354d4d88eb4baea886479d939fba755498233800ca6ba61df7edc2d0a0ebdf14b3158bad146b3dd373256198cb

Download Submit
C:\Windows\SysWOW64\wiumcv.exe

Filesize
252KB

MD5
886b10d3c9a7b6e076a3c6e437798efe

SHA1
783b7c565501eb5cc75aede365eb56956b7bd104

SHA256
48a7aebe57e9383896ea19a8db7e7316f01c65b396a575831db02401b569f279

SHA512
81bc782d87e8203a3037d8df9bf99b2a6f5df3549e357a53fc6ab2d9a3a3086084f835f695d3ec0ab4ddbfab973bc7535fda7e86d78e555adb7ea8faa0bebc35

Download Submit
C:\Windows\SysWOW64\wjolemd.exe

Filesize
252KB

MD5
7ccf59a8a66228ec7f8d166a64019b35

SHA1
e40dbf951347c7b14e6ae63597bfef6aab484dcf

SHA256
99aef5f5f4b172d7322f55e96ece9a4e269de1e7244ff6a46115f8fe01acec3c

SHA512
696f33021f397a187a98563d24751d46ae581b514051400e999c9acb4e735c1dd6467025eaf10b1106f22127d00fc87e37ffc2da92ce10fac1386d188103657d

Download Submit
C:\Windows\SysWOW64\wkcxbnso.exe

Filesize
252KB

MD5
c0dbfa808bcedb8b478725592f432b52

SHA1
cddfa09a52e04b61089b021940c05b8744799dfc

SHA256
252cd4bcc7f7223e3b2a08265764cff8409900b7241254a4648c0ef0dc7719df

SHA512
5aecd23f7c93e4fed02b116dfba5c6afb2171240fd96272d256f0827321529b261a41bbeafc179f28adaa3106d89ef974d033aa0b96b0f79355f9536572124cd

Download Submit
C:\Windows\SysWOW64\wnbeobs.exe

Filesize
252KB

MD5
2a4c384d3a04ffe4ef2c5847ff48293b

SHA1
d0835261bb1b3e4e7080f105b69ac7d611fe9d3b

SHA256
823497027352f1fff4d669a71b27bc6c95d92959966d1cb7b1b59a5f0249f346

SHA512
04e38eb63931dc26b8d96d5ef5760ceb576daac0f1983b57df3ed3c5e46c6dda90c0761ba34f1b41572a405f2c3689d9d0c078109e8db9ae37a9d58fb8ebd3d0

Download Submit
C:\Windows\SysWOW64\wnghvj.exe

Filesize
252KB

MD5
9028342c96dbb41f64c257caf6d1a798

SHA1
830f6ce54a454b2ef9edcddc655b67184ecb87d1

SHA256
5cb14b55566a1ec0f15392759a993857d34dea09662da35565be98ca0464a939

SHA512
c110350440668fcea47bd4925c6cb40ff4ccb50dd27bf6835a8c53766105d0cb9e72f4165b7acdb5f55f2abfaaf52a1e1f382d525076977adc8eaeae3d4ec1b1

Download Submit
C:\Windows\SysWOW64\wnwksng.exe

Filesize
252KB

MD5
690e9e7cbec43491b904a1290c0f80cb

SHA1
bb595f4f9b74dc1737bf4313ee477ce39d364501

SHA256
ff124bdd3e9b8e8d88b7950380ae102dba6e7d40bc063e164604baf9aeb51489

SHA512
b6905009cbed76ab203a92f502002012dea29469fafa4237a818dfe15423f802ffe0a69a3e7b9c4d966b21b4d2de941a1ffd371132f2e7728c59bab162eb51d6

Download Submit
C:\Windows\SysWOW64\wojkj.exe

Filesize
252KB

MD5
a57f4fabc3085630718d1b7276295645

SHA1
9200517daecd79cd867010854d5f714dd4d0a94f

SHA256
afc6c15148f75d8f037d32ce67c89ff4df9e8eb0435c19b70f9e012060635112

SHA512
c2d37469c80fe0cf5bc9b02e0d6b42fab1179b15433b2027dc950cdd17cbe927579bf2a73794cb7d4c61c8d4557eca84defcc0efe3016d76377a48d11c3b17a3

Download Submit
C:\Windows\SysWOW64\wojooto.exe

Filesize
252KB

MD5
218efcfcc92964430f0b16c5ec2ddf38

SHA1
56340a9f6b4cd34a426cf4bc8f1dade379575c0c

SHA256
a9f6031303d3b1ebbd5d26b2382be0567cc58e726c4281b319768efa1ce4bf57

SHA512
3da9033f93fc52dd345ea7fd3fcc425c5b7015f866419add537504a27f7509df6803ce13857e5b678f8a1c63d31986fde764a45b2ecde86a0b3a6fab93327484

Download Submit
C:\Windows\SysWOW64\worcpqtb.exe

Filesize
252KB

MD5
bd3ece62049826df8a7cc3a59d212f2b

SHA1
1b9b8299793c57db2e4e51c14a31ff441cee7dde

SHA256
b6307b77fbd15cae92577422e7cf2b9fd43262208c6d8f616d3e508beb7d5bc3

SHA512
52a91b4c946c4c5ff5012aae8f11e9bf023f78afdfe18b0d8594053b1bb972e34b92d86186825676e0f9e26ba98ee57a33bf410c8fa8337afec0556166e87091

Download Submit
C:\Windows\SysWOW64\woxwylr.exe

Filesize
252KB

MD5
73f45063c7b63a9d6bb963c46b3b2e7f

SHA1
325b9a1157e775827efd643e1337522bd6e08dd2

SHA256
05215279703461738eee5faa24f7e615a5ea4a3fc5350a87bdb039f319fcb61a

SHA512
6ea37340bb2e8e1b5c17567a10c7dcd9dc56e7f72d5abccb02def8076bed3cc9fdf07c1801d2f2f063af8a59f7b626101a3cb7a93ad6f1d0e076c30267e36c52

Download Submit
C:\Windows\SysWOW64\wplftx.exe

Filesize
251KB

MD5
08d500b83f96978d633e408c506e1c07

SHA1
0fd539bbfb2d25b1e26d47b0f29a3541cb083f4a

SHA256
42f8d894d71cfe1cd860245c0fbf5cb241dda8a3443b9783267258321e624bd2

SHA512
6dbc30206a8601279a0304719601bbd35511249cdd515ee05d739e5c94922b6190d343af754cd5749bf54256a09068a56e21c18552f228d2e551de85760bbfc4

Download Submit
C:\Windows\SysWOW64\wrrx.exe

Filesize
252KB

MD5
9f5d5eaa9595c95f2abc1dacdf099df4

SHA1
6c02b00169e09fc496a2460d9565c84fc04c2c60

SHA256
8c8a60adc6a5d8e400cb22e5fad2406a3bbf30181126d5d55006858dbd2f4254

SHA512
edb99a1db9f7e79676cf4a827352c05f8e20186efcf924ec754eee59cacc5030c97f0c63dccffb025e2c14046cd125e4fa63e3dd51a935a23383e9bb3df08b5d

Download Submit
C:\Windows\SysWOW64\wsej.exe

Filesize
252KB

MD5
cacec4c16e67109d566c690017c166cd

SHA1
0a61a5cb35d05225ade04c7d48e8f5ae10f821c1

SHA256
3b4dae2b25821895505a309d333b883b2d117be0faf30499dcd9b7dad4185c36

SHA512
229fe5cd073ee567c7617558908ae0205317ac155c609d3513a3ab6f4a39a7d0f0d651848239b957c06ff2d3d9560fd0097aada5fc90fb9cdea1cbd5a58d8b17

Download Submit
C:\Windows\SysWOW64\wuelycf.exe

Filesize
251KB

MD5
da9fd2f7a76244985d930aef9c53da6f

SHA1
4a352315ea115db9cb28774b9bfd86958a63f564

SHA256
58fafd1e068cd4717597a8dc3f54ffcef8221f25f049959e3c31ce1a4784b098

SHA512
fb1d3f1920a21b4e057d41c65cb7a97fb5149443368d1a3bdc5d3df31b4562b0ea7b62f5adaa732ef52cf3b204934e472cea96c7a321d071a595eb60a7404936

Download Submit
C:\Windows\SysWOW64\wujbptei.exe

Filesize
251KB

MD5
82d98fb882dd9c75c9c1cc2858c4f3e7

SHA1
df56dca0ab604b0db88e89435df675c6d5c47be0

SHA256
daee26bf1e3cb0f55171ec93889aafff280731b7d59afc78e80a261830c765d3

SHA512
668e2fb35802a6561cc5b0bd52cc91d8198506d43335178d2aeac94baf0235fee3c9c0040e699ff9776b4b61438dd672f5537bd1156fbf1feb077e4f674d68b3

Download Submit
C:\Windows\SysWOW64\wukninl.exe

Filesize
251KB

MD5
76fd3f21fc9c3bc3332db8184a9ec01d

SHA1
72f33af60624512e91caaff2db5f9dbc3916f3c4

SHA256
e568362e3871a575af357d2312c145a67474b41f1d38bf1ac96b594eccf06564

SHA512
dfdd6831a6c3ff0689ec70def6d054f003aad4356de7c6954001ed46ea20c78884054784e5807f28080532580bfbb36991e2881e23613b6a12f284d50710c54d

Download Submit
C:\Windows\SysWOW64\wuqdxekho.exe

Filesize
251KB

MD5
2c1c72b39e162c7c51d43fb880cde74d

SHA1
8e6a2d16701bcd4d360678747a237de9617bb546

SHA256
d21cd1658044ef75a2d749b69883f920a4f0cb6110bdf4cdb0e6a316368f9f99

SHA512
7fab77b41df0107390b1ddd778deaa770a2c009d4df55984e9c73d1a750cb0fd22143c8892f70f60b6c46983fd1586c68da69546960ac027f6a895974d41547b

Download Submit
C:\Windows\SysWOW64\wvakth.exe

Filesize
252KB

MD5
f3b550cb90bc72316d856a682ecb83e9

SHA1
4f510b86cb25cb6913b69d39f4eb1ef64794dd2d

SHA256
0fc0aff33a7f09bf637b7b6ebccee32d387d083c9ec551533375a4884e70aa13

SHA512
e6619079ee9afee9f39014c643981002ab6bf9416cd155ecf5f72aaa234d2b8a973693b0a0ef41949fa78755ea1345e62fe172a40f6f196f5b775492f98c2331

Download Submit
C:\Windows\SysWOW64\wvtcmwu.exe

Filesize
252KB

MD5
dba2fb4f7a906ad56123118708843aae

SHA1
6935f876f8860128edb6745cd3e0f6811e630187

SHA256
50737ec3af0420864600a68ac182752ab41c7642fbd68777483486b9b51ae112

SHA512
af5ea82b3dbd549e933d1f177b4537d9e876ea216eb55437a68a81f3dacd0f0eaba98aa5e11ae782a703ec94ef71224ab2dd7a53709405a1765e5ec4d39159cc

Download Submit
C:\Windows\SysWOW64\wwrln.exe

Filesize
251KB

MD5
8a2aef69d2759a09817b097ca05ba9ad

SHA1
3afa94a816dd9dc94d4842ea582b98bab66ef8da

SHA256
f4911ad2ffff22768d0cfedcc9b62d3a213a52af837b020b4db39c6309320274

SHA512
d67b2b61f7dc873b3a8e3a1d4602f357748afc634fd193fb4fad45448d509814d30f2bd21fe624952b133817d7aeb51cdff23cd134dcfd866804dc48b32b34a1

Download Submit
C:\Windows\SysWOW64\wwupxt.exe

Filesize
252KB

MD5
431499df892ab2bd08c2642166a9274f

SHA1
bb8d1c74ac18c3f0ad8757573cb1c8152cad3e9e

SHA256
ba2a6959246a0692d915945d0141d19031a1b8d46c738da099a2434712c23770

SHA512
16b0f433905a6ba2902db1bc9aac560222015c46e58449e14364b804685b65d2b6319b092a5f262004799bccb8cbba96b3d9f38ebf63e02e8a49e9ccfffd97b3

Download Submit
C:\Windows\SysWOW64\wwx.exe

Filesize
252KB

MD5
aea0d2afee349e0828769c1c2f012290

SHA1
eea625bcf8db8e95a3e9b22eeb46ec1b1e1e0d68

SHA256
a0cb852e0a19ad9667f6c99937d0ac5a881260ff077689762ffd883d6cfb3516

SHA512
3f20cb9117e295179ba771843922c330902f4394093b041e8f26762e219ef205c2d840ea5eefe82c19f0010312d110d94bce520b58a43698546e7ce4c88026df

Download Submit
C:\Windows\SysWOW64\wxpegfs.exe

Filesize
252KB

MD5
4a8a6a4b28655e3c1f985d24814e9fb8

SHA1
2b1987b964239eb29f5ae24e574aff0779739ece

SHA256
d8a9f547c741b421a3abf344b948fcde773ae5a9cbf71e31ab253a8df096b79d

SHA512
8a62409048f3e6e73bbb3c0c61690d9e909d071d26c5a9dfc1a0ea6a6b2768b9ea9ef81c993326ceb09d8b1a584fd936e53653cdbe9430806bb558b8fb89285d

Download Submit
C:\Windows\SysWOW64\wyg.exe

Filesize
252KB

MD5
698997e6f17d032e47df3b844f284b98

SHA1
4038b8efb9f3d1ee2231dae4da0878998ba0d9cd

SHA256
5e642488f5903a1da45f7b1821bd8e51f064142b2e268c001dacda0fdfa193e1

SHA512
3d9fddc504da4dc46c9b52b19e13706bc3aba8bdd9ee838ca156e074c6eedf0a85d1fb799f5a792833501f8f663fc62abc7795f185a4dff8ab42aaf3d5674d9d

Download Submit
memory/412-452-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/556-175-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1140-444-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1192-145-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1292-52-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1352-477-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1352-486-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1388-0-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1388-11-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1492-518-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1516-62-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1592-101-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1768-226-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1796-196-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1796-185-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1820-355-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1836-287-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1864-165-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1944-387-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2204-186-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2272-155-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2452-246-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2492-436-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2500-428-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2712-395-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2732-216-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2768-412-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2880-236-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2892-502-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3048-337-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3132-72-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3152-363-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3280-297-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3280-309-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3456-22-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3456-10-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3476-276-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3484-206-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3496-494-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3500-345-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3508-379-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3888-115-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3912-125-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4036-411-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4036-420-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4108-469-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4224-371-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4232-478-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4248-82-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4348-286-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4348-298-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4484-403-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4536-111-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4692-135-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4716-308-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4716-319-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4720-21-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4720-32-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4728-42-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4772-468-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/5008-256-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/5016-266-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/5036-329-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/5048-510-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download