a38c943daa633de9360c24fc7c5e578e12a2886d15e3a36d2bfa7d9604b7d9ad

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09/04/2024, 00:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a38c943daa633de9360c24fc7c5e578e12a2886d15e3a36d2bfa7d9604b7d9ad.exe
Size

95KB
MD5

cbddeef3d23079bd4e7939c5987eb1ba
SHA1

fd48a656aa8f73f0ae51bc23dac2ddc68b92418c
SHA256

a38c943daa633de9360c24fc7c5e578e12a2886d15e3a36d2bfa7d9604b7d9ad
SHA512

49a84777ee5d389ff04e2a81f5de427cb23bb343e2dfa154b5f1fc8dbb0882c2c52b5397c91738dad060eb3a2e0b6fb32f58136eed52c51540f7a63ee8d86795
SSDEEP

1536:2zfXIsxrhzk2nfsW3ou3yWW2dvcW6eHcBwUi6vWE0Dl27b58XBdqaMG:yfjxrhzk2nfsWhP7dvavi6vWEbh8XH

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	wlfxlj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	wexfd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	wjnfnda.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	whbgn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	wuqd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	wbmpvvxyu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	wkls.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	wjxspag.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	whmty.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	wyechf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	wbijki.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	wnsb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	wyasxp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	wwjay.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	wqoorlq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	wdrurqcd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	wrotsd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	whknfg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	wansug.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	wltts.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	wlrt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	wmxgfx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	wcice.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	weakl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	wahorydx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	wlqrpcyb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	wxeklta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	wldkfpjd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	wgrrj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	wirhoqi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	wnlec.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	wnemglnb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	wnipoy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	wchkmpdl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	wimibkj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	wbcd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	wfxf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	wppbuph.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	whroa.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	weucehh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	wcvtqg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	wutlqo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	wpx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	wxhp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	wmackw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	wrnmubxk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	wnhcxdfjl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	wgvchi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	wpnxke.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	whhvg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	a38c943daa633de9360c24fc7c5e578e12a2886d15e3a36d2bfa7d9604b7d9ad.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	wffdj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	wgjos.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	wimpy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	wush.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	wrtw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	wypwblhy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	wmtuh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	wpawac.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	wafaxt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	wgsjbty.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	wrgpbr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	wovmgf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	wvrhbd.exe

Executes dropped EXE 64 IoCs

pid	Process
2972	wlfxlj.exe
4244	wdq.exe
3244	wdawtjpi.exe
2968	wansug.exe
968	wahorydx.exe
3228	wlqrpcyb.exe
4412	whbgn.exe
1372	wurta.exe
1264	wrgpbr.exe
2004	wffdj.exe
2200	wxeklta.exe
4068	wimpy.exe
452	wnipoy.exe
1004	wnsb.exe
3176	wcvtqg.exe
4872	wmvjjhfn.exe
3220	wexfd.exe
2700	wgvglsq.exe
3452	wkqwye.exe
3416	wkls.exe
4324	wyasxp.exe
4544	wuqysprh.exe
228	wjdujju.exe
3948	wkmg.exe
3932	whvtwduxk.exe
4264	wvvffum.exe
2084	wovmgf.exe
1096	wnlec.exe
3836	wapxesx.exe
4884	wgjos.exe
4900	wutlqo.exe
3176	wpx.exe
4952	wltts.exe
1128	wkcial.exe
3156	wfrnvlqu.exe
768	wchkmpdl.exe
4812	wmyybk.exe
3440	wit.exe
4760	wkk.exe
3836	wmtuh.exe
3488	wrnmubxk.exe
2248	wtkpuqc.exe
4752	wjnfnda.exe
4200	wxhp.exe
3396	wuqd.exe
3452	wmcupico.exe
2456	wpawac.exe
4564	wjxspag.exe
3976	wxsaulwg.exe
1228	wnhcxdfjl.exe
3676	wgvchi.exe
4008	wldkfpjd.exe
2908	wtv.exe
4940	wdrurqcd.exe
2272	wssgyit.exe
3132	wgrrj.exe
4388	whmnfvkb.exe
868	wesi.exe
4988	wmxgfx.exe
4216	wiiueat.exe
4672	wcice.exe
4824	wytaffg.exe
4408	wmackw.exe
3632	weakl.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\wrtw.exe	wirhoqi.exe
File created	C:\Windows\SysWOW64\wkyaro.exe	weucehh.exe
File opened for modification	C:\Windows\SysWOW64\wjlmn.exe	wujrcuc.exe
File created	C:\Windows\SysWOW64\wxsaulwg.exe	wjxspag.exe
File opened for modification	C:\Windows\SysWOW64\wmxgfx.exe	wesi.exe
File opened for modification	C:\Windows\SysWOW64\wqkwtjogq.exe	wyvyab.exe
File opened for modification	C:\Windows\SysWOW64\wmisqo.exe	whmty.exe
File opened for modification	C:\Windows\SysWOW64\wahorydx.exe	wansug.exe
File opened for modification	C:\Windows\SysWOW64\whbgn.exe	wlqrpcyb.exe
File created	C:\Windows\SysWOW64\wsqwfo.exe	wady.exe
File created	C:\Windows\SysWOW64\wfxf.exe	weovqco.exe
File opened for modification	C:\Windows\SysWOW64\wnipoy.exe	wimpy.exe
File created	C:\Windows\SysWOW64\wnemglnb.exe	wafaxt.exe
File created	C:\Windows\SysWOW64\wdawtjpi.exe	wdq.exe
File created	C:\Windows\SysWOW64\wexfd.exe	wmvjjhfn.exe
File created	C:\Windows\SysWOW64\whknfg.exe	wsy.exe
File opened for modification	C:\Windows\SysWOW64\wghgtckn.exe	wjcm.exe
File opened for modification	C:\Windows\SysWOW64\wuqd.exe	wxhp.exe
File created	C:\Windows\SysWOW64\wkir.exe	wlyd.exe
File opened for modification	C:\Windows\SysWOW64\wtv.exe	wldkfpjd.exe
File opened for modification	C:\Windows\SysWOW64\wiiueat.exe	wmxgfx.exe
File opened for modification	C:\Windows\SysWOW64\wcice.exe	wiiueat.exe
File opened for modification	C:\Windows\SysWOW64\wmackw.exe	wytaffg.exe
File opened for modification	C:\Windows\SysWOW64\wnsb.exe	wnipoy.exe
File created	C:\Windows\SysWOW64\wltts.exe	wpx.exe
File opened for modification	C:\Windows\SysWOW64\wfrnvlqu.exe	wkcial.exe
File created	C:\Windows\SysWOW64\wkk.exe	wit.exe
File opened for modification	C:\Windows\SysWOW64\wccl.exe	wlrt.exe
File created	C:\Windows\SysWOW64\wgcym.exe	wpnxke.exe
File opened for modification	C:\Windows\SysWOW64\wkyaro.exe	weucehh.exe
File opened for modification	C:\Windows\SysWOW64\wvpx.exe	wqkwtjogq.exe
File created	C:\Windows\SysWOW64\wypwblhy.exe	whroa.exe
File created	C:\Windows\SysWOW64\wpnxke.exe	wrotsd.exe
File created	C:\Windows\SysWOW64\wsy.exe	wfxf.exe
File opened for modification	C:\Windows\SysWOW64\wuqysprh.exe	wyasxp.exe
File opened for modification	C:\Windows\SysWOW64\whvtwduxk.exe	wkmg.exe
File created	C:\Windows\SysWOW64\wjxspag.exe	wpawac.exe
File created	C:\Windows\SysWOW64\wyechf.exe	wgsjbty.exe
File opened for modification	C:\Windows\SysWOW64\wppbuph.exe	whhvg.exe
File created	C:\Windows\SysWOW64\wmvjjhfn.exe	wcvtqg.exe
File opened for modification	C:\Windows\SysWOW64\wkls.exe	wkqwye.exe
File opened for modification	C:\Windows\SysWOW64\wmtuh.exe	wkk.exe
File created	C:\Windows\SysWOW64\wansug.exe	wdawtjpi.exe
File created	C:\Windows\SysWOW64\wovmgf.exe	wvvffum.exe
File created	C:\Windows\SysWOW64\wjnfnda.exe	wtkpuqc.exe
File opened for modification	C:\Windows\SysWOW64\wujrcuc.exe	wghgtckn.exe
File opened for modification	C:\Windows\SysWOW64\wlfxlj.exe	a38c943daa633de9360c24fc7c5e578e12a2886d15e3a36d2bfa7d9604b7d9ad.exe
File opened for modification	C:\Windows\SysWOW64\wdq.exe	wlfxlj.exe
File created	C:\Windows\SysWOW64\wyasxp.exe	wkls.exe
File opened for modification	C:\Windows\SysWOW64\wlrt.exe	wvrhbd.exe
File opened for modification	C:\Windows\SysWOW64\wfknslj.exe	wimibkj.exe
File opened for modification	C:\Windows\SysWOW64\wlyd.exe	wqoorlq.exe
File created	C:\Windows\SysWOW64\wlqrpcyb.exe	wahorydx.exe
File created	C:\Windows\SysWOW64\wnipoy.exe	wimpy.exe
File created	C:\Windows\SysWOW64\wesi.exe	whmnfvkb.exe
File opened for modification	C:\Windows\SysWOW64\wnemglnb.exe	wafaxt.exe
File opened for modification	C:\Windows\SysWOW64\wdawtjpi.exe	wdq.exe
File opened for modification	C:\Windows\SysWOW64\wgvglsq.exe	wexfd.exe
File opened for modification	C:\Windows\SysWOW64\whmty.exe	wfgq.exe
File opened for modification	C:\Windows\SysWOW64\wqoorlq.exe	wltwebn.exe
File opened for modification	C:\Windows\SysWOW64\wgrrj.exe	wssgyit.exe
File opened for modification	C:\Windows\SysWOW64\wimpy.exe	wxeklta.exe
File created	C:\Windows\SysWOW64\wkcial.exe	wltts.exe
File created	C:\Windows\SysWOW64\wfrnvlqu.exe	wkcial.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 11 IoCs

pid	pid_target	Process	procid_target
4264	2968	WerFault.exe	102
5008	2200	WerFault.exe	129
3168	3416	WerFault.exe	158
448	4324	WerFault.exe	162
4680	2456	WerFault.exe	244
4856	3676	WerFault.exe	258
5072	2552	WerFault.exe	311
4836	1868	WerFault.exe	319
4368	4548	WerFault.exe	366
4708	3592	WerFault.exe	392
1832	3380	WerFault.exe	418

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3520 wrote to memory of 2972	3520	a38c943daa633de9360c24fc7c5e578e12a2886d15e3a36d2bfa7d9604b7d9ad.exe	88
PID 3520 wrote to memory of 2972	3520	a38c943daa633de9360c24fc7c5e578e12a2886d15e3a36d2bfa7d9604b7d9ad.exe	88
PID 3520 wrote to memory of 2972	3520	a38c943daa633de9360c24fc7c5e578e12a2886d15e3a36d2bfa7d9604b7d9ad.exe	88
PID 3520 wrote to memory of 2372	3520	a38c943daa633de9360c24fc7c5e578e12a2886d15e3a36d2bfa7d9604b7d9ad.exe	90
PID 3520 wrote to memory of 2372	3520	a38c943daa633de9360c24fc7c5e578e12a2886d15e3a36d2bfa7d9604b7d9ad.exe	90
PID 3520 wrote to memory of 2372	3520	a38c943daa633de9360c24fc7c5e578e12a2886d15e3a36d2bfa7d9604b7d9ad.exe	90
PID 2972 wrote to memory of 4244	2972	wlfxlj.exe	94
PID 2972 wrote to memory of 4244	2972	wlfxlj.exe	94
PID 2972 wrote to memory of 4244	2972	wlfxlj.exe	94
PID 2972 wrote to memory of 1868	2972	wlfxlj.exe	95
PID 2972 wrote to memory of 1868	2972	wlfxlj.exe	95
PID 2972 wrote to memory of 1868	2972	wlfxlj.exe	95
PID 4244 wrote to memory of 3244	4244	wdq.exe	99
PID 4244 wrote to memory of 3244	4244	wdq.exe	99
PID 4244 wrote to memory of 3244	4244	wdq.exe	99
PID 4244 wrote to memory of 3232	4244	wdq.exe	100
PID 4244 wrote to memory of 3232	4244	wdq.exe	100
PID 4244 wrote to memory of 3232	4244	wdq.exe	100
PID 3244 wrote to memory of 2968	3244	wdawtjpi.exe	102
PID 3244 wrote to memory of 2968	3244	wdawtjpi.exe	102
PID 3244 wrote to memory of 2968	3244	wdawtjpi.exe	102
PID 3244 wrote to memory of 3908	3244	wdawtjpi.exe	103
PID 3244 wrote to memory of 3908	3244	wdawtjpi.exe	103
PID 3244 wrote to memory of 3908	3244	wdawtjpi.exe	103
PID 2968 wrote to memory of 968	2968	wansug.exe	106
PID 2968 wrote to memory of 968	2968	wansug.exe	106
PID 2968 wrote to memory of 968	2968	wansug.exe	106
PID 2968 wrote to memory of 5036	2968	wansug.exe	107
PID 2968 wrote to memory of 5036	2968	wansug.exe	107
PID 2968 wrote to memory of 5036	2968	wansug.exe	107
PID 968 wrote to memory of 3228	968	wahorydx.exe	112
PID 968 wrote to memory of 3228	968	wahorydx.exe	112
PID 968 wrote to memory of 3228	968	wahorydx.exe	112
PID 968 wrote to memory of 1248	968	wahorydx.exe	113
PID 968 wrote to memory of 1248	968	wahorydx.exe	113
PID 968 wrote to memory of 1248	968	wahorydx.exe	113
PID 3228 wrote to memory of 4412	3228	wlqrpcyb.exe	115
PID 3228 wrote to memory of 4412	3228	wlqrpcyb.exe	115
PID 3228 wrote to memory of 4412	3228	wlqrpcyb.exe	115
PID 3228 wrote to memory of 828	3228	wlqrpcyb.exe	116
PID 3228 wrote to memory of 828	3228	wlqrpcyb.exe	116
PID 3228 wrote to memory of 828	3228	wlqrpcyb.exe	116
PID 4412 wrote to memory of 1372	4412	whbgn.exe	120
PID 4412 wrote to memory of 1372	4412	whbgn.exe	120
PID 4412 wrote to memory of 1372	4412	whbgn.exe	120
PID 4412 wrote to memory of 4432	4412	whbgn.exe	121
PID 4412 wrote to memory of 4432	4412	whbgn.exe	121
PID 4412 wrote to memory of 4432	4412	whbgn.exe	121
PID 1372 wrote to memory of 1264	1372	wurta.exe	123
PID 1372 wrote to memory of 1264	1372	wurta.exe	123
PID 1372 wrote to memory of 1264	1372	wurta.exe	123
PID 1372 wrote to memory of 2248	1372	wurta.exe	124
PID 1372 wrote to memory of 2248	1372	wurta.exe	124
PID 1372 wrote to memory of 2248	1372	wurta.exe	124
PID 1264 wrote to memory of 2004	1264	wrgpbr.exe	126
PID 1264 wrote to memory of 2004	1264	wrgpbr.exe	126
PID 1264 wrote to memory of 2004	1264	wrgpbr.exe	126
PID 1264 wrote to memory of 1908	1264	wrgpbr.exe	127
PID 1264 wrote to memory of 1908	1264	wrgpbr.exe	127
PID 1264 wrote to memory of 1908	1264	wrgpbr.exe	127
PID 2004 wrote to memory of 2200	2004	wffdj.exe	129
PID 2004 wrote to memory of 2200	2004	wffdj.exe	129
PID 2004 wrote to memory of 2200	2004	wffdj.exe	129
PID 2004 wrote to memory of 4368	2004	wffdj.exe	130

C:\Users\Admin\AppData\Local\Temp\a38c943daa633de9360c24fc7c5e578e12a2886d15e3a36d2bfa7d9604b7d9ad.exe
"C:\Users\Admin\AppData\Local\Temp\a38c943daa633de9360c24fc7c5e578e12a2886d15e3a36d2bfa7d9604b7d9ad.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3520
- C:\Windows\SysWOW64\wlfxlj.exe
  "C:\Windows\system32\wlfxlj.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2972
- - C:\Windows\SysWOW64\wdq.exe
    "C:\Windows\system32\wdq.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:4244
  - - C:\Windows\SysWOW64\wdawtjpi.exe
      "C:\Windows\system32\wdawtjpi.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:3244
    - - C:\Windows\SysWOW64\wansug.exe
        
        "C:\Windows\system32\wansug.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2968
      - C:\Windows\SysWOW64\wahorydx.exe
        
        "C:\Windows\system32\wahorydx.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:968
        
        C:\Windows\SysWOW64\wlqrpcyb.exe
        
        "C:\Windows\system32\wlqrpcyb.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3228
        
        C:\Windows\SysWOW64\whbgn.exe
        
        "C:\Windows\system32\whbgn.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4412
        
        C:\Windows\SysWOW64\wurta.exe
        
        "C:\Windows\system32\wurta.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1372
        
        C:\Windows\SysWOW64\wrgpbr.exe
        
        "C:\Windows\system32\wrgpbr.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1264
        
        C:\Windows\SysWOW64\wffdj.exe
        
        "C:\Windows\system32\wffdj.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2004
        
        C:\Windows\SysWOW64\wxeklta.exe
        
        "C:\Windows\system32\wxeklta.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2200
        
        C:\Windows\SysWOW64\wimpy.exe
        
        "C:\Windows\system32\wimpy.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4068
        
        C:\Windows\SysWOW64\wnipoy.exe
        
        "C:\Windows\system32\wnipoy.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:452
        
        C:\Windows\SysWOW64\wnsb.exe
        
        "C:\Windows\system32\wnsb.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1004
        
        C:\Windows\SysWOW64\wcvtqg.exe
        
        "C:\Windows\system32\wcvtqg.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3176
        
        C:\Windows\SysWOW64\wmvjjhfn.exe
        
        "C:\Windows\system32\wmvjjhfn.exe"
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4872
        
        C:\Windows\SysWOW64\wexfd.exe
        
        "C:\Windows\system32\wexfd.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3220
        
        C:\Windows\SysWOW64\wgvglsq.exe
        
        "C:\Windows\system32\wgvglsq.exe"
        19⤵
        Executes dropped EXE
        
        PID:2700
        
        C:\Windows\SysWOW64\wkqwye.exe
        
        "C:\Windows\system32\wkqwye.exe"
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3452
        
        C:\Windows\SysWOW64\wkls.exe
        
        "C:\Windows\system32\wkls.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3416
        
        C:\Windows\SysWOW64\wyasxp.exe
        
        "C:\Windows\system32\wyasxp.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4324
        
        C:\Windows\SysWOW64\wuqysprh.exe
        
        "C:\Windows\system32\wuqysprh.exe"
        23⤵
        Executes dropped EXE
        
        PID:4544
        
        C:\Windows\SysWOW64\wjdujju.exe
        
        "C:\Windows\system32\wjdujju.exe"
        24⤵
        Executes dropped EXE
        
        PID:228
        
        C:\Windows\SysWOW64\wkmg.exe
        
        "C:\Windows\system32\wkmg.exe"
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3948
        
        C:\Windows\SysWOW64\whvtwduxk.exe
        
        "C:\Windows\system32\whvtwduxk.exe"
        26⤵
        Executes dropped EXE
        
        PID:3932
        
        C:\Windows\SysWOW64\wvvffum.exe
        
        "C:\Windows\system32\wvvffum.exe"
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4264
        
        C:\Windows\SysWOW64\wovmgf.exe
        
        "C:\Windows\system32\wovmgf.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2084
        
        C:\Windows\SysWOW64\wnlec.exe
        
        "C:\Windows\system32\wnlec.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1096
        
        C:\Windows\SysWOW64\wapxesx.exe
        
        "C:\Windows\system32\wapxesx.exe"
        30⤵
        Executes dropped EXE
        
        PID:3836
        
        C:\Windows\SysWOW64\wgjos.exe
        
        "C:\Windows\system32\wgjos.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4884
        
        C:\Windows\SysWOW64\wutlqo.exe
        
        "C:\Windows\system32\wutlqo.exe"
        32⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4900
        
        C:\Windows\SysWOW64\wpx.exe
        
        "C:\Windows\system32\wpx.exe"
        33⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3176
        
        C:\Windows\SysWOW64\wltts.exe
        
        "C:\Windows\system32\wltts.exe"
        34⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4952
        
        C:\Windows\SysWOW64\wkcial.exe
        
        "C:\Windows\system32\wkcial.exe"
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1128
        
        C:\Windows\SysWOW64\wfrnvlqu.exe
        
        "C:\Windows\system32\wfrnvlqu.exe"
        36⤵
        Executes dropped EXE
        
        PID:3156
        
        C:\Windows\SysWOW64\wchkmpdl.exe
        
        "C:\Windows\system32\wchkmpdl.exe"
        37⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:768
        
        C:\Windows\SysWOW64\wmyybk.exe
        
        "C:\Windows\system32\wmyybk.exe"
        38⤵
        Executes dropped EXE
        
        PID:4812
        
        C:\Windows\SysWOW64\wit.exe
        
        "C:\Windows\system32\wit.exe"
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3440
        
        C:\Windows\SysWOW64\wkk.exe
        
        "C:\Windows\system32\wkk.exe"
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4760
        
        C:\Windows\SysWOW64\wmtuh.exe
        
        "C:\Windows\system32\wmtuh.exe"
        41⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3836
        
        C:\Windows\SysWOW64\wrnmubxk.exe
        
        "C:\Windows\system32\wrnmubxk.exe"
        42⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3488
        
        C:\Windows\SysWOW64\wtkpuqc.exe
        
        "C:\Windows\system32\wtkpuqc.exe"
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2248
        
        C:\Windows\SysWOW64\wjnfnda.exe
        
        "C:\Windows\system32\wjnfnda.exe"
        44⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4752
        
        C:\Windows\SysWOW64\wxhp.exe
        
        "C:\Windows\system32\wxhp.exe"
        45⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4200
        
        C:\Windows\SysWOW64\wuqd.exe
        
        "C:\Windows\system32\wuqd.exe"
        46⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3396
        
        C:\Windows\SysWOW64\wmcupico.exe
        
        "C:\Windows\system32\wmcupico.exe"
        47⤵
        Executes dropped EXE
        
        PID:3452
        
        C:\Windows\SysWOW64\wpawac.exe
        
        "C:\Windows\system32\wpawac.exe"
        48⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2456
        
        C:\Windows\SysWOW64\wjxspag.exe
        
        "C:\Windows\system32\wjxspag.exe"
        49⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4564
        
        C:\Windows\SysWOW64\wxsaulwg.exe
        
        "C:\Windows\system32\wxsaulwg.exe"
        50⤵
        Executes dropped EXE
        
        PID:3976
        
        C:\Windows\SysWOW64\wnhcxdfjl.exe
        
        "C:\Windows\system32\wnhcxdfjl.exe"
        51⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1228
        
        C:\Windows\SysWOW64\wgvchi.exe
        
        "C:\Windows\system32\wgvchi.exe"
        52⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3676
        
        C:\Windows\SysWOW64\wldkfpjd.exe
        
        "C:\Windows\system32\wldkfpjd.exe"
        53⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4008
        
        C:\Windows\SysWOW64\wtv.exe
        
        "C:\Windows\system32\wtv.exe"
        54⤵
        Executes dropped EXE
        
        PID:2908
        
        C:\Windows\SysWOW64\wdrurqcd.exe
        
        "C:\Windows\system32\wdrurqcd.exe"
        55⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4940
        
        C:\Windows\SysWOW64\wssgyit.exe
        
        "C:\Windows\system32\wssgyit.exe"
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2272
        
        C:\Windows\SysWOW64\wgrrj.exe
        
        "C:\Windows\system32\wgrrj.exe"
        57⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3132
        
        C:\Windows\SysWOW64\whmnfvkb.exe
        
        "C:\Windows\system32\whmnfvkb.exe"
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4388
        
        C:\Windows\SysWOW64\wesi.exe
        
        "C:\Windows\system32\wesi.exe"
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:868
        
        C:\Windows\SysWOW64\wmxgfx.exe
        
        "C:\Windows\system32\wmxgfx.exe"
        60⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4988
        
        C:\Windows\SysWOW64\wiiueat.exe
        
        "C:\Windows\system32\wiiueat.exe"
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4216
        
        C:\Windows\SysWOW64\wcice.exe
        
        "C:\Windows\system32\wcice.exe"
        62⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4672
        
        C:\Windows\SysWOW64\wytaffg.exe
        
        "C:\Windows\system32\wytaffg.exe"
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4824
        
        C:\Windows\SysWOW64\wmackw.exe
        
        "C:\Windows\system32\wmackw.exe"
        64⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4408
        
        C:\Windows\SysWOW64\weakl.exe
        
        "C:\Windows\system32\weakl.exe"
        65⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3632
        
        C:\Windows\SysWOW64\wady.exe
        
        "C:\Windows\system32\wady.exe"
        66⤵
        Drops file in System32 directory
        
        PID:4960
        
        C:\Windows\SysWOW64\wsqwfo.exe
        
        "C:\Windows\system32\wsqwfo.exe"
        67⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\wyvyab.exe
        
        "C:\Windows\system32\wyvyab.exe"
        68⤵
        Drops file in System32 directory
        
        PID:3944
        
        C:\Windows\SysWOW64\wqkwtjogq.exe
        
        "C:\Windows\system32\wqkwtjogq.exe"
        69⤵
        Drops file in System32 directory
        
        PID:2552
        
        C:\Windows\SysWOW64\wvpx.exe
        
        "C:\Windows\system32\wvpx.exe"
        70⤵
        
        PID:3192
        
        C:\Windows\SysWOW64\wwittifx.exe
        
        "C:\Windows\system32\wwittifx.exe"
        71⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\wush.exe
        
        "C:\Windows\system32\wush.exe"
        72⤵
        Checks computer location settings
        
        PID:4944
        
        C:\Windows\SysWOW64\wvrhbd.exe
        
        "C:\Windows\system32\wvrhbd.exe"
        73⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:3928
        
        C:\Windows\SysWOW64\wlrt.exe
        
        "C:\Windows\system32\wlrt.exe"
        74⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:1060
        
        C:\Windows\SysWOW64\wccl.exe
        
        "C:\Windows\system32\wccl.exe"
        75⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\wymyogcr.exe
        
        "C:\Windows\system32\wymyogcr.exe"
        76⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\wfgq.exe
        
        "C:\Windows\system32\wfgq.exe"
        77⤵
        Drops file in System32 directory
        
        PID:4392
        
        C:\Windows\SysWOW64\whmty.exe
        
        "C:\Windows\system32\whmty.exe"
        78⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2916
        
        C:\Windows\SysWOW64\wmisqo.exe
        
        "C:\Windows\system32\wmisqo.exe"
        79⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\wirhoqi.exe
        
        "C:\Windows\system32\wirhoqi.exe"
        80⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2084
        
        C:\Windows\SysWOW64\wrtw.exe
        
        "C:\Windows\system32\wrtw.exe"
        81⤵
        Checks computer location settings
        
        PID:3376
        
        C:\Windows\SysWOW64\wkrfhas.exe
        
        "C:\Windows\system32\wkrfhas.exe"
        82⤵
        
        PID:4612
        
        C:\Windows\SysWOW64\wafaxt.exe
        
        "C:\Windows\system32\wafaxt.exe"
        83⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:3384
        
        C:\Windows\SysWOW64\wnemglnb.exe
        
        "C:\Windows\system32\wnemglnb.exe"
        84⤵
        Checks computer location settings
        
        PID:4360
        
        C:\Windows\SysWOW64\wgsjbty.exe
        
        "C:\Windows\system32\wgsjbty.exe"
        85⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4556
        
        C:\Windows\SysWOW64\wyechf.exe
        
        "C:\Windows\system32\wyechf.exe"
        86⤵
        Checks computer location settings
        
        PID:4548
        
        C:\Windows\SysWOW64\wngvt.exe
        
        "C:\Windows\system32\wngvt.exe"
        87⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\whroa.exe
        
        "C:\Windows\system32\whroa.exe"
        88⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:5008
        
        C:\Windows\SysWOW64\wypwblhy.exe
        
        "C:\Windows\system32\wypwblhy.exe"
        89⤵
        Checks computer location settings
        
        PID:2528
        
        C:\Windows\SysWOW64\wvak.exe
        
        "C:\Windows\system32\wvak.exe"
        90⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\wdiqnm.exe
        
        "C:\Windows\system32\wdiqnm.exe"
        91⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\wrotsd.exe
        
        "C:\Windows\system32\wrotsd.exe"
        92⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:860
        
        C:\Windows\SysWOW64\wpnxke.exe
        
        "C:\Windows\system32\wpnxke.exe"
        93⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:3196
        
        C:\Windows\SysWOW64\wgcym.exe
        
        "C:\Windows\system32\wgcym.exe"
        94⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\wimibkj.exe
        
        "C:\Windows\system32\wimibkj.exe"
        95⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2816
        
        C:\Windows\SysWOW64\wfknslj.exe
        
        "C:\Windows\system32\wfknslj.exe"
        96⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\wbijki.exe
        
        "C:\Windows\system32\wbijki.exe"
        97⤵
        Checks computer location settings
        
        PID:1372
        
        C:\Windows\SysWOW64\wbcd.exe
        
        "C:\Windows\system32\wbcd.exe"
        98⤵
        Checks computer location settings
        
        PID:2208
        
        C:\Windows\SysWOW64\wbmpvvxyu.exe
        
        "C:\Windows\system32\wbmpvvxyu.exe"
        99⤵
        Checks computer location settings
        
        PID:3144
        
        C:\Windows\SysWOW64\wcvykplx.exe
        
        "C:\Windows\system32\wcvykplx.exe"
        100⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\wuvgly.exe
        
        "C:\Windows\system32\wuvgly.exe"
        101⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\weovqco.exe
        
        "C:\Windows\system32\weovqco.exe"
        102⤵
        Drops file in System32 directory
        
        PID:3380
        
        C:\Windows\SysWOW64\wfxf.exe
        
        "C:\Windows\system32\wfxf.exe"
        103⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4260
        
        C:\Windows\SysWOW64\wsy.exe
        
        "C:\Windows\system32\wsy.exe"
        104⤵
        Drops file in System32 directory
        
        PID:3556
        
        C:\Windows\SysWOW64\whknfg.exe
        
        "C:\Windows\system32\whknfg.exe"
        105⤵
        Checks computer location settings
        
        PID:3132
        
        C:\Windows\SysWOW64\weucehh.exe
        
        "C:\Windows\system32\weucehh.exe"
        106⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:3196
        
        C:\Windows\SysWOW64\wkyaro.exe
        
        "C:\Windows\system32\wkyaro.exe"
        107⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\wwjay.exe
        
        "C:\Windows\system32\wwjay.exe"
        108⤵
        Checks computer location settings
        
        PID:3824
        
        C:\Windows\SysWOW64\wjcm.exe
        
        "C:\Windows\system32\wjcm.exe"
        109⤵
        Drops file in System32 directory
        
        PID:1924
        
        C:\Windows\SysWOW64\wghgtckn.exe
        
        "C:\Windows\system32\wghgtckn.exe"
        110⤵
        Drops file in System32 directory
        
        PID:2164
        
        C:\Windows\SysWOW64\wujrcuc.exe
        
        "C:\Windows\system32\wujrcuc.exe"
        111⤵
        Drops file in System32 directory
        
        PID:3220
        
        C:\Windows\SysWOW64\wjlmn.exe
        
        "C:\Windows\system32\wjlmn.exe"
        112⤵
        
        PID:752
        
        C:\Windows\SysWOW64\wltwebn.exe
        
        "C:\Windows\system32\wltwebn.exe"
        113⤵
        Drops file in System32 directory
        
        PID:208
        
        C:\Windows\SysWOW64\wqoorlq.exe
        
        "C:\Windows\system32\wqoorlq.exe"
        114⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2528
        
        C:\Windows\SysWOW64\wlyd.exe
        
        "C:\Windows\system32\wlyd.exe"
        115⤵
        Drops file in System32 directory
        
        PID:3128
        
        C:\Windows\SysWOW64\wkir.exe
        
        "C:\Windows\system32\wkir.exe"
        116⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\whhvg.exe
        
        "C:\Windows\system32\whhvg.exe"
        117⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2232
        
        C:\Windows\SysWOW64\wppbuph.exe
        
        "C:\Windows\system32\wppbuph.exe"
        118⤵
        Checks computer location settings
        
        PID:1188
        
        C:\Windows\SysWOW64\wujrib.exe
        
        "C:\Windows\system32\wujrib.exe"
        119⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wppbuph.exe"
        119⤵
        
        PID:1124
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whhvg.exe"
        118⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkir.exe"
        117⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlyd.exe"
        116⤵
        
        PID:3844
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqoorlq.exe"
        115⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wltwebn.exe"
        114⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjlmn.exe"
        113⤵
        
        PID:3432
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wujrcuc.exe"
        112⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wghgtckn.exe"
        111⤵
        
        PID:228
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjcm.exe"
        110⤵
        
        PID:3532
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwjay.exe"
        109⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkyaro.exe"
        108⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\weucehh.exe"
        107⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whknfg.exe"
        106⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsy.exe"
        105⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfxf.exe"
        104⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\weovqco.exe"
        103⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3380 -s 8
        103⤵
        Program crash
        
        PID:1832
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuvgly.exe"
        102⤵
        
        PID:1204
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcvykplx.exe"
        101⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbmpvvxyu.exe"
        100⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbcd.exe"
        99⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbijki.exe"
        98⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfknslj.exe"
        97⤵
        
        PID:740
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wimibkj.exe"
        96⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgcym.exe"
        95⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3592 -s 1432
        95⤵
        Program crash
        
        PID:4708
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpnxke.exe"
        94⤵
        
        PID:3440
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrotsd.exe"
        93⤵
        
        PID:3084
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdiqnm.exe"
        92⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvak.exe"
        91⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wypwblhy.exe"
        90⤵
        
        PID:412
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whroa.exe"
        89⤵
        
        PID:3908
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wngvt.exe"
        88⤵
        
        PID:3544
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyechf.exe"
        87⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4548 -s 1432
        87⤵
        Program crash
        
        PID:4368
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgsjbty.exe"
        86⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnemglnb.exe"
        85⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wafaxt.exe"
        84⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkrfhas.exe"
        83⤵
        
        PID:3332
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrtw.exe"
        82⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wirhoqi.exe"
        81⤵
        
        PID:3924
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmisqo.exe"
        80⤵
        
        PID:336
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whmty.exe"
        79⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfgq.exe"
        78⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wymyogcr.exe"
        77⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wccl.exe"
        76⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlrt.exe"
        75⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvrhbd.exe"
        74⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wush.exe"
        73⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwittifx.exe"
        72⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1868 -s 1528
        72⤵
        Program crash
        
        PID:4836
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvpx.exe"
        71⤵
        
        PID:3864
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqkwtjogq.exe"
        70⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2552 -s 240
        70⤵
        Program crash
        
        PID:5072
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyvyab.exe"
        69⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsqwfo.exe"
        68⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wady.exe"
        67⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\weakl.exe"
        66⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmackw.exe"
        65⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wytaffg.exe"
        64⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcice.exe"
        63⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wiiueat.exe"
        62⤵
        
        PID:3992
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmxgfx.exe"
        61⤵
        
        PID:448
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wesi.exe"
        60⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whmnfvkb.exe"
        59⤵
        
        PID:3780
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgrrj.exe"
        58⤵
        
        PID:3168
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wssgyit.exe"
        57⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdrurqcd.exe"
        56⤵
        
        PID:3908
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtv.exe"
        55⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wldkfpjd.exe"
        54⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgvchi.exe"
        53⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3676 -s 1088
        53⤵
        Program crash
        
        PID:4856
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnhcxdfjl.exe"
        52⤵
        
        PID:836
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxsaulwg.exe"
        51⤵
        
        PID:448
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjxspag.exe"
        50⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpawac.exe"
        49⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2456 -s 236
        49⤵
        Program crash
        
        PID:4680
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmcupico.exe"
        48⤵
        
        PID:768
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuqd.exe"
        47⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxhp.exe"
        46⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjnfnda.exe"
        45⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtkpuqc.exe"
        44⤵
        
        PID:3320
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrnmubxk.exe"
        43⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmtuh.exe"
        42⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkk.exe"
        41⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wit.exe"
        40⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmyybk.exe"
        39⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wchkmpdl.exe"
        38⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfrnvlqu.exe"
        37⤵
        
        PID:4228
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkcial.exe"
        36⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wltts.exe"
        35⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpx.exe"
        34⤵
        
        PID:888
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wutlqo.exe"
        33⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgjos.exe"
        32⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wapxesx.exe"
        31⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnlec.exe"
        30⤵
        
        PID:936
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wovmgf.exe"
        29⤵
        
        PID:3780
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvvffum.exe"
        28⤵
        
        PID:3160
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whvtwduxk.exe"
        27⤵
        
        PID:4036
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkmg.exe"
        26⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjdujju.exe"
        25⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuqysprh.exe"
        24⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyasxp.exe"
        23⤵
        
        PID:640
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4324 -s 1448
        23⤵
        Program crash
        
        PID:448
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkls.exe"
        22⤵
        
        PID:3924
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3416 -s 1460
        22⤵
        Program crash
        
        PID:3168
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkqwye.exe"
        21⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgvglsq.exe"
        20⤵
        
        PID:1204
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wexfd.exe"
        19⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmvjjhfn.exe"
        18⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcvtqg.exe"
        17⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnsb.exe"
        16⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnipoy.exe"
        15⤵
        
        PID:3240
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wimpy.exe"
        14⤵
        
        PID:3780
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxeklta.exe"
        13⤵
        
        PID:3836
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 1660
        13⤵
        Program crash
        
        PID:5008
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wffdj.exe"
        12⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrgpbr.exe"
        11⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wurta.exe"
        10⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whbgn.exe"
        9⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlqrpcyb.exe"
        8⤵
        
        PID:828
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wahorydx.exe"
        7⤵
        
        PID:1248
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wansug.exe"
        6⤵
        
        PID:5036
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 1400
        6⤵
        Program crash
        
        PID:4264
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdawtjpi.exe"
        5⤵
        
        PID:3908
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdq.exe"
      4⤵
      PID:3232
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlfxlj.exe"
    3⤵
    PID:1868
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\a38c943daa633de9360c24fc7c5e578e12a2886d15e3a36d2bfa7d9604b7d9ad.exe"
  2⤵
  PID:2372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2968 -ip 2968
1⤵
PID:4920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2200 -ip 2200
1⤵
PID:368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3416 -ip 3416
1⤵
PID:2000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4324 -ip 4324
1⤵
PID:4740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2456 -ip 2456
1⤵
PID:2552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3676 -ip 3676
1⤵
PID:756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2552 -ip 2552
1⤵
PID:3924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1868 -ip 1868
1⤵
PID:4728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4548 -ip 4548
1⤵
PID:4400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3592 -ip 3592
1⤵
PID:3836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3380 -ip 3380
1⤵
PID:1280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\wahorydx.exe

Filesize
95KB

MD5
309f2d0052bda7321838c6bbc4d85edb

SHA1
69a2c54ae751768e95b0310fbb166d91ac838426

SHA256
c1346afdb54de980a707b7b17166c911654dca8b75db8cbdee88df820b8acc64

SHA512
d6466e3087221de16ee418a5e7b0e3b3582e1178fc29e4142c92e95348251eb2b33208c6caf7a05cc06f4bb13f0bc5dcdc7f46c9c6bd7b803d9c3251d0ffe982

Download Submit
C:\Windows\SysWOW64\wansug.exe

Filesize
95KB

MD5
927f67ef54b7642be231193dae85abbc

SHA1
2a275d145100970eb6611b8ef60234693fb7cc05

SHA256
e9c06a61c43d5330a2644e1012b6ac3fdfa014f7dd01324e4647aa5f4d9dae29

SHA512
42ed40f4685074f1dcc6d27ba78dafa6f7d87d429d1a44c0dd916d30acfe6a83f1861928b6d136297a604cf47299936a80e813f41a1ec568cd1d4233b34bc326

Download Submit
C:\Windows\SysWOW64\wapxesx.exe

Filesize
96KB

MD5
d34f3e6a0ddd6f306dd32c5c93be5301

SHA1
f4dcc2a2448e917d32a69c1c9364fcff7ca73120

SHA256
36a8b6b4fa6d25204bbba163d3c5f6addce288f2a8a4a2be6c64aaf1df759780

SHA512
03cdaffd9f07c3efbcb5b091bb9ab0d623448ab9e5c626bf4bd9b74c80d58d0cc618cf268b0f038861f23260071afe9d2e8730ead0385d3fd4e5954ab547e804

Download Submit
C:\Windows\SysWOW64\wcvtqg.exe

Filesize
95KB

MD5
bae74b2b3b760e94b0467cf8129b2b90

SHA1
a2c51f800245fb6b83b1ae56d218d17ea95178db

SHA256
8c8d06bd2132c09e8cd3ee754c8ec8f7914577aba2d51a023c652ced3e5a6444

SHA512
e6b9bb0d0c1ca8c9b3e4b10425298ee78348c38765b99691545d58493af4dac70cd06e5754bf894da64171f2d99c7d93cdf1d01335bf17c282d8b171069a7095

Download Submit
C:\Windows\SysWOW64\wdawtjpi.exe

Filesize
95KB

MD5
de4b7deeb98c4ccdbd67cd1a4648f468

SHA1
34927d85ce8b83d57e569d3db99aa45fd90ec5c6

SHA256
c8681e065f11b81bf4fcf25c5889d828f5d900ae1672fc20857b4f2b08e720b7

SHA512
5af6b4c48c4f21d074f052a21a9bf949dcd3cdd54d7067c251c28332d5d2a94bc8b7400ad886fa9c7f027e4f07f03fc5f929d86eb696199e474f4cb5ad21e04f

Download Submit
C:\Windows\SysWOW64\wdq.exe

Filesize
95KB

MD5
ba180999e4368c813dcd7beeab232274

SHA1
2fe58415377a7f26e95f8f0a7d667de0068298e6

SHA256
86120063507467b4687c86105da01b34085f846a0b5a2d8c67f2af9c369687fb

SHA512
c668e45d363dfd93dd476884c99d252db3280145c3d089f27588796acfc8d1226d1aa761699638f63df2c785091b50bb22c831fab3aed91fda20a46147aa99b4

Download Submit
C:\Windows\SysWOW64\wexfd.exe

Filesize
95KB

MD5
67081b0f77600996ce62c4c6138c611a

SHA1
127b30ef5365e8b5995520b42d0f42e9df81cff8

SHA256
cb78e707aa595330ae957628063cbdc1a416806e84a42382ccbce25fccf803b8

SHA512
7d11d6e4802dee2bca69b3d35414954493a4040ae89dfa4e896e61e6ddee8d434cf040bd39f5d0fa21459a03f9c77f26b83dd47bb291f46a4d4ca740411fcfea

Download Submit
C:\Windows\SysWOW64\wffdj.exe

Filesize
95KB

MD5
a3dba8f6397837d75205931caf18e8b6

SHA1
0b86016bf8dd8993fd068291a5d80412e9993b58

SHA256
74c41e1fb444c2b223ad09d9de36dbc70decb4710f8adf5e98170f5ca86befe5

SHA512
cf81fff94210b07b7961750d5471e02a102bc7cd4602f4de80d2f3cd48323580bd561c0844a8a16c3f6df65109e2023a875aa9c331ef4ad39c4bd8fc899291ed

Download Submit
C:\Windows\SysWOW64\wgjos.exe

Filesize
96KB

MD5
747d839636516fe9babc81206ad87b10

SHA1
38688dcf3098bcb370cdac3c184a489b59d930fe

SHA256
874904e329fec09ca957efde6bb44ba4b9d0c6f4b89119192070eaf158dc3d81

SHA512
ee9860397c5936e729ba3eac4989d859713add80927ccd1c6ebe55984300ad33650489d09f3c59cd101a4cee423d374a3ee0b1b5cd016afe389b71e8ebf96535

Download Submit
C:\Windows\SysWOW64\wgvglsq.exe

Filesize
95KB

MD5
ade26c838122d9460bb16093a4831c46

SHA1
0778b2c91eb9874ff4febf283a9cab7cb40d83a3

SHA256
7ccff81957d8b1810180795ba4bd6683484725a76e00018a5d411c0e33901f0c

SHA512
443eacd440af5b082d9a777eb2af4466627af16296de24ef890c5657faa3f5d8de5c89c55d98217f0ec6d268ce4d233080062c9e1133a1902a070c146120976b

Download Submit
C:\Windows\SysWOW64\whbgn.exe

Filesize
95KB

MD5
354ada071e12a94dbe1de3396b572878

SHA1
47acee903e869218d9a303f94e90b54f91137eaa

SHA256
80c222563d3f711e4ff080866e7829cb3f6c6955aeeae68aaeef04c5c1324d4d

SHA512
a3d0182cc2a6c1cd5d9028f847b911bbc4f6731481539087b932007277f603622c65972284f76267f294eb22446620c144e9bf45663fc8ae645e46ae134e6bbb

Download Submit
C:\Windows\SysWOW64\whvtwduxk.exe

Filesize
96KB

MD5
14cb619ca19cd65fdbb5293d16682c36

SHA1
388f5030bd25073de088c7bcc52fd0c397d81800

SHA256
398d1dd33d6a8f8e741652251f711e19bd100cac42755116e097f47f7541b18d

SHA512
e15e6aed31fd894497dd390d2b886639a47e150690dc906448fa0c9478b9aa25b03d2fc2f857fc4980b69d89ffe71e10b733a3978d369907983fe4e1762869d7

Download Submit
C:\Windows\SysWOW64\wimpy.exe

Filesize
95KB

MD5
4cf0841b9c917808407a03da1c39a75c

SHA1
18750146fe3957eaa18a90b405575a3c2cb8436a

SHA256
25b310dfc98ab5f4b017ad561c96416081767664232f4e1bb68276f6eec7897d

SHA512
5ef6181d48be3ecca8870b59bbf662a288634cbd424ae86bf6d689514fa3f707998630573f1812b4b49f3da919e23419426e5156e747730f677a924ef15c34ce

Download Submit
C:\Windows\SysWOW64\wjdujju.exe

Filesize
95KB

MD5
9c200624b5a3bb7e9802d9deba4e9678

SHA1
0042b2ab6b151b2e9c0c970253c4cbc04559972c

SHA256
6232e2148b27e22b01c913a6f91e73aa34b51eda7d1c589dfdde04d360ea42b5

SHA512
11227995d9f841db555124da98f96ba6da5c0a6c360ac400c8912e7bde36f0761c664397fc8bbd2994782c27dc3eefc917a553e9455180316e30f83dca9bad69

Download Submit
C:\Windows\SysWOW64\wkls.exe

Filesize
95KB

MD5
1abd16f546aa9a69cc52fe6681102389

SHA1
c8edf8f41da373b8420e565d0b8cdd7ebba831b0

SHA256
a87b339b1ccbb4a592a35b9a3ac5aed7a859a2bd11e64bf5ccd4e3bd5fdb1bac

SHA512
b43c29b9f72da594806a4fb636fd696e1f6a59190aa11db00ade256b25ef8c750ad09d9ebd143af33a47ed0a281fc6ea87a6576f871a3e96766f62d424c0923f

Download Submit
C:\Windows\SysWOW64\wkmg.exe

Filesize
95KB

MD5
df8dd8662145b0225020e4cd3e752fab

SHA1
5a8b964f38b30341898e0ed2e5a1d2d7f572c08b

SHA256
114ce3ebe0462dc898bed50bd0673219ddcb219a1a4fdff0e02f894442040195

SHA512
bd858b9404a5f51905a6eb3d2d656afa8c4742607e2b0275c0cec9362c5e27bdb322afcd516ed106c103b04a35746969887b759d2ec0f33215131411e5413abf

Download Submit
C:\Windows\SysWOW64\wkqwye.exe

Filesize
95KB

MD5
9a0e449616d8aba2d7c7e830821964f4

SHA1
605a634e18319988907b142ae8c161d58d5d8004

SHA256
87d77ce7feee86cd28a17a2571f989d1c8ea418489cb286bcf4f0bb3659af07e

SHA512
ef369b8b3d2b00dd9048efc6b99c74718eaa0c199f10cc14bdc780543bea58f273c201e5333dc5e50b43ba9514cd2634de9d0d8e7c645d04ed2a464a73b90794

Download Submit
C:\Windows\SysWOW64\wlfxlj.exe

Filesize
95KB

MD5
f5af46d1110b4e47ee60348244df64a8

SHA1
3dcf47a591f05b58a241b89f8d2eee64c77dad8d

SHA256
bf7753258f9827a363ddbe0e755d41888e3aa66ef0e81c82fdddf371d780a9d9

SHA512
24e22639ee284a5525457b8e26b423740ecaf5d6711021f80e0dedc2631b3cfeb857439a8676b9bb1f1e9c970be2a4f65c60e6056d8573d7a939da37da186105

Download Submit
C:\Windows\SysWOW64\wlqrpcyb.exe

Filesize
95KB

MD5
05fe4a83f0d5fd11414a619510638b9d

SHA1
d7bb1dd50d9aed50ab9738aabc6f2e8b9df65960

SHA256
6787b7eadc227be726bbca9966ccba669fb1924b908c55e8754543bdc0f4dfe6

SHA512
dcfc97b940deff5d0a8995b57f1d236301fe73b0fefe30902fc59bcd4054166402731a7676962a1d95b234b8bed6f4af8b4cb787a96bef996fc491cb5284ddb9

Download Submit
C:\Windows\SysWOW64\wmvjjhfn.exe

Filesize
95KB

MD5
b04b1a844286d935df75cd807f89f256

SHA1
c49c2173028bda14604990a464e00a5aaee83524

SHA256
c0f092dadbaaf3704bf8268e8fc9f3a2e3b6e0356405096deb9aa4590e51da1d

SHA512
5f4e0f8c527382cf21e3f624e9c9a3d27034e0abe8528f9f6f841b09acde56089fc1aea07ff890d1d2e76b9ac29eede62bbdbeb56269f410e5ec9bd7601d79fb

Download Submit
C:\Windows\SysWOW64\wnipoy.exe

Filesize
95KB

MD5
4085d37a6b0aa5789f06dc1715b34c4e

SHA1
e744fa4fce557279faad04fe6874cbc70548162b

SHA256
e3a7d2a4f7ef1fc9904e008820a85011eb9b43ad5185a0d8e50977211a66b92a

SHA512
775c96f57b3e4ba4637ac35b6f9b47056c9689e5825061a1633ebae3bea1dd9065eef6117881c549fb8ed4f3c07af84a3fd29af077c9f04bbcba74bb2da7a9f3

Download Submit
C:\Windows\SysWOW64\wnlec.exe

Filesize
96KB

MD5
7fb46e1ee96f232fc7a178623bbdf78e

SHA1
9ef4fdf4eb3823d889d03cf0083c38aa278d4469

SHA256
4d6f3782d88a67caeabf38bfdc602163376320721ac0996bb32e01578f869ae3

SHA512
1307abfe135bb1af9217b5a34a069d677c72e3c59a623cb1082af6ad8127b42141c85a0742e8f8f7c0122e94ab923ebb91782ee947de070eeb68ba3c16443958

Download Submit
C:\Windows\SysWOW64\wnsb.exe

Filesize
95KB

MD5
28f66cffeecb195b5ed39e354da54568

SHA1
5ded16363ed7ce63a9c32aa84aef70287d726093

SHA256
2ce40692f74f1eb019fdd68df80e03be0f9fba9913881d6857d418d86824f091

SHA512
d47ed7b1a5222517cc3ebffb1b1cf1fdebfd496f6d1f92856369db66882078a3fb6477bf4cef998bb8cb6da0c3295e8e1fb0884e7ed9ab9cc2ddbb705649f210

Download Submit
C:\Windows\SysWOW64\wovmgf.exe

Filesize
96KB

MD5
c4040135afaa24b1448e48574690d253

SHA1
3972a2593bb9754426712cea663f7d576e977ac1

SHA256
872bc0732089aaca1dc73f9bce564250582342963083075c97fd847784f9318a

SHA512
ff180b0e6815015a65548ce0d356a7c87d5fb38a63e7dd15930451c62547d41096969db688419210ee8965313390c25f346903daf55243a6cd9a38f9eff3aed3

Download Submit
C:\Windows\SysWOW64\wpx.exe

Filesize
96KB

MD5
a8743fd475c5811fe86ce93d7e105c99

SHA1
852cc573a91335b093783145fe7d13b3442f41da

SHA256
0d047c86e1fee4769d046b67491ccc5d471b48f884426d634e15d1a50428ab56

SHA512
09d547d124882c9e36fd59f34856af1c8373543ca38e66f560cc4d7e344a5643cde50004cad7c97541d28f7230b63f4043fc48c5ab0b227e1218a86efcedeb9d

Download Submit
C:\Windows\SysWOW64\wrgpbr.exe

Filesize
95KB

MD5
0ae9706c0e1e74bc89a481eeced09af2

SHA1
7d4080c5d1ca12b8b12e34fc296002326047ad4c

SHA256
ab725193385591b1ffaf40526b1fee8576347a30643763e693f0b6ad4ceca2e5

SHA512
a17209e5688867983b7e7192951fedb51808eeae51702bf1f8348194e672e94d275dbecf8ea95b9911cc14321ab9f22aab53d9802a922fabcbe5bafefcd38b92

Download Submit
C:\Windows\SysWOW64\wuqysprh.exe

Filesize
95KB

MD5
0d543649544448e9c702bc267b589a35

SHA1
5242fe33a403babde5a7fe76a70ae253cc6955cd

SHA256
d92768bac4aa16d70938515440672b8502bf4810708622311c4278dd7d7ace07

SHA512
40f40d8064ddd9a80b58ab334e2a772263c9aa5ccb8a6881b7982982e32ef364eb66e1bde9a10cf86000d049aa1fd8feec8fa4d4390b2ca6c23b8943120f7359

Download Submit
C:\Windows\SysWOW64\wurta.exe

Filesize
95KB

MD5
c4ea78bcc78ac09dac30c2b48dafb667

SHA1
0e9213e6a50a7be34c37171d816e186b5ce87d10

SHA256
7f810008327abcf2f7f3b7778eab4e213144dc48000314e27ebaabe0bac8ea15

SHA512
ce7e1d20b21d26f89c9d2e791a8d2e7dd5cd78010f692c5a3fa235b8982f75ca9d4ebea27bf0325130a4c9c5484e1775356e8fe1f9cfc515607c9a0fb628b8fe

Download Submit
C:\Windows\SysWOW64\wutlqo.exe

Filesize
96KB

MD5
47a6b0f975148af20885a27b3d6f4b91

SHA1
84a1b5e052db216b61d4ca16c839b71b79034ac8

SHA256
7a0d2a2948b4c001e1334fb96afaa6c3647bd051489a574bc0e63849ab424396

SHA512
2e9e19614064847efa9e851347021e1f652caf4125b977d722a5bd1657d4d04660dda137e27f1b99ddfc777be4612822bd42b06fd0cf4853731dc25aa45f2407

Download Submit
C:\Windows\SysWOW64\wvvffum.exe

Filesize
96KB

MD5
0bec48f118f035c85394b0342a561103

SHA1
d52840ca1c2a8f69987837c3f1b7d79988834a79

SHA256
1d52bd7694942cca44f18a6c7c95159d7cd6f00047a20189023e4e20cf42d08c

SHA512
5eb6ea7451bf561f83350cb5fa71b8f9b8382050e80783daa770aa33570c359eecd97753301b0f13d9f2245bf9cc9a154ea3e1e09915de8f5fab57f2d2a29470

Download Submit
C:\Windows\SysWOW64\wxeklta.exe

Filesize
95KB

MD5
ec35cc8800887fa9d342127b4b4714df

SHA1
ebd73cdda2b5465577c5d3605ec693c962b96521

SHA256
bc1dcfb42e60366dba6ee92ad7969ac06440e1fab2d2fc26444f4f06987fd7d4

SHA512
f18e6a42758f6e847806015c749dacfb867d51b32329b4e9a0f40d11f545326eeb15fa5f7b303ea2dc9d01a639700cbb3f946b6089d8de80d809aae8054c6870

Download Submit
C:\Windows\SysWOW64\wyasxp.exe

Filesize
95KB

MD5
cc58d0f907d1a9ba7c176a32a48cc50a

SHA1
2c3c38b635172ff0391afe5242f78c22f6e02617

SHA256
6077e194a52aadb82bb11a4d26fb52802f5c28788de2bab3a2345f22d624d93a

SHA512
8f943ad16655137543daeef3fe974a9822171de8fa0a4e7c75e1950fac700a82cab8203f6208217e6e383702b101fc8475a6381a4ee8dd23db086cd9e9cfabf1

Download Submit
memory/228-243-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/228-254-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/452-136-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/452-148-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/768-381-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/768-372-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/968-61-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1004-147-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1004-159-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1096-306-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1128-364-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1264-92-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1264-104-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1372-93-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2004-103-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2004-115-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2084-285-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2084-296-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2200-126-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2200-114-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2700-200-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2968-51-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2972-20-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3156-373-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3176-169-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3176-338-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3176-348-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3176-158-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3220-190-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3220-179-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3228-72-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3244-30-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3244-41-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3416-222-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3416-210-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3440-399-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3440-389-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3452-211-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3488-415-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3520-10-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3520-0-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3836-317-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3932-275-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3932-265-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3948-264-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4068-137-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4068-125-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4244-31-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4264-286-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4324-221-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4412-82-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4412-71-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4544-232-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4544-244-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4760-407-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4760-398-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4812-390-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4872-180-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4884-316-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4884-328-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4900-339-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4900-327-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4952-356-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4952-347-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download