71565192fdf78016e9096f6dfec6915bedeb5a7b279ca139476e1cf1df97b2df

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
15/04/2024, 14:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f13cf06f8beb2ca2c3c85531b5723b2c_JaffaCakes118.exe
Size

496KB
MD5

f13cf06f8beb2ca2c3c85531b5723b2c
SHA1

126cb64f21f5a1651d1ba0731d98cd455f98fd86
SHA256

71565192fdf78016e9096f6dfec6915bedeb5a7b279ca139476e1cf1df97b2df
SHA512

084009c84af2230ef8c55a5b9557a27685026dd63f090b6dccc16f53d2f97c5307ddfb664f6534ce76ef425cfe423e4ce4330185a048a8f873b35f03cc5f395f
SSDEEP

12288:aW7X4rzee+qF2d2t4RyKQSAWm4gjJ6qM4+jTCHUmWRFRi:BEeexupyrIU0rD

Score

7^/10

themida

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
2064	auncpwuv.exe
2432	ttepmgld.exe
1960	btyqmkzr.exe
2792	fytiahni.exe
1120	pqgymsfy.exe
1708	ytestivj.exe
1324	ftsdisos.exe
2852	nqlitqbz.exe
2368	mimtnklq.exe
560	eixqmqwd.exe
848	vsabtimp.exe
1776	tnwosltb.exe
1992	maijsrnx.exe
2932	msjtuexg.exe
1844	esmrljbb.exe
2296	rbqmweqz.exe
2676	iiqjaszj.exe
2816	kheryxnm.exe
2340	ksqjnjry.exe
1592	hixrgief.exe
1096	givmhydj.exe
2348	cnqmvmsj.exe
2240	hhhsfeif.exe
2868	qnjnjgck.exe
1716	fzhsmpps.exe
2436	pnipcoco.exe
1684	cazfisat.exe
1928	wktnouov.exe
660	zqhydmxr.exe
2536	wszlzxja.exe
872	volieosl.exe
2844	kskgbjok.exe
2948	enpobcwh.exe
2724	astycwzb.exe
2736	qwbtykww.exe
2764	vqjbxugb.exe
2916	vbwtlgkv.exe
1568	rcggpjww.exe
2580	mbwbshlv.exe
1756	tfgobsol.exe
2616	ysaovctt.exe
1676	pclzcurg.exe
272	pkyroksy.exe
696	ephemkzj.exe
2124	mwdwhzit.exe
1552	okfzczxu.exe
2668	voimtsak.exe
2832	tlommrfq.exe
1500	hejjvjfv.exe
1132	urahbedi.exe
1196	xjsxtalg.exe
1696	rllfzcza.exe
2420	gtgxagfg.exe
2556	phguyosc.exe
1284	kgwptmhb.exe
1968	hstvlbxx.exe
1408	qnrxarnp.exe
1880	naodkgdl.exe
1672	cpxnrlwn.exe
2172	ezoljhwl.exe
592	bagynsiv.exe
1072	vkigsueo.exe
3020	njklpnyt.exe
2840	fbnvxfnf.exe

Loads dropped DLL 64 IoCs

pid	Process
2024	f13cf06f8beb2ca2c3c85531b5723b2c_JaffaCakes118.exe
2024	f13cf06f8beb2ca2c3c85531b5723b2c_JaffaCakes118.exe
2064	auncpwuv.exe
2064	auncpwuv.exe
2432	ttepmgld.exe
2432	ttepmgld.exe
1960	btyqmkzr.exe
1960	btyqmkzr.exe
2792	fytiahni.exe
2792	fytiahni.exe
1120	pqgymsfy.exe
1120	pqgymsfy.exe
1708	ytestivj.exe
1708	ytestivj.exe
1324	ftsdisos.exe
1324	ftsdisos.exe
2852	nqlitqbz.exe
2852	nqlitqbz.exe
2368	mimtnklq.exe
2368	mimtnklq.exe
560	eixqmqwd.exe
560	eixqmqwd.exe
848	vsabtimp.exe
848	vsabtimp.exe
1776	tnwosltb.exe
1776	tnwosltb.exe
1992	maijsrnx.exe
1992	maijsrnx.exe
2932	msjtuexg.exe
2932	msjtuexg.exe
1844	esmrljbb.exe
1844	esmrljbb.exe
2296	rbqmweqz.exe
2296	rbqmweqz.exe
2676	iiqjaszj.exe
2676	iiqjaszj.exe
2816	kheryxnm.exe
2816	kheryxnm.exe
2340	ksqjnjry.exe
2340	ksqjnjry.exe
1592	hixrgief.exe
1592	hixrgief.exe
1096	givmhydj.exe
1096	givmhydj.exe
2348	cnqmvmsj.exe
2348	cnqmvmsj.exe
2240	hhhsfeif.exe
2240	hhhsfeif.exe
2868	qnjnjgck.exe
2868	qnjnjgck.exe
1716	fzhsmpps.exe
1716	fzhsmpps.exe
2436	pnipcoco.exe
2436	pnipcoco.exe
1684	cazfisat.exe
1684	cazfisat.exe
1928	wktnouov.exe
1928	wktnouov.exe
660	zqhydmxr.exe
660	zqhydmxr.exe
2536	wszlzxja.exe
2536	wszlzxja.exe
872	volieosl.exe
872	volieosl.exe

Themida packer 64 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/2024-0-0x0000000000400000-0x00000000005BB000-memory.dmp	themida
behavioral1/files/0x000a00000001227d-15.dat	themida
behavioral1/memory/2024-22-0x0000000000400000-0x00000000005BB000-memory.dmp	themida
behavioral1/memory/2064-26-0x0000000000400000-0x00000000005BB000-memory.dmp	themida
behavioral1/memory/2064-45-0x0000000000400000-0x00000000005BB000-memory.dmp	themida
behavioral1/memory/2432-49-0x0000000000400000-0x00000000005BB000-memory.dmp	themida
behavioral1/memory/2432-62-0x0000000000400000-0x00000000005BB000-memory.dmp	themida
behavioral1/memory/1960-67-0x0000000000400000-0x00000000005BB000-memory.dmp	themida
behavioral1/memory/1960-86-0x0000000000400000-0x00000000005BB000-memory.dmp	themida
behavioral1/memory/2792-90-0x0000000000400000-0x00000000005BB000-memory.dmp	themida
behavioral1/memory/1120-106-0x0000000000400000-0x00000000005BB000-memory.dmp	themida
behavioral1/memory/1120-120-0x0000000000400000-0x00000000005BB000-memory.dmp	themida
behavioral1/memory/1708-125-0x0000000000400000-0x00000000005BB000-memory.dmp	themida
behavioral1/memory/1708-140-0x0000000000400000-0x00000000005BB000-memory.dmp	themida
behavioral1/memory/1324-165-0x0000000000400000-0x00000000005BB000-memory.dmp	themida
behavioral1/memory/2368-211-0x0000000000400000-0x00000000005BB000-memory.dmp	themida
behavioral1/memory/1992-307-0x0000000000400000-0x00000000005BB000-memory.dmp	themida
behavioral1/memory/2932-323-0x0000000000400000-0x00000000005BB000-memory.dmp	themida
behavioral1/memory/1844-348-0x0000000000400000-0x00000000005BB000-memory.dmp	themida
behavioral1/memory/2296-380-0x0000000000400000-0x00000000005BB000-memory.dmp	themida
behavioral1/memory/2676-388-0x0000000000400000-0x00000000005BB000-memory.dmp	themida
behavioral1/memory/2816-408-0x0000000000400000-0x00000000005BB000-memory.dmp	themida
behavioral1/memory/2340-417-0x0000000000400000-0x00000000005BB000-memory.dmp	themida
behavioral1/memory/1592-424-0x0000000000400000-0x00000000005BB000-memory.dmp	themida
behavioral1/memory/1096-431-0x0000000000400000-0x00000000005BB000-memory.dmp	themida
behavioral1/memory/2348-438-0x0000000000400000-0x00000000005BB000-memory.dmp	themida
behavioral1/memory/2240-445-0x0000000000400000-0x00000000005BB000-memory.dmp	themida
behavioral1/memory/1716-498-0x0000000000400000-0x00000000005BB000-memory.dmp	themida
behavioral1/memory/2436-505-0x0000000000400000-0x00000000005BB000-memory.dmp	themida
behavioral1/memory/1684-529-0x0000000000400000-0x00000000005BB000-memory.dmp	themida
behavioral1/memory/1928-557-0x0000000000400000-0x00000000005BB000-memory.dmp	themida
behavioral1/memory/660-568-0x0000000000400000-0x00000000005BB000-memory.dmp	themida
behavioral1/memory/2536-575-0x0000000000400000-0x00000000005BB000-memory.dmp	themida
behavioral1/memory/872-582-0x0000000000400000-0x00000000005BB000-memory.dmp	themida
behavioral1/memory/2844-589-0x0000000000400000-0x00000000005BB000-memory.dmp	themida
behavioral1/memory/2724-638-0x0000000000400000-0x00000000005BB000-memory.dmp	themida
behavioral1/memory/2736-661-0x0000000000400000-0x00000000005BB000-memory.dmp	themida
behavioral1/memory/2764-668-0x0000000000400000-0x00000000005BB000-memory.dmp	themida
behavioral1/memory/2916-689-0x0000000000400000-0x00000000005BB000-memory.dmp	themida
behavioral1/memory/1568-720-0x0000000000400000-0x00000000005BB000-memory.dmp	themida
behavioral1/memory/2580-738-0x0000000000400000-0x00000000005BB000-memory.dmp	themida
behavioral1/memory/1756-747-0x0000000000400000-0x00000000005BB000-memory.dmp	themida
behavioral1/memory/2616-772-0x0000000000400000-0x00000000005BB000-memory.dmp	themida
behavioral1/memory/1676-788-0x0000000000400000-0x00000000005BB000-memory.dmp	themida
behavioral1/memory/272-808-0x0000000000400000-0x00000000005BB000-memory.dmp	themida
behavioral1/memory/696-841-0x0000000000400000-0x00000000005BB000-memory.dmp	themida
behavioral1/memory/2124-857-0x0000000000400000-0x00000000005BB000-memory.dmp	themida
behavioral1/memory/1552-867-0x0000000000400000-0x00000000005BB000-memory.dmp	themida
behavioral1/memory/2668-887-0x0000000000400000-0x00000000005BB000-memory.dmp	themida
behavioral1/memory/2832-917-0x0000000000400000-0x00000000005BB000-memory.dmp	themida
behavioral1/memory/1500-934-0x0000000000400000-0x00000000005BB000-memory.dmp	themida
behavioral1/memory/1132-955-0x0000000000400000-0x00000000005BB000-memory.dmp	themida
behavioral1/memory/1196-964-0x0000000000400000-0x00000000005BB000-memory.dmp	themida
behavioral1/memory/1696-990-0x0000000000400000-0x00000000005BB000-memory.dmp	themida
behavioral1/memory/2420-1004-0x0000000000400000-0x00000000005BB000-memory.dmp	themida
behavioral1/memory/2556-1012-0x0000000000400000-0x00000000005BB000-memory.dmp	themida
behavioral1/memory/1284-1019-0x0000000000400000-0x00000000005BB000-memory.dmp	themida
behavioral1/memory/1968-1026-0x0000000000400000-0x00000000005BB000-memory.dmp	themida
behavioral1/memory/1408-1033-0x0000000000400000-0x00000000005BB000-memory.dmp	themida
behavioral1/memory/1880-1052-0x0000000000400000-0x00000000005BB000-memory.dmp	themida
behavioral1/memory/2172-1086-0x0000000000400000-0x00000000005BB000-memory.dmp	themida
behavioral1/memory/592-1124-0x0000000000400000-0x00000000005BB000-memory.dmp	themida
behavioral1/memory/1072-1125-0x0000000000400000-0x00000000005BB000-memory.dmp	themida
behavioral1/memory/3020-1147-0x0000000000400000-0x00000000005BB000-memory.dmp	themida

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\hstvlbxx.exe	kgwptmhb.exe
File created	C:\Windows\SysWOW64\zrkvzuhc.exe	flttwxsd.exe
File opened for modification	C:\Windows\SysWOW64\fzhsmpps.exe	qnjnjgck.exe
File opened for modification	C:\Windows\SysWOW64\ncmolmra.exe	fbnvxfnf.exe
File opened for modification	C:\Windows\SysWOW64\kqcgjwxk.exe	ifbyxnfv.exe
File opened for modification	C:\Windows\SysWOW64\nwncdpji.exe	iztkqtuj.exe
File opened for modification	C:\Windows\SysWOW64\ppzceqxs.exe	kviptyhw.exe
File created	C:\Windows\SysWOW64\tnwosltb.exe	vsabtimp.exe
File opened for modification	C:\Windows\SysWOW64\psrnpxch.exe	ewydhdtb.exe
File created	C:\Windows\SysWOW64\lpcgxoka.exe	earilqxu.exe
File opened for modification	C:\Windows\SysWOW64\gtgxagfg.exe	rllfzcza.exe
File created	C:\Windows\SysWOW64\loverdep.exe	thvomonx.exe
File created	C:\Windows\SysWOW64\zjzzsgpq.exe	fdrexiiq.exe
File opened for modification	C:\Windows\SysWOW64\imvwlnwx.exe	fuvgtroz.exe
File created	C:\Windows\SysWOW64\oordzcnk.exe	jfjjixhe.exe
File created	C:\Windows\SysWOW64\suhorycl.exe	lbivifph.exe
File created	C:\Windows\SysWOW64\gioinfqj.exe	hqnytlgs.exe
File created	C:\Windows\SysWOW64\idfxjnxj.exe	ikenpsns.exe
File created	C:\Windows\SysWOW64\tkmrggoo.exe	ppehobts.exe
File opened for modification	C:\Windows\SysWOW64\wnktotcl.exe	qnojarjc.exe
File created	C:\Windows\SysWOW64\quljkjen.exe	eawjwjpv.exe
File created	C:\Windows\SysWOW64\gqiulvdp.exe	wgrwmsre.exe
File opened for modification	C:\Windows\SysWOW64\ywwwpdtk.exe	zwzlqiew.exe
File opened for modification	C:\Windows\SysWOW64\gdguluzj.exe	xtstfwyk.exe
File created	C:\Windows\SysWOW64\crsibkeq.exe	kygsikrm.exe
File created	C:\Windows\SysWOW64\eevlwktr.exe	crsibkeq.exe
File opened for modification	C:\Windows\SysWOW64\nauygnts.exe	lbgiiigx.exe
File opened for modification	C:\Windows\SysWOW64\ikenpsns.exe	tckmpwin.exe
File opened for modification	C:\Windows\SysWOW64\kviptyhw.exe	gycfaick.exe
File opened for modification	C:\Windows\SysWOW64\ytiltufi.exe	zmkvirkv.exe
File opened for modification	C:\Windows\SysWOW64\xlaugyva.exe	hkoufbim.exe
File created	C:\Windows\SysWOW64\pqnhwgxb.exe	vsxntiij.exe
File opened for modification	C:\Windows\SysWOW64\nuhvgnkq.exe	basnaowp.exe
File opened for modification	C:\Windows\SysWOW64\cazfisat.exe	pnipcoco.exe
File opened for modification	C:\Windows\SysWOW64\fekyrljm.exe	jspgtvqi.exe
File created	C:\Windows\SysWOW64\ttepmgld.exe	auncpwuv.exe
File opened for modification	C:\Windows\SysWOW64\gjudxsur.exe	xovbpceg.exe
File created	C:\Windows\SysWOW64\givmhydj.exe	hixrgief.exe
File opened for modification	C:\Windows\SysWOW64\iiijmnuf.exe	nfdtmuli.exe
File opened for modification	C:\Windows\SysWOW64\iztkqtuj.exe	rhiziaex.exe
File created	C:\Windows\SysWOW64\vlvyqdfl.exe	vwytzvcx.exe
File opened for modification	C:\Windows\SysWOW64\kgfioxhv.exe	mjksqtgt.exe
File created	C:\Windows\SysWOW64\wvpeiiby.exe	zuwrnfpp.exe
File opened for modification	C:\Windows\SysWOW64\plzfwmpo.exe	azuatddg.exe
File opened for modification	C:\Windows\SysWOW64\vsabtimp.exe	eixqmqwd.exe
File opened for modification	C:\Windows\SysWOW64\loverdep.exe	thvomonx.exe
File opened for modification	C:\Windows\SysWOW64\bbxmdxkt.exe	btzokcxo.exe
File created	C:\Windows\SysWOW64\cazfisat.exe	pnipcoco.exe
File created	C:\Windows\SysWOW64\mbwbshlv.exe	rcggpjww.exe
File created	C:\Windows\SysWOW64\kjuhmwkk.exe	yhrhuhnz.exe
File created	C:\Windows\SysWOW64\lbvaseyz.exe	rcwnvmzj.exe
File opened for modification	C:\Windows\SysWOW64\qaijyips.exe	ytiltufi.exe
File created	C:\Windows\SysWOW64\eixqmqwd.exe	mimtnklq.exe
File created	C:\Windows\SysWOW64\rmhzvvlh.exe	uhmzwfse.exe
File opened for modification	C:\Windows\SysWOW64\pemwdwug.exe	vywbizfh.exe
File created	C:\Windows\SysWOW64\krzwvsni.exe	qaijyips.exe
File opened for modification	C:\Windows\SysWOW64\mcncampe.exe	pmgrfsag.exe
File opened for modification	C:\Windows\SysWOW64\pxmyqetm.exe	vvsqlcfk.exe
File opened for modification	C:\Windows\SysWOW64\ydibhyuh.exe	uqpbooiz.exe
File opened for modification	C:\Windows\SysWOW64\qnrxarnp.exe	hstvlbxx.exe
File created	C:\Windows\SysWOW64\nxjygrmh.exe	fekyrljm.exe
File opened for modification	C:\Windows\SysWOW64\idfxjnxj.exe	ikenpsns.exe
File opened for modification	C:\Windows\SysWOW64\rmhzvvlh.exe	uhmzwfse.exe
File opened for modification	C:\Windows\SysWOW64\hkoufbim.exe	vmnhxyvr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2024	f13cf06f8beb2ca2c3c85531b5723b2c_JaffaCakes118.exe
2064	auncpwuv.exe
2432	ttepmgld.exe
1960	btyqmkzr.exe
2792	fytiahni.exe
1120	pqgymsfy.exe
1708	ytestivj.exe
1324	ftsdisos.exe
2852	nqlitqbz.exe
2368	mimtnklq.exe
560	eixqmqwd.exe
848	vsabtimp.exe
1776	tnwosltb.exe
1992	maijsrnx.exe
2932	msjtuexg.exe
1844	esmrljbb.exe
2296	rbqmweqz.exe
2676	iiqjaszj.exe
2816	kheryxnm.exe
2340	ksqjnjry.exe
1592	hixrgief.exe
1096	givmhydj.exe
2348	cnqmvmsj.exe
2240	hhhsfeif.exe
2868	qnjnjgck.exe
1716	fzhsmpps.exe
2436	pnipcoco.exe
1684	cazfisat.exe
1928	wktnouov.exe
660	zqhydmxr.exe
2536	wszlzxja.exe
872	volieosl.exe
2844	kskgbjok.exe
2948	enpobcwh.exe
2724	astycwzb.exe
2736	qwbtykww.exe
2764	vqjbxugb.exe
2916	vbwtlgkv.exe
1568	rcggpjww.exe
2580	mbwbshlv.exe
1756	tfgobsol.exe
2616	ysaovctt.exe
1676	pclzcurg.exe
272	pkyroksy.exe
696	ephemkzj.exe
2124	mwdwhzit.exe
1552	okfzczxu.exe
2668	voimtsak.exe
2832	tlommrfq.exe
1500	hejjvjfv.exe
1132	urahbedi.exe
1196	xjsxtalg.exe
1696	rllfzcza.exe
2420	gtgxagfg.exe
2556	phguyosc.exe
1284	kgwptmhb.exe
1968	hstvlbxx.exe
1408	qnrxarnp.exe
1880	naodkgdl.exe
1672	cpxnrlwn.exe
2172	ezoljhwl.exe
592	bagynsiv.exe
1072	vkigsueo.exe
3020	njklpnyt.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2024 wrote to memory of 2064	2024	f13cf06f8beb2ca2c3c85531b5723b2c_JaffaCakes118.exe	28
PID 2024 wrote to memory of 2064	2024	f13cf06f8beb2ca2c3c85531b5723b2c_JaffaCakes118.exe	28
PID 2024 wrote to memory of 2064	2024	f13cf06f8beb2ca2c3c85531b5723b2c_JaffaCakes118.exe	28
PID 2024 wrote to memory of 2064	2024	f13cf06f8beb2ca2c3c85531b5723b2c_JaffaCakes118.exe	28
PID 2064 wrote to memory of 2432	2064	auncpwuv.exe	29
PID 2064 wrote to memory of 2432	2064	auncpwuv.exe	29
PID 2064 wrote to memory of 2432	2064	auncpwuv.exe	29
PID 2064 wrote to memory of 2432	2064	auncpwuv.exe	29
PID 2432 wrote to memory of 1960	2432	ttepmgld.exe	30
PID 2432 wrote to memory of 1960	2432	ttepmgld.exe	30
PID 2432 wrote to memory of 1960	2432	ttepmgld.exe	30
PID 2432 wrote to memory of 1960	2432	ttepmgld.exe	30
PID 1960 wrote to memory of 2792	1960	btyqmkzr.exe	31
PID 1960 wrote to memory of 2792	1960	btyqmkzr.exe	31
PID 1960 wrote to memory of 2792	1960	btyqmkzr.exe	31
PID 1960 wrote to memory of 2792	1960	btyqmkzr.exe	31
PID 2792 wrote to memory of 1120	2792	fytiahni.exe	32
PID 2792 wrote to memory of 1120	2792	fytiahni.exe	32
PID 2792 wrote to memory of 1120	2792	fytiahni.exe	32
PID 2792 wrote to memory of 1120	2792	fytiahni.exe	32
PID 1120 wrote to memory of 1708	1120	pqgymsfy.exe	33
PID 1120 wrote to memory of 1708	1120	pqgymsfy.exe	33
PID 1120 wrote to memory of 1708	1120	pqgymsfy.exe	33
PID 1120 wrote to memory of 1708	1120	pqgymsfy.exe	33
PID 1708 wrote to memory of 1324	1708	ytestivj.exe	34
PID 1708 wrote to memory of 1324	1708	ytestivj.exe	34
PID 1708 wrote to memory of 1324	1708	ytestivj.exe	34
PID 1708 wrote to memory of 1324	1708	ytestivj.exe	34
PID 1324 wrote to memory of 2852	1324	ftsdisos.exe	35
PID 1324 wrote to memory of 2852	1324	ftsdisos.exe	35
PID 1324 wrote to memory of 2852	1324	ftsdisos.exe	35
PID 1324 wrote to memory of 2852	1324	ftsdisos.exe	35
PID 2852 wrote to memory of 2368	2852	nqlitqbz.exe	36
PID 2852 wrote to memory of 2368	2852	nqlitqbz.exe	36
PID 2852 wrote to memory of 2368	2852	nqlitqbz.exe	36
PID 2852 wrote to memory of 2368	2852	nqlitqbz.exe	36
PID 2368 wrote to memory of 560	2368	mimtnklq.exe	37
PID 2368 wrote to memory of 560	2368	mimtnklq.exe	37
PID 2368 wrote to memory of 560	2368	mimtnklq.exe	37
PID 2368 wrote to memory of 560	2368	mimtnklq.exe	37
PID 560 wrote to memory of 848	560	eixqmqwd.exe	38
PID 560 wrote to memory of 848	560	eixqmqwd.exe	38
PID 560 wrote to memory of 848	560	eixqmqwd.exe	38
PID 560 wrote to memory of 848	560	eixqmqwd.exe	38
PID 848 wrote to memory of 1776	848	vsabtimp.exe	39
PID 848 wrote to memory of 1776	848	vsabtimp.exe	39
PID 848 wrote to memory of 1776	848	vsabtimp.exe	39
PID 848 wrote to memory of 1776	848	vsabtimp.exe	39
PID 1776 wrote to memory of 1992	1776	tnwosltb.exe	40
PID 1776 wrote to memory of 1992	1776	tnwosltb.exe	40
PID 1776 wrote to memory of 1992	1776	tnwosltb.exe	40
PID 1776 wrote to memory of 1992	1776	tnwosltb.exe	40
PID 1992 wrote to memory of 2932	1992	maijsrnx.exe	41
PID 1992 wrote to memory of 2932	1992	maijsrnx.exe	41
PID 1992 wrote to memory of 2932	1992	maijsrnx.exe	41
PID 1992 wrote to memory of 2932	1992	maijsrnx.exe	41
PID 2932 wrote to memory of 1844	2932	msjtuexg.exe	42
PID 2932 wrote to memory of 1844	2932	msjtuexg.exe	42
PID 2932 wrote to memory of 1844	2932	msjtuexg.exe	42
PID 2932 wrote to memory of 1844	2932	msjtuexg.exe	42
PID 1844 wrote to memory of 2296	1844	esmrljbb.exe	43
PID 1844 wrote to memory of 2296	1844	esmrljbb.exe	43
PID 1844 wrote to memory of 2296	1844	esmrljbb.exe	43
PID 1844 wrote to memory of 2296	1844	esmrljbb.exe	43

C:\Users\Admin\AppData\Local\Temp\f13cf06f8beb2ca2c3c85531b5723b2c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f13cf06f8beb2ca2c3c85531b5723b2c_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2024
- C:\Windows\SysWOW64\auncpwuv.exe
  C:\Windows\system32\auncpwuv.exe 660 "C:\Users\Admin\AppData\Local\Temp\f13cf06f8beb2ca2c3c85531b5723b2c_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2064
- - C:\Windows\SysWOW64\ttepmgld.exe
    C:\Windows\system32\ttepmgld.exe 628 "C:\Windows\SysWOW64\auncpwuv.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2432
  - - C:\Windows\SysWOW64\btyqmkzr.exe
      C:\Windows\system32\btyqmkzr.exe 636 "C:\Windows\SysWOW64\ttepmgld.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1960
    - - C:\Windows\SysWOW64\fytiahni.exe
        
        C:\Windows\system32\fytiahni.exe 624 "C:\Windows\SysWOW64\btyqmkzr.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2792
      - C:\Windows\SysWOW64\pqgymsfy.exe
        
        C:\Windows\system32\pqgymsfy.exe 640 "C:\Windows\SysWOW64\fytiahni.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1120
        
        C:\Windows\SysWOW64\ytestivj.exe
        
        C:\Windows\system32\ytestivj.exe 644 "C:\Windows\SysWOW64\pqgymsfy.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1708
        
        C:\Windows\SysWOW64\ftsdisos.exe
        
        C:\Windows\system32\ftsdisos.exe 648 "C:\Windows\SysWOW64\ytestivj.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1324
        
        C:\Windows\SysWOW64\nqlitqbz.exe
        
        C:\Windows\system32\nqlitqbz.exe 632 "C:\Windows\SysWOW64\ftsdisos.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2852
        
        C:\Windows\SysWOW64\mimtnklq.exe
        
        C:\Windows\system32\mimtnklq.exe 684 "C:\Windows\SysWOW64\nqlitqbz.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2368
        
        C:\Windows\SysWOW64\eixqmqwd.exe
        
        C:\Windows\system32\eixqmqwd.exe 656 "C:\Windows\SysWOW64\mimtnklq.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:560
        
        C:\Windows\SysWOW64\vsabtimp.exe
        
        C:\Windows\system32\vsabtimp.exe 664 "C:\Windows\SysWOW64\eixqmqwd.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:848
        
        C:\Windows\SysWOW64\tnwosltb.exe
        
        C:\Windows\system32\tnwosltb.exe 652 "C:\Windows\SysWOW64\vsabtimp.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1776
        
        C:\Windows\SysWOW64\maijsrnx.exe
        
        C:\Windows\system32\maijsrnx.exe 676 "C:\Windows\SysWOW64\tnwosltb.exe"
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1992
        
        C:\Windows\SysWOW64\msjtuexg.exe
        
        C:\Windows\system32\msjtuexg.exe 668 "C:\Windows\SysWOW64\maijsrnx.exe"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2932
        
        C:\Windows\SysWOW64\esmrljbb.exe
        
        C:\Windows\system32\esmrljbb.exe 708 "C:\Windows\SysWOW64\msjtuexg.exe"
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1844
        
        C:\Windows\SysWOW64\rbqmweqz.exe
        
        C:\Windows\system32\rbqmweqz.exe 712 "C:\Windows\SysWOW64\esmrljbb.exe"
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:2296
        
        C:\Windows\SysWOW64\iiqjaszj.exe
        
        C:\Windows\system32\iiqjaszj.exe 692 "C:\Windows\SysWOW64\rbqmweqz.exe"
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:2676
        
        C:\Windows\SysWOW64\kheryxnm.exe
        
        C:\Windows\system32\kheryxnm.exe 744 "C:\Windows\SysWOW64\iiqjaszj.exe"
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:2816
        
        C:\Windows\SysWOW64\ksqjnjry.exe
        
        C:\Windows\system32\ksqjnjry.exe 720 "C:\Windows\SysWOW64\kheryxnm.exe"
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:2340
        
        C:\Windows\SysWOW64\hixrgief.exe
        
        C:\Windows\system32\hixrgief.exe 620 "C:\Windows\SysWOW64\ksqjnjry.exe"
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1592
        
        C:\Windows\SysWOW64\givmhydj.exe
        
        C:\Windows\system32\givmhydj.exe 700 "C:\Windows\SysWOW64\hixrgief.exe"
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:1096
        
        C:\Windows\SysWOW64\cnqmvmsj.exe
        
        C:\Windows\system32\cnqmvmsj.exe 724 "C:\Windows\SysWOW64\givmhydj.exe"
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:2348
        
        C:\Windows\SysWOW64\hhhsfeif.exe
        
        C:\Windows\system32\hhhsfeif.exe 736 "C:\Windows\SysWOW64\cnqmvmsj.exe"
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:2240
        
        C:\Windows\SysWOW64\qnjnjgck.exe
        
        C:\Windows\system32\qnjnjgck.exe 696 "C:\Windows\SysWOW64\hhhsfeif.exe"
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2868
        
        C:\Windows\SysWOW64\fzhsmpps.exe
        
        C:\Windows\system32\fzhsmpps.exe 680 "C:\Windows\SysWOW64\qnjnjgck.exe"
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:1716
        
        C:\Windows\SysWOW64\pnipcoco.exe
        
        C:\Windows\system32\pnipcoco.exe 764 "C:\Windows\SysWOW64\fzhsmpps.exe"
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2436
        
        C:\Windows\SysWOW64\cazfisat.exe
        
        C:\Windows\system32\cazfisat.exe 808 "C:\Windows\SysWOW64\pnipcoco.exe"
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:1684
        
        C:\Windows\SysWOW64\wktnouov.exe
        
        C:\Windows\system32\wktnouov.exe 704 "C:\Windows\SysWOW64\cazfisat.exe"
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:1928
        
        C:\Windows\SysWOW64\zqhydmxr.exe
        
        C:\Windows\system32\zqhydmxr.exe 816 "C:\Windows\SysWOW64\wktnouov.exe"
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:660
        
        C:\Windows\SysWOW64\wszlzxja.exe
        
        C:\Windows\system32\wszlzxja.exe 804 "C:\Windows\SysWOW64\zqhydmxr.exe"
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:2536
        
        C:\Windows\SysWOW64\volieosl.exe
        
        C:\Windows\system32\volieosl.exe 772 "C:\Windows\SysWOW64\wszlzxja.exe"
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:872
        
        C:\Windows\SysWOW64\kskgbjok.exe
        
        C:\Windows\system32\kskgbjok.exe 776 "C:\Windows\SysWOW64\volieosl.exe"
        33⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2844
        
        C:\Windows\SysWOW64\enpobcwh.exe
        
        C:\Windows\system32\enpobcwh.exe 740 "C:\Windows\SysWOW64\kskgbjok.exe"
        34⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2948
        
        C:\Windows\SysWOW64\astycwzb.exe
        
        C:\Windows\system32\astycwzb.exe 688 "C:\Windows\SysWOW64\enpobcwh.exe"
        35⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2724
        
        C:\Windows\SysWOW64\qwbtykww.exe
        
        C:\Windows\system32\qwbtykww.exe 840 "C:\Windows\SysWOW64\astycwzb.exe"
        36⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2736
        
        C:\Windows\SysWOW64\vqjbxugb.exe
        
        C:\Windows\system32\vqjbxugb.exe 844 "C:\Windows\SysWOW64\qwbtykww.exe"
        37⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2764
        
        C:\Windows\SysWOW64\vbwtlgkv.exe
        
        C:\Windows\system32\vbwtlgkv.exe 848 "C:\Windows\SysWOW64\vqjbxugb.exe"
        38⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2916
        
        C:\Windows\SysWOW64\rcggpjww.exe
        
        C:\Windows\system32\rcggpjww.exe 728 "C:\Windows\SysWOW64\vbwtlgkv.exe"
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1568
        
        C:\Windows\SysWOW64\mbwbshlv.exe
        
        C:\Windows\system32\mbwbshlv.exe 788 "C:\Windows\SysWOW64\rcggpjww.exe"
        40⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2580
        
        C:\Windows\SysWOW64\tfgobsol.exe
        
        C:\Windows\system32\tfgobsol.exe 864 "C:\Windows\SysWOW64\mbwbshlv.exe"
        41⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1756
        
        C:\Windows\SysWOW64\ysaovctt.exe
        
        C:\Windows\system32\ysaovctt.exe 860 "C:\Windows\SysWOW64\tfgobsol.exe"
        42⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2616
        
        C:\Windows\SysWOW64\pclzcurg.exe
        
        C:\Windows\system32\pclzcurg.exe 732 "C:\Windows\SysWOW64\ysaovctt.exe"
        43⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1676
        
        C:\Windows\SysWOW64\pkyroksy.exe
        
        C:\Windows\system32\pkyroksy.exe 828 "C:\Windows\SysWOW64\pclzcurg.exe"
        44⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:272
        
        C:\Windows\SysWOW64\ephemkzj.exe
        
        C:\Windows\system32\ephemkzj.exe 716 "C:\Windows\SysWOW64\pkyroksy.exe"
        45⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:696
        
        C:\Windows\SysWOW64\mwdwhzit.exe
        
        C:\Windows\system32\mwdwhzit.exe 752 "C:\Windows\SysWOW64\ephemkzj.exe"
        46⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2124
        
        C:\Windows\SysWOW64\okfzczxu.exe
        
        C:\Windows\system32\okfzczxu.exe 888 "C:\Windows\SysWOW64\mwdwhzit.exe"
        47⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1552
        
        C:\Windows\SysWOW64\voimtsak.exe
        
        C:\Windows\system32\voimtsak.exe 884 "C:\Windows\SysWOW64\okfzczxu.exe"
        48⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2668
        
        C:\Windows\SysWOW64\tlommrfq.exe
        
        C:\Windows\system32\tlommrfq.exe 756 "C:\Windows\SysWOW64\voimtsak.exe"
        49⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2832
        
        C:\Windows\SysWOW64\hejjvjfv.exe
        
        C:\Windows\system32\hejjvjfv.exe 768 "C:\Windows\SysWOW64\tlommrfq.exe"
        50⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1500
        
        C:\Windows\SysWOW64\urahbedi.exe
        
        C:\Windows\system32\urahbedi.exe 900 "C:\Windows\SysWOW64\hejjvjfv.exe"
        51⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1132
        
        C:\Windows\SysWOW64\xjsxtalg.exe
        
        C:\Windows\system32\xjsxtalg.exe 908 "C:\Windows\SysWOW64\urahbedi.exe"
        52⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1196
        
        C:\Windows\SysWOW64\rllfzcza.exe
        
        C:\Windows\system32\rllfzcza.exe 832 "C:\Windows\SysWOW64\xjsxtalg.exe"
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1696
        
        C:\Windows\SysWOW64\gtgxagfg.exe
        
        C:\Windows\system32\gtgxagfg.exe 780 "C:\Windows\SysWOW64\rllfzcza.exe"
        54⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2420
        
        C:\Windows\SysWOW64\phguyosc.exe
        
        C:\Windows\system32\phguyosc.exe 824 "C:\Windows\SysWOW64\gtgxagfg.exe"
        55⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2556
        
        C:\Windows\SysWOW64\kgwptmhb.exe
        
        C:\Windows\system32\kgwptmhb.exe 920 "C:\Windows\SysWOW64\phguyosc.exe"
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1284
        
        C:\Windows\SysWOW64\hstvlbxx.exe
        
        C:\Windows\system32\hstvlbxx.exe 748 "C:\Windows\SysWOW64\kgwptmhb.exe"
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1968
        
        C:\Windows\SysWOW64\qnrxarnp.exe
        
        C:\Windows\system32\qnrxarnp.exe 800 "C:\Windows\SysWOW64\hstvlbxx.exe"
        58⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1408
        
        C:\Windows\SysWOW64\naodkgdl.exe
        
        C:\Windows\system32\naodkgdl.exe 760 "C:\Windows\SysWOW64\qnrxarnp.exe"
        59⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1880
        
        C:\Windows\SysWOW64\cpxnrlwn.exe
        
        C:\Windows\system32\cpxnrlwn.exe 792 "C:\Windows\SysWOW64\naodkgdl.exe"
        60⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1672
        
        C:\Windows\SysWOW64\ezoljhwl.exe
        
        C:\Windows\system32\ezoljhwl.exe 796 "C:\Windows\SysWOW64\cpxnrlwn.exe"
        61⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2172
        
        C:\Windows\SysWOW64\bagynsiv.exe
        
        C:\Windows\system32\bagynsiv.exe 820 "C:\Windows\SysWOW64\ezoljhwl.exe"
        62⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:592
        
        C:\Windows\SysWOW64\vkigsueo.exe
        
        C:\Windows\system32\vkigsueo.exe 784 "C:\Windows\SysWOW64\bagynsiv.exe"
        63⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1072
        
        C:\Windows\SysWOW64\njklpnyt.exe
        
        C:\Windows\system32\njklpnyt.exe 948 "C:\Windows\SysWOW64\vkigsueo.exe"
        64⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:3020
        
        C:\Windows\SysWOW64\fbnvxfnf.exe
        
        C:\Windows\system32\fbnvxfnf.exe 952 "C:\Windows\SysWOW64\njklpnyt.exe"
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2840
        
        C:\Windows\SysWOW64\ncmolmra.exe
        
        C:\Windows\system32\ncmolmra.exe 880 "C:\Windows\SysWOW64\fbnvxfnf.exe"
        66⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\wfiynwcq.exe
        
        C:\Windows\system32\wfiynwcq.exe 892 "C:\Windows\SysWOW64\ncmolmra.exe"
        67⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\bzqgeouv.exe
        
        C:\Windows\system32\bzqgeouv.exe 972 "C:\Windows\SysWOW64\wfiynwcq.exe"
        68⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\jspgtvqi.exe
        
        C:\Windows\system32\jspgtvqi.exe 940 "C:\Windows\SysWOW64\bzqgeouv.exe"
        69⤵
        Drops file in System32 directory
        
        PID:2980
        
        C:\Windows\SysWOW64\fekyrljm.exe
        
        C:\Windows\system32\fekyrljm.exe 928 "C:\Windows\SysWOW64\jspgtvqi.exe"
        70⤵
        Drops file in System32 directory
        
        PID:1576
        
        C:\Windows\SysWOW64\nxjygrmh.exe
        
        C:\Windows\system32\nxjygrmh.exe 876 "C:\Windows\SysWOW64\fekyrljm.exe"
        71⤵
        
        PID:976
        
        C:\Windows\SysWOW64\fagjibxx.exe
        
        C:\Windows\system32\fagjibxx.exe 836 "C:\Windows\SysWOW64\nxjygrmh.exe"
        72⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\uqpbooiz.exe
        
        C:\Windows\system32\uqpbooiz.exe 904 "C:\Windows\SysWOW64\fagjibxx.exe"
        73⤵
        Drops file in System32 directory
        
        PID:1212
        
        C:\Windows\SysWOW64\ydibhyuh.exe
        
        C:\Windows\system32\ydibhyuh.exe 868 "C:\Windows\SysWOW64\uqpbooiz.exe"
        74⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\gzthtwho.exe
        
        C:\Windows\system32\gzthtwho.exe 852 "C:\Windows\SysWOW64\ydibhyuh.exe"
        75⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\fsurnire.exe
        
        C:\Windows\system32\fsurnire.exe 872 "C:\Windows\SysWOW64\gzthtwho.exe"
        76⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\zuwrnfpp.exe
        
        C:\Windows\system32\zuwrnfpp.exe 812 "C:\Windows\SysWOW64\fsurnire.exe"
        77⤵
        Drops file in System32 directory
        
        PID:2092
        
        C:\Windows\SysWOW64\wvpeiiby.exe
        
        C:\Windows\system32\wvpeiiby.exe 916 "C:\Windows\SysWOW64\zuwrnfpp.exe"
        78⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\tlnejpof.exe
        
        C:\Windows\system32\tlnejpof.exe 856 "C:\Windows\SysWOW64\wvpeiiby.exe"
        79⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\pmgrfsag.exe
        
        C:\Windows\system32\pmgrfsag.exe 924 "C:\Windows\SysWOW64\tlnejpof.exe"
        80⤵
        Drops file in System32 directory
        
        PID:1932
        
        C:\Windows\SysWOW64\mcncampe.exe
        
        C:\Windows\system32\mcncampe.exe 932 "C:\Windows\SysWOW64\pmgrfsag.exe"
        81⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\tckmpwin.exe
        
        C:\Windows\system32\tckmpwin.exe 912 "C:\Windows\SysWOW64\mcncampe.exe"
        82⤵
        Drops file in System32 directory
        
        PID:2260
        
        C:\Windows\SysWOW64\ikenpsns.exe
        
        C:\Windows\system32\ikenpsns.exe 936 "C:\Windows\SysWOW64\tckmpwin.exe"
        83⤵
        Drops file in System32 directory
        
        PID:1652
        
        C:\Windows\SysWOW64\idfxjnxj.exe
        
        C:\Windows\system32\idfxjnxj.exe 896 "C:\Windows\SysWOW64\ikenpsns.exe"
        84⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\aosxrkyi.exe
        
        C:\Windows\system32\aosxrkyi.exe 1000 "C:\Windows\SysWOW64\idfxjnxj.exe"
        85⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\ewydhdtb.exe
        
        C:\Windows\system32\ewydhdtb.exe 980 "C:\Windows\SysWOW64\aosxrkyi.exe"
        86⤵
        Drops file in System32 directory
        
        PID:2828
        
        C:\Windows\SysWOW64\psrnpxch.exe
        
        C:\Windows\system32\psrnpxch.exe 1044 "C:\Windows\SysWOW64\ewydhdtb.exe"
        87⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\opkladon.exe
        
        C:\Windows\system32\opkladon.exe 956 "C:\Windows\SysWOW64\psrnpxch.exe"
        88⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\fznviwez.exe
        
        C:\Windows\system32\fznviwez.exe 960 "C:\Windows\SysWOW64\opkladon.exe"
        89⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\ifbyxnfv.exe
        
        C:\Windows\system32\ifbyxnfv.exe 968 "C:\Windows\SysWOW64\fznviwez.exe"
        90⤵
        Drops file in System32 directory
        
        PID:1016
        
        C:\Windows\SysWOW64\kqcgjwxk.exe
        
        C:\Windows\system32\kqcgjwxk.exe 976 "C:\Windows\SysWOW64\ifbyxnfv.exe"
        91⤵
        
        PID:1332
        
        C:\Windows\SysWOW64\ockycbzg.exe
        
        C:\Windows\system32\ockycbzg.exe 964 "C:\Windows\SysWOW64\kqcgjwxk.exe"
        92⤵
        
        PID:1300
        
        C:\Windows\SysWOW64\vvsqlcfk.exe
        
        C:\Windows\system32\vvsqlcfk.exe 984 "C:\Windows\SysWOW64\ockycbzg.exe"
        93⤵
        Drops file in System32 directory
        
        PID:1628
        
        C:\Windows\SysWOW64\pxmyqetm.exe
        
        C:\Windows\system32\pxmyqetm.exe 988 "C:\Windows\SysWOW64\vvsqlcfk.exe"
        94⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\zlnbslma.exe
        
        C:\Windows\system32\zlnbslma.exe 992 "C:\Windows\SysWOW64\pxmyqetm.exe"
        95⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\rokmuvwq.exe
        
        C:\Windows\system32\rokmuvwq.exe 996 "C:\Windows\SysWOW64\zlnbslma.exe"
        96⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\ihnobomc.exe
        
        C:\Windows\system32\ihnobomc.exe 944 "C:\Windows\SysWOW64\rokmuvwq.exe"
        97⤵
        
        PID:108
        
        C:\Windows\SysWOW64\xtstfwyk.exe
        
        C:\Windows\system32\xtstfwyk.exe 1004 "C:\Windows\SysWOW64\ihnobomc.exe"
        98⤵
        Drops file in System32 directory
        
        PID:1760
        
        C:\Windows\SysWOW64\gdguluzj.exe
        
        C:\Windows\system32\gdguluzj.exe 1012 "C:\Windows\SysWOW64\xtstfwyk.exe"
        99⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\iyjehvgk.exe
        
        C:\Windows\system32\iyjehvgk.exe 1016 "C:\Windows\SysWOW64\gdguluzj.exe"
        100⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\vdbeglpf.exe
        
        C:\Windows\system32\vdbeglpf.exe 1008 "C:\Windows\SysWOW64\iyjehvgk.exe"
        101⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\nwmpoefa.exe
        
        C:\Windows\system32\nwmpoefa.exe 1036 "C:\Windows\SysWOW64\vdbeglpf.exe"
        102⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\uhmzwfse.exe
        
        C:\Windows\system32\uhmzwfse.exe 1020 "C:\Windows\SysWOW64\nwmpoefa.exe"
        103⤵
        Drops file in System32 directory
        
        PID:1748
        
        C:\Windows\SysWOW64\rmhzvvlh.exe
        
        C:\Windows\system32\rmhzvvlh.exe 1032 "C:\Windows\SysWOW64\uhmzwfse.exe"
        104⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\apfuzrfo.exe
        
        C:\Windows\system32\apfuzrfo.exe 1080 "C:\Windows\SysWOW64\rmhzvvlh.exe"
        105⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\uovpupmn.exe
        
        C:\Windows\system32\uovpupmn.exe 1028 "C:\Windows\SysWOW64\apfuzrfo.exe"
        106⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\muunyddx.exe
        
        C:\Windows\system32\muunyddx.exe 1052 "C:\Windows\SysWOW64\uovpupmn.exe"
        107⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\mjksqtgt.exe
        
        C:\Windows\system32\mjksqtgt.exe 1088 "C:\Windows\SysWOW64\muunyddx.exe"
        108⤵
        Drops file in System32 directory
        
        PID:2800
        
        C:\Windows\SysWOW64\kgfioxhv.exe
        
        C:\Windows\system32\kgfioxhv.exe 1040 "C:\Windows\SysWOW64\mjksqtgt.exe"
        109⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\kygsikrm.exe
        
        C:\Windows\system32\kygsikrm.exe 1092 "C:\Windows\SysWOW64\kgfioxhv.exe"
        110⤵
        Drops file in System32 directory
        
        PID:1140
        
        C:\Windows\SysWOW64\crsibkeq.exe
        
        C:\Windows\system32\crsibkeq.exe 1064 "C:\Windows\SysWOW64\kygsikrm.exe"
        111⤵
        Drops file in System32 directory
        
        PID:2692
        
        C:\Windows\SysWOW64\eevlwktr.exe
        
        C:\Windows\system32\eevlwktr.exe 1060 "C:\Windows\SysWOW64\crsibkeq.exe"
        112⤵
        
        PID:688
        
        C:\Windows\SysWOW64\lbgiiigx.exe
        
        C:\Windows\system32\lbgiiigx.exe 1100 "C:\Windows\SysWOW64\eevlwktr.exe"
        113⤵
        Drops file in System32 directory
        
        PID:1728
        
        C:\Windows\SysWOW64\nauygnts.exe
        
        C:\Windows\system32\nauygnts.exe 1056 "C:\Windows\SysWOW64\lbgiiigx.exe"
        114⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\xovbpceg.exe
        
        C:\Windows\system32\xovbpceg.exe 1048 "C:\Windows\SysWOW64\nauygnts.exe"
        115⤵
        Drops file in System32 directory
        
        PID:940
        
        C:\Windows\SysWOW64\gjudxsur.exe
        
        C:\Windows\system32\gjudxsur.exe 1076 "C:\Windows\SysWOW64\xovbpceg.exe"
        116⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\fuvgtroz.exe
        
        C:\Windows\system32\fuvgtroz.exe 1116 "C:\Windows\SysWOW64\gjudxsur.exe"
        117⤵
        Drops file in System32 directory
        
        PID:2648
        
        C:\Windows\SysWOW64\imvwlnwx.exe
        
        C:\Windows\system32\imvwlnwx.exe 1132 "C:\Windows\SysWOW64\fuvgtroz.exe"
        118⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\konexwnm.exe
        
        C:\Windows\system32\konexwnm.exe 1120 "C:\Windows\SysWOW64\imvwlnwx.exe"
        119⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\ppehobts.exe
        
        C:\Windows\system32\ppehobts.exe 1152 "C:\Windows\SysWOW64\konexwnm.exe"
        120⤵
        Drops file in System32 directory
        
        PID:1084
        
        C:\Windows\SysWOW64\tkmrggoo.exe
        
        C:\Windows\system32\tkmrggoo.exe 1124 "C:\Windows\SysWOW64\ppehobts.exe"
        121⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\yhrhuhnz.exe
        
        C:\Windows\system32\yhrhuhnz.exe 1096 "C:\Windows\SysWOW64\tkmrggoo.exe"
        122⤵
        Drops file in System32 directory
        
        PID:1948
        
        C:\Windows\SysWOW64\kjuhmwkk.exe
        
        C:\Windows\system32\kjuhmwkk.exe 1192 "C:\Windows\SysWOW64\yhrhuhnz.exe"
        123⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\eikcotaj.exe
        
        C:\Windows\system32\eikcotaj.exe 1148 "C:\Windows\SysWOW64\kjuhmwkk.exe"
        124⤵
        
        PID:564
        
        C:\Windows\SysWOW64\vdzxkqup.exe
        
        C:\Windows\system32\vdzxkqup.exe 1104 "C:\Windows\SysWOW64\eikcotaj.exe"
        125⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\xzczfqai.exe
        
        C:\Windows\system32\xzczfqai.exe 1128 "C:\Windows\SysWOW64\vdzxkqup.exe"
        126⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\rbezffyb.exe
        
        C:\Windows\system32\rbezffyb.exe 1144 "C:\Windows\SysWOW64\xzczfqai.exe"
        127⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\mwjpfygy.exe
        
        C:\Windows\system32\mwjpfygy.exe 1112 "C:\Windows\SysWOW64\rbezffyb.exe"
        128⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\lhtstfaf.exe
        
        C:\Windows\system32\lhtstfaf.exe 1108 "C:\Windows\SysWOW64\mwjpfygy.exe"
        129⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\ffjnwdpx.exe
        
        C:\Windows\system32\ffjnwdpx.exe 1156 "C:\Windows\SysWOW64\lhtstfaf.exe"
        130⤵
        
        PID:584
        
        C:\Windows\SysWOW64\jkenjzew.exe
        
        C:\Windows\system32\jkenjzew.exe 1072 "C:\Windows\SysWOW64\ffjnwdpx.exe"
        131⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\jdnxdmom.exe
        
        C:\Windows\system32\jdnxdmom.exe 1164 "C:\Windows\SysWOW64\jkenjzew.exe"
        132⤵
        
        PID:456
        
        C:\Windows\SysWOW64\qzyvpkat.exe
        
        C:\Windows\system32\qzyvpkat.exe 1084 "C:\Windows\SysWOW64\jdnxdmom.exe"
        133⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\symkmooo.exe
        
        C:\Windows\system32\symkmooo.exe 1196 "C:\Windows\SysWOW64\qzyvpkat.exe"
        134⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\rjoviwiw.exe
        
        C:\Windows\system32\rjoviwiw.exe 1136 "C:\Windows\SysWOW64\symkmooo.exe"
        135⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\earilqxu.exe
        
        C:\Windows\system32\earilqxu.exe 1140 "C:\Windows\SysWOW64\rjoviwiw.exe"
        136⤵
        Drops file in System32 directory
        
        PID:1204
        
        C:\Windows\SysWOW64\lpcgxoka.exe
        
        C:\Windows\system32\lpcgxoka.exe 1160 "C:\Windows\SysWOW64\earilqxu.exe"
        137⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\vopwbabj.exe
        
        C:\Windows\system32\vopwbabj.exe 1208 "C:\Windows\SysWOW64\lpcgxoka.exe"
        138⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\pnfqexqi.exe
        
        C:\Windows\system32\pnfqexqi.exe 1168 "C:\Windows\SysWOW64\vopwbabj.exe"
        139⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\zqubgpax.exe
        
        C:\Windows\system32\zqubgpax.exe 1220 "C:\Windows\SysWOW64\pnfqexqi.exe"
        140⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\nfdtmuli.exe
        
        C:\Windows\system32\nfdtmuli.exe 1172 "C:\Windows\SysWOW64\zqubgpax.exe"
        141⤵
        Drops file in System32 directory
        
        PID:2748
        
        C:\Windows\SysWOW64\iiijmnuf.exe
        
        C:\Windows\system32\iiijmnuf.exe 1180 "C:\Windows\SysWOW64\nfdtmuli.exe"
        142⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\xunoqwgn.exe
        
        C:\Windows\system32\xunoqwgn.exe 1188 "C:\Windows\SysWOW64\iiijmnuf.exe"
        143⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\rsejttve.exe
        
        C:\Windows\system32\rsejttve.exe 1176 "C:\Windows\SysWOW64\xunoqwgn.exe"
        144⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\vbjojmqf.exe
        
        C:\Windows\system32\vbjojmqf.exe 1204 "C:\Windows\SysWOW64\rsejttve.exe"
        145⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\vmnhxyvr.exe
        
        C:\Windows\system32\vmnhxyvr.exe 1184 "C:\Windows\SysWOW64\vbjojmqf.exe"
        146⤵
        Drops file in System32 directory
        
        PID:2584
        
        C:\Windows\SysWOW64\hkoufbim.exe
        
        C:\Windows\system32\hkoufbim.exe 1216 "C:\Windows\SysWOW64\vmnhxyvr.exe"
        147⤵
        Drops file in System32 directory
        
        PID:1476
        
        C:\Windows\SysWOW64\xlaugyva.exe
        
        C:\Windows\system32\xlaugyva.exe 1212 "C:\Windows\SysWOW64\hkoufbim.exe"
        148⤵
        
        PID:1108
        
        C:\Windows\SysWOW64\jcehrsly.exe
        
        C:\Windows\system32\jcehrsly.exe 1200 "C:\Windows\SysWOW64\xlaugyva.exe"
        149⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\bmpkylbk.exe
        
        C:\Windows\system32\bmpkylbk.exe 1224 "C:\Windows\SysWOW64\jcehrsly.exe"
        150⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\vsxntiij.exe
        
        C:\Windows\system32\vsxntiij.exe 1232 "C:\Windows\SysWOW64\bmpkylbk.exe"
        151⤵
        Drops file in System32 directory
        
        PID:472
        
        C:\Windows\SysWOW64\pqnhwgxb.exe
        
        C:\Windows\system32\pqnhwgxb.exe 1244 "C:\Windows\SysWOW64\vsxntiij.exe"
        152⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\ectnzpjj.exe
        
        C:\Windows\system32\ectnzpjj.exe 1228 "C:\Windows\SysWOW64\pqnhwgxb.exe"
        153⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\basnaowp.exe
        
        C:\Windows\system32\basnaowp.exe 1236 "C:\Windows\SysWOW64\ectnzpjj.exe"
        154⤵
        Drops file in System32 directory
        
        PID:2180
        
        C:\Windows\SysWOW64\nuhvgnkq.exe
        
        C:\Windows\system32\nuhvgnkq.exe 1240 "C:\Windows\SysWOW64\basnaowp.exe"
        155⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\uvdfuxer.exe
        
        C:\Windows\system32\uvdfuxer.exe 1288 "C:\Windows\SysWOW64\nuhvgnkq.exe"
        156⤵
        
        PID:580
        
        C:\Windows\SysWOW64\havfunmu.exe
        
        C:\Windows\system32\havfunmu.exe 1248 "C:\Windows\SysWOW64\uvdfuxer.exe"
        157⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\bkpnapao.exe
        
        C:\Windows\system32\bkpnapao.exe 1256 "C:\Windows\SysWOW64\havfunmu.exe"
        158⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\nifqunhn.exe
        
        C:\Windows\system32\nifqunhn.exe 1252 "C:\Windows\SysWOW64\bkpnapao.exe"
        159⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\flttwxsd.exe
        
        C:\Windows\system32\flttwxsd.exe 1272 "C:\Windows\SysWOW64\nifqunhn.exe"
        160⤵
        Drops file in System32 directory
        
        PID:2540
        
        C:\Windows\SysWOW64\zrkvzuhc.exe
        
        C:\Windows\system32\zrkvzuhc.exe 1260 "C:\Windows\SysWOW64\flttwxsd.exe"
        161⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\ubldfwuw.exe
        
        C:\Windows\system32\ubldfwuw.exe 1268 "C:\Windows\SysWOW64\zrkvzuhc.exe"
        162⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\jfjjixhe.exe
        
        C:\Windows\system32\jfjjixhe.exe 1264 "C:\Windows\SysWOW64\ubldfwuw.exe"
        163⤵
        Drops file in System32 directory
        
        PID:2712
        
        C:\Windows\SysWOW64\oordzcnk.exe
        
        C:\Windows\system32\oordzcnk.exe 1276 "C:\Windows\SysWOW64\jfjjixhe.exe"
        164⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\ceawfhgm.exe
        
        C:\Windows\system32\ceawfhgm.exe 1284 "C:\Windows\SysWOW64\oordzcnk.exe"
        165⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\udlteujh.exe
        
        C:\Windows\system32\udlteujh.exe 1296 "C:\Windows\SysWOW64\ceawfhgm.exe"
        166⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\ezjolkhs.exe
        
        C:\Windows\system32\ezjolkhs.exe 1280 "C:\Windows\SysWOW64\udlteujh.exe"
        167⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\thvomonx.exe
        
        C:\Windows\system32\thvomonx.exe 1308 "C:\Windows\SysWOW64\ezjolkhs.exe"
        168⤵
        Drops file in System32 directory
        
        PID:2964
        
        C:\Windows\SysWOW64\loverdep.exe
        
        C:\Windows\system32\loverdep.exe 1292 "C:\Windows\SysWOW64\thvomonx.exe"
        169⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\fxwmxesj.exe
        
        C:\Windows\system32\fxwmxesj.exe 1320 "C:\Windows\SysWOW64\loverdep.exe"
        170⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\ugjmxbxx.exe
        
        C:\Windows\system32\ugjmxbxx.exe 1300 "C:\Windows\SysWOW64\fxwmxesj.exe"
        171⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\oezhaymo.exe
        
        C:\Windows\system32\oezhaymo.exe 1316 "C:\Windows\SysWOW64\ugjmxbxx.exe"
        172⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\bvdudtcm.exe
        
        C:\Windows\system32\bvdudtcm.exe 1304 "C:\Windows\SysWOW64\oezhaymo.exe"
        173⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\pkmmjgnw.exe
        
        C:\Windows\system32\pkmmjgnw.exe 1328 "C:\Windows\SysWOW64\bvdudtcm.exe"
        174⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\zczcwref.exe
        
        C:\Windows\system32\zczcwref.exe 1332 "C:\Windows\SysWOW64\pkmmjgnw.exe"
        175⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\wagcpqru.exe
        
        C:\Windows\system32\wagcpqru.exe 1340 "C:\Windows\SysWOW64\zczcwref.exe"
        176⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\rulspjar.exe
        
        C:\Windows\system32\rulspjar.exe 1344 "C:\Windows\SysWOW64\wagcpqru.exe"
        177⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\fvxpybrv.exe
        
        C:\Windows\system32\fvxpybrv.exe 1372 "C:\Windows\SysWOW64\rulspjar.exe"
        178⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\vhskwdya.exe
        
        C:\Windows\system32\vhskwdya.exe 1360 "C:\Windows\SysWOW64\fvxpybrv.exe"
        179⤵
        
        PID:268
        
        C:\Windows\SysWOW64\hchkcuma.exe
        
        C:\Windows\system32\hchkcuma.exe 1384 "C:\Windows\SysWOW64\vhskwdya.exe"
        180⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\tllxepby.exe
        
        C:\Windows\system32\tllxepby.exe 1356 "C:\Windows\SysWOW64\hchkcuma.exe"
        181⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\ortahnip.exe
        
        C:\Windows\system32\ortahnip.exe 1392 "C:\Windows\SysWOW64\tllxepby.exe"
        182⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\qtuitvaf.exe
        
        C:\Windows\system32\qtuitvaf.exe 1312 "C:\Windows\SysWOW64\ortahnip.exe"
        183⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\ejdsaitp.exe
        
        C:\Windows\system32\ejdsaitp.exe 1396 "C:\Windows\SysWOW64\qtuitvaf.exe"
        184⤵
        
        PID:928
        
        C:\Windows\SysWOW64\rdranhhh.exe
        
        C:\Windows\system32\rdranhhh.exe 1348 "C:\Windows\SysWOW64\ejdsaitp.exe"
        185⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\lbivifph.exe
        
        C:\Windows\system32\lbivifph.exe 1364 "C:\Windows\SysWOW64\rdranhhh.exe"
        186⤵
        Drops file in System32 directory
        
        PID:2444
        
        C:\Windows\SysWOW64\suhorycl.exe
        
        C:\Windows\system32\suhorycl.exe 1324 "C:\Windows\SysWOW64\lbivifph.exe"
        187⤵
        
        PID:752
        
        C:\Windows\SysWOW64\hkqyxlvv.exe
        
        C:\Windows\system32\hkqyxlvv.exe 1336 "C:\Windows\SysWOW64\suhorycl.exe"
        188⤵
        
        PID:784
        
        C:\Windows\SysWOW64\mtztorbb.exe
        
        C:\Windows\system32\mtztorbb.exe 1404 "C:\Windows\SysWOW64\hkqyxlvv.exe"
        189⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\eayrsfkt.exe
        
        C:\Windows\system32\eayrsfkt.exe 1368 "C:\Windows\SysWOW64\mtztorbb.exe"
        190⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\nslgfqcb.exe
        
        C:\Windows\system32\nslgfqcb.exe 1416 "C:\Windows\SysWOW64\eayrsfkt.exe"
        191⤵
        
        PID:368
        
        C:\Windows\SysWOW64\qnojarjc.exe
        
        C:\Windows\system32\qnojarjc.exe 1380 "C:\Windows\SysWOW64\nslgfqcb.exe"
        192⤵
        Drops file in System32 directory
        
        PID:1840
        
        C:\Windows\SysWOW64\wnktotcl.exe
        
        C:\Windows\system32\wnktotcl.exe 1376 "C:\Windows\SysWOW64\qnojarjc.exe"
        193⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\touhkeom.exe
        
        C:\Windows\system32\touhkeom.exe 1388 "C:\Windows\SysWOW64\wnktotcl.exe"
        194⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\yimmuwej.exe
        
        C:\Windows\system32\yimmuwej.exe 1352 "C:\Windows\SysWOW64\touhkeom.exe"
        195⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\tdrcupmo.exe
        
        C:\Windows\system32\tdrcupmo.exe 1424 "C:\Windows\SysWOW64\yimmuwej.exe"
        196⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\hivmnsgi.exe
        
        C:\Windows\system32\hivmnsgi.exe 1400 "C:\Windows\SysWOW64\tdrcupmo.exe"
        197⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\bcacnlxf.exe
        
        C:\Windows\system32\bcacnlxf.exe 1412 "C:\Windows\SysWOW64\hivmnsgi.exe"
        198⤵
        
        PID:900
        
        C:\Windows\SysWOW64\oleppged.exe
        
        C:\Windows\system32\oleppged.exe 1408 "C:\Windows\SysWOW64\bcacnlxf.exe"
        199⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\npquuxvo.exe
        
        C:\Windows\system32\npquuxvo.exe 1428 "C:\Windows\SysWOW64\oleppged.exe"
        200⤵
        
        PID:1080
        
        C:\Windows\SysWOW64\elfpqtpv.exe
        
        C:\Windows\system32\elfpqtpv.exe 1432 "C:\Windows\SysWOW64\npquuxvo.exe"
        201⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\ogdsxjff.exe
        
        C:\Windows\system32\ogdsxjff.exe 1448 "C:\Windows\SysWOW64\elfpqtpv.exe"
        202⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\nznvtqzn.exe
        
        C:\Windows\system32\nznvtqzn.exe 1436 "C:\Windows\SysWOW64\ogdsxjff.exe"
        203⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\pycqdvka.exe
        
        C:\Windows\system32\pycqdvka.exe 1456 "C:\Windows\SysWOW64\nznvtqzn.exe"
        204⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\zqhgpobq.exe
        
        C:\Windows\system32\zqhgpobq.exe 1440 "C:\Windows\SysWOW64\pycqdvka.exe"
        205⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\qxhvucti.exe
        
        C:\Windows\system32\qxhvucti.exe 1472 "C:\Windows\SysWOW64\zqhgpobq.exe"
        206⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\fimaydfi.exe
        
        C:\Windows\system32\fimaydfi.exe 1480 "C:\Windows\SysWOW64\qxhvucti.exe"
        207⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\hepltdlj.exe
        
        C:\Windows\system32\hepltdlj.exe 1464 "C:\Windows\SysWOW64\fimaydfi.exe"
        208⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\rvutxpdz.exe
        
        C:\Windows\system32\rvutxpdz.exe 1420 "C:\Windows\SysWOW64\hepltdlj.exe"
        209⤵
        
        PID:888
        
        C:\Windows\SysWOW64\bjewheon.exe
        
        C:\Windows\system32\bjewheon.exe 1476 "C:\Windows\SysWOW64\rvutxpdz.exe"
        210⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\tnsgioyd.exe
        
        C:\Windows\system32\tnsgioyd.exe 1444 "C:\Windows\SysWOW64\bjewheon.exe"
        211⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\cqijqdon.exe
        
        C:\Windows\system32\cqijqdon.exe 1468 "C:\Windows\SysWOW64\tnsgioyd.exe"
        212⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\rcoobmiv.exe
        
        C:\Windows\system32\rcoobmiv.exe 1452 "C:\Windows\SysWOW64\cqijqdon.exe"
        213⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\eawjwjpv.exe
        
        C:\Windows\system32\eawjwjpv.exe 1496 "C:\Windows\SysWOW64\rcoobmiv.exe"
        214⤵
        Drops file in System32 directory
        
        PID:1448
        
        C:\Windows\SysWOW64\quljkjen.exe
        
        C:\Windows\system32\quljkjen.exe 1460 "C:\Windows\SysWOW64\eawjwjpv.exe"
        215⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\sedhcflt.exe
        
        C:\Windows\system32\sedhcflt.exe 1488 "C:\Windows\SysWOW64\quljkjen.exe"
        216⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\usourskd.exe
        
        C:\Windows\system32\usourskd.exe 1484 "C:\Windows\SysWOW64\sedhcflt.exe"
        217⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\wgrwmsre.exe
        
        C:\Windows\system32\wgrwmsre.exe 1508 "C:\Windows\SysWOW64\usourskd.exe"
        218⤵
        Drops file in System32 directory
        
        PID:2456
        
        C:\Windows\SysWOW64\gqiulvdp.exe
        
        C:\Windows\system32\gqiulvdp.exe 1492 "C:\Windows\SysWOW64\wgrwmsre.exe"
        219⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\ipwkjzqs.exe
        
        C:\Windows\system32\ipwkjzqs.exe 1516 "C:\Windows\SysWOW64\gqiulvdp.exe"
        220⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\pmhhuxdr.exe
        
        C:\Windows\system32\pmhhuxdr.exe 1500 "C:\Windows\SysWOW64\ipwkjzqs.exe"
        221⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\jnapazrt.exe
        
        C:\Windows\system32\jnapazrt.exe 1524 "C:\Windows\SysWOW64\pmhhuxdr.exe"
        222⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\rhiziaex.exe
        
        C:\Windows\system32\rhiziaex.exe 1504 "C:\Windows\SysWOW64\jnapazrt.exe"
        223⤵
        Drops file in System32 directory
        
        PID:1580
        
        C:\Windows\SysWOW64\iztkqtuj.exe
        
        C:\Windows\system32\iztkqtuj.exe 1512 "C:\Windows\SysWOW64\rhiziaex.exe"
        224⤵
        Drops file in System32 directory
        
        PID:1744
        
        C:\Windows\SysWOW64\nwncdpji.exe
        
        C:\Windows\system32\nwncdpji.exe 1520 "C:\Windows\SysWOW64\iztkqtuj.exe"
        225⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\pdtnshkm.exe
        
        C:\Windows\system32\pdtnshkm.exe 1532 "C:\Windows\SysWOW64\nwncdpji.exe"
        226⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\tlzsiifg.exe
        
        C:\Windows\system32\tlzsiifg.exe 1528 "C:\Windows\SysWOW64\pdtnshkm.exe"
        227⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\dlmintxw.exe
        
        C:\Windows\system32\dlmintxw.exe 1536 "C:\Windows\SysWOW64\tlzsiifg.exe"
        228⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\axivlwda.exe
        
        C:\Windows\system32\axivlwda.exe 1540 "C:\Windows\SysWOW64\dlmintxw.exe"
        229⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\ukvqluyx.exe
        
        C:\Windows\system32\ukvqluyx.exe 1552 "C:\Windows\SysWOW64\axivlwda.exe"
        230⤵
        
        PID:1192
        
        C:\Windows\SysWOW64\hqnytlgs.exe
        
        C:\Windows\system32\hqnytlgs.exe 1548 "C:\Windows\SysWOW64\ukvqluyx.exe"
        231⤵
        Drops file in System32 directory
        
        PID:956
        
        C:\Windows\SysWOW64\gioinfqj.exe
        
        C:\Windows\system32\gioinfqj.exe 1544 "C:\Windows\SysWOW64\hqnytlgs.exe"
        232⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\vywbizfh.exe
        
        C:\Windows\system32\vywbizfh.exe 1564 "C:\Windows\SysWOW64\gioinfqj.exe"
        233⤵
        Drops file in System32 directory
        
        PID:2568
        
        C:\Windows\SysWOW64\pemwdwug.exe
        
        C:\Windows\system32\pemwdwug.exe 1560 "C:\Windows\SysWOW64\vywbizfh.exe"
        234⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\zwzlqiew.exe
        
        C:\Windows\system32\zwzlqiew.exe 1572 "C:\Windows\SysWOW64\pemwdwug.exe"
        235⤵
        Drops file in System32 directory
        
        PID:1720
        
        C:\Windows\SysWOW64\ywwwpdtk.exe
        
        C:\Windows\system32\ywwwpdtk.exe 1568 "C:\Windows\SysWOW64\zwzlqiew.exe"
        236⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\ydvtjyop.exe
        
        C:\Windows\system32\ydvtjyop.exe 1556 "C:\Windows\SysWOW64\ywwwpdtk.exe"
        237⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\fdrexiiq.exe
        
        C:\Windows\system32\fdrexiiq.exe 1576 "C:\Windows\SysWOW64\ydvtjyop.exe"
        238⤵
        Drops file in System32 directory
        
        PID:2880
        
        C:\Windows\SysWOW64\zjzzsgpq.exe
        
        C:\Windows\system32\zjzzsgpq.exe 1584 "C:\Windows\SysWOW64\fdrexiiq.exe"
        239⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\btzokcxo.exe
        
        C:\Windows\system32\btzokcxo.exe 1596 "C:\Windows\SysWOW64\zjzzsgpq.exe"
        240⤵
        Drops file in System32 directory
        
        PID:1256
        
        C:\Windows\SysWOW64\bbxmdxkt.exe
        
        C:\Windows\system32\bbxmdxkt.exe 1592 "C:\Windows\SysWOW64\btzokcxo.exe"
        241⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\dwapyxyu.exe
        
        C:\Windows\system32\dwapyxyu.exe 1604 "C:\Windows\SysWOW64\bbxmdxkt.exe"
        242⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\zqtmovum.exe
        
        C:\Windows\system32\zqtmovum.exe 1600 "C:\Windows\SysWOW64\dwapyxyu.exe"
        243⤵
        
        PID:936
        
        C:\Windows\SysWOW64\erbpeaaa.exe
        
        C:\Windows\system32\erbpeaaa.exe 1612 "C:\Windows\SysWOW64\zqtmovum.exe"
        244⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\lryztclb.exe
        
        C:\Windows\system32\lryztclb.exe 1616 "C:\Windows\SysWOW64\erbpeaaa.exe"
        245⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\ckbcavjn.exe
        
        C:\Windows\system32\ckbcavjn.exe 1620 "C:\Windows\SysWOW64\lryztclb.exe"
        246⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\pptkausq.exe
        
        C:\Windows\system32\pptkausq.exe 1580 "C:\Windows\SysWOW64\ckbcavjn.exe"
        247⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\rcwnvmzj.exe
        
        C:\Windows\system32\rcwnvmzj.exe 1672 "C:\Windows\SysWOW64\pptkausq.exe"
        248⤵
        Drops file in System32 directory
        
        PID:1668
        
        C:\Windows\SysWOW64\lbvaseyz.exe
        
        C:\Windows\system32\lbvaseyz.exe 1588 "C:\Windows\SysWOW64\rcwnvmzj.exe"
        249⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\azuatddg.exe
        
        C:\Windows\system32\azuatddg.exe 1632 "C:\Windows\SysWOW64\lbvaseyz.exe"
        250⤵
        Drops file in System32 directory
        
        PID:2332
        
        C:\Windows\SysWOW64\plzfwmpo.exe
        
        C:\Windows\system32\plzfwmpo.exe 1608 "C:\Windows\SysWOW64\azuatddg.exe"
        251⤵
        
        PID:544
        
        C:\Windows\SysWOW64\bjssfpkj.exe
        
        C:\Windows\system32\bjssfpkj.exe 1628 "C:\Windows\SysWOW64\plzfwmpo.exe"
        252⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\vwytzvcx.exe
        
        C:\Windows\system32\vwytzvcx.exe 1624 "C:\Windows\SysWOW64\bjssfpkj.exe"
        253⤵
        Drops file in System32 directory
        
        PID:2384
        
        C:\Windows\SysWOW64\vlvyqdfl.exe
        
        C:\Windows\system32\vlvyqdfl.exe 1648 "C:\Windows\SysWOW64\vwytzvcx.exe"
        254⤵
        
        PID:776
        
        C:\Windows\SysWOW64\kxtdtmzt.exe
        
        C:\Windows\system32\kxtdtmzt.exe 1636 "C:\Windows\SysWOW64\vlvyqdfl.exe"
        255⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\zmkvirkv.exe
        
        C:\Windows\system32\zmkvirkv.exe 1652 "C:\Windows\SysWOW64\kxtdtmzt.exe"
        256⤵
        Drops file in System32 directory
        
        PID:2572
        
        C:\Windows\SysWOW64\ytiltufi.exe
        
        C:\Windows\system32\ytiltufi.exe 1656 "C:\Windows\SysWOW64\zmkvirkv.exe"
        257⤵
        Drops file in System32 directory
        
        PID:2908
        
        C:\Windows\SysWOW64\qaijyips.exe
        
        C:\Windows\system32\qaijyips.exe 1664 "C:\Windows\SysWOW64\ytiltufi.exe"
        258⤵
        Drops file in System32 directory
        
        PID:1044
        
        C:\Windows\SysWOW64\krzwvsni.exe
        
        C:\Windows\system32\krzwvsni.exe 1660 "C:\Windows\SysWOW64\qaijyips.exe"
        259⤵
        
        PID:828
        
        C:\Windows\SysWOW64\ebseaubc.exe
        
        C:\Windows\system32\ebseaubc.exe 1668 "C:\Windows\SysWOW64\krzwvsni.exe"
        260⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\sfztypxb.exe
        
        C:\Windows\system32\sfztypxb.exe 1640 "C:\Windows\SysWOW64\ebseaubc.exe"
        261⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\intuztlg.exe
        
        C:\Windows\system32\intuztlg.exe 1680 "C:\Windows\SysWOW64\sfztypxb.exe"
        262⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\edbeufae.exe
        
        C:\Windows\system32\edbeufae.exe 1644 "C:\Windows\SysWOW64\intuztlg.exe"
        263⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\gnscmbic.exe
        
        C:\Windows\system32\gnscmbic.exe 1692 "C:\Windows\SysWOW64\edbeufae.exe"
        264⤵
        
        PID:1216
        
        C:\Windows\SysWOW64\gycfaick.exe
        
        C:\Windows\system32\gycfaick.exe 1676 "C:\Windows\SysWOW64\gnscmbic.exe"
        265⤵
        Drops file in System32 directory
        
        PID:2704
        
        C:\Windows\SysWOW64\kviptyhw.exe
        
        C:\Windows\system32\kviptyhw.exe 1684 "C:\Windows\SysWOW64\gycfaick.exe"
        266⤵
        Drops file in System32 directory
        
        PID:2012
        
        C:\Windows\SysWOW64\ppzceqxs.exe
        
        C:\Windows\system32\ppzceqxs.exe 1688 "C:\Windows\SysWOW64\kviptyhw.exe"
        267⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\hwzsimgk.exe
        
        C:\Windows\system32\hwzsimgk.exe 1708 "C:\Windows\SysWOW64\ppzceqxs.exe"
        268⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\tnunthvi.exe
        
        C:\Windows\system32\tnunthvi.exe 1696 "C:\Windows\SysWOW64\hwzsimgk.exe"
        269⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\vaxqozcb.exe
        
        C:\Windows\system32\vaxqozcb.exe 1712 "C:\Windows\SysWOW64\tnunthvi.exe"
        270⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\xlxyaquq.exe
        
        C:\Windows\system32\xlxyaquq.exe 1716 "C:\Windows\SysWOW64\vaxqozcb.exe"
        271⤵
        
        PID:672
        
        C:\Windows\SysWOW64\rjotdojp.exe
        
        C:\Windows\system32\rjotdojp.exe 1720 "C:\Windows\SysWOW64\xlxyaquq.exe"
        272⤵
        
        PID:1208
        
        C:\Windows\SysWOW64\ruxvrndx.exe
        
        C:\Windows\system32\ruxvrndx.exe 1700 "C:\Windows\SysWOW64\rjotdojp.exe"
        273⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\nkfomhsn.exe
        
        C:\Windows\system32\nkfomhsn.exe 1724 "C:\Windows\SysWOW64\ruxvrndx.exe"
        274⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\ukcybrlw.exe
        
        C:\Windows\system32\ukcybrlw.exe 1728 "C:\Windows\SysWOW64\nkfomhsn.exe"
        275⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\pnhotktt.exe
        
        C:\Windows\system32\pnhotktt.exe 1744 "C:\Windows\SysWOW64\ukcybrlw.exe"
        276⤵
        
        PID:1892

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\auncpwuv.exe

Filesize
496KB

MD5
f13cf06f8beb2ca2c3c85531b5723b2c

SHA1
126cb64f21f5a1651d1ba0731d98cd455f98fd86

SHA256
71565192fdf78016e9096f6dfec6915bedeb5a7b279ca139476e1cf1df97b2df

SHA512
084009c84af2230ef8c55a5b9557a27685026dd63f090b6dccc16f53d2f97c5307ddfb664f6534ce76ef425cfe423e4ce4330185a048a8f873b35f03cc5f395f

Download Submit
memory/272-808-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/592-1124-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/660-568-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/696-841-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/872-582-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/1072-1125-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/1096-431-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/1120-106-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/1120-121-0x00000000040D0000-0x00000000040D1000-memory.dmp

Filesize
4KB

Download
memory/1120-120-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/1120-119-0x00000000040B0000-0x00000000040B1000-memory.dmp

Filesize
4KB

Download
memory/1120-107-0x00000000041F0000-0x00000000041F2000-memory.dmp

Filesize
8KB

Download
memory/1120-115-0x0000000004120000-0x0000000004121000-memory.dmp

Filesize
4KB

Download
memory/1120-117-0x00000000040C0000-0x00000000040C1000-memory.dmp

Filesize
4KB

Download
memory/1120-118-0x00000000041C0000-0x00000000041C1000-memory.dmp

Filesize
4KB

Download
memory/1120-116-0x00000000041A0000-0x00000000041A1000-memory.dmp

Filesize
4KB

Download
memory/1132-955-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/1196-964-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/1284-1019-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/1324-165-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/1408-1033-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/1500-934-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/1552-867-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/1568-720-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/1592-424-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/1676-788-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/1684-529-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/1696-990-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/1708-129-0x0000000004080000-0x0000000004081000-memory.dmp

Filesize
4KB

Download
memory/1708-127-0x0000000004120000-0x0000000004121000-memory.dmp

Filesize
4KB

Download
memory/1708-125-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/1708-131-0x0000000004070000-0x0000000004071000-memory.dmp

Filesize
4KB

Download
memory/1708-130-0x00000000041B0000-0x00000000041B1000-memory.dmp

Filesize
4KB

Download
memory/1708-140-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/1708-139-0x00000000040D0000-0x00000000040D1000-memory.dmp

Filesize
4KB

Download
memory/1708-126-0x00000000041E0000-0x00000000041E2000-memory.dmp

Filesize
8KB

Download
memory/1708-128-0x0000000004190000-0x0000000004191000-memory.dmp

Filesize
4KB

Download
memory/1716-498-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/1756-747-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/1844-348-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/1880-1052-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/1928-557-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/1960-79-0x00000000041A0000-0x00000000041A1000-memory.dmp

Filesize
4KB

Download
memory/1960-84-0x0000000003FA0000-0x0000000003FA1000-memory.dmp

Filesize
4KB

Download
memory/1960-80-0x0000000003F70000-0x0000000003F71000-memory.dmp

Filesize
4KB

Download
memory/1960-82-0x0000000003FB0000-0x0000000003FB1000-memory.dmp

Filesize
4KB

Download
memory/1960-86-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/1960-81-0x0000000003F90000-0x0000000003F91000-memory.dmp

Filesize
4KB

Download
memory/1960-83-0x0000000003FC0000-0x0000000003FC1000-memory.dmp

Filesize
4KB

Download
memory/1960-67-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/1960-85-0x0000000004150000-0x0000000004151000-memory.dmp

Filesize
4KB

Download
memory/1960-70-0x0000000004180000-0x0000000004181000-memory.dmp

Filesize
4KB

Download
memory/1960-71-0x0000000003F80000-0x0000000003F81000-memory.dmp

Filesize
4KB

Download
memory/1960-69-0x0000000003FD0000-0x0000000003FD1000-memory.dmp

Filesize
4KB

Download
memory/1960-68-0x00000000041D0000-0x00000000041D2000-memory.dmp

Filesize
8KB

Download
memory/1968-1026-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/1992-307-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/2024-9-0x0000000003FC0000-0x0000000003FC1000-memory.dmp

Filesize
4KB

Download
memory/2024-0-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/2024-1-0x00000000041F0000-0x00000000041F2000-memory.dmp

Filesize
8KB

Download
memory/2024-3-0x0000000004190000-0x0000000004191000-memory.dmp

Filesize
4KB

Download
memory/2024-2-0x0000000003FE0000-0x0000000003FE1000-memory.dmp

Filesize
4KB

Download
memory/2024-4-0x0000000003F80000-0x0000000003F81000-memory.dmp

Filesize
4KB

Download
memory/2024-5-0x00000000041B0000-0x00000000041B1000-memory.dmp

Filesize
4KB

Download
memory/2024-6-0x0000000003F70000-0x0000000003F71000-memory.dmp

Filesize
4KB

Download
memory/2024-7-0x0000000003F90000-0x0000000003F91000-memory.dmp

Filesize
4KB

Download
memory/2024-8-0x0000000003FB0000-0x0000000003FB1000-memory.dmp

Filesize
4KB

Download
memory/2024-10-0x0000000003FA0000-0x0000000003FA1000-memory.dmp

Filesize
4KB

Download
memory/2024-14-0x0000000004150000-0x0000000004151000-memory.dmp

Filesize
4KB

Download
memory/2024-22-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/2064-28-0x00000000040E0000-0x00000000040E1000-memory.dmp

Filesize
4KB

Download
memory/2064-32-0x00000000009E0000-0x00000000009E1000-memory.dmp

Filesize
4KB

Download
memory/2064-27-0x00000000041D0000-0x00000000041D2000-memory.dmp

Filesize
8KB

Download
memory/2064-26-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/2064-29-0x0000000004180000-0x0000000004181000-memory.dmp

Filesize
4KB

Download
memory/2064-45-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/2064-43-0x00000000040A0000-0x00000000040A1000-memory.dmp

Filesize
4KB

Download
memory/2064-30-0x00000000009F0000-0x00000000009F1000-memory.dmp

Filesize
4KB

Download
memory/2064-44-0x0000000004150000-0x0000000004151000-memory.dmp

Filesize
4KB

Download
memory/2064-42-0x00000000040C0000-0x00000000040C1000-memory.dmp

Filesize
4KB

Download
memory/2064-31-0x00000000041A0000-0x00000000041A1000-memory.dmp

Filesize
4KB

Download
memory/2064-41-0x00000000040B0000-0x00000000040B1000-memory.dmp

Filesize
4KB

Download
memory/2064-39-0x0000000004090000-0x0000000004091000-memory.dmp

Filesize
4KB

Download
memory/2124-857-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/2172-1086-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/2240-445-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/2296-380-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/2340-417-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/2348-438-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/2368-211-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/2420-1004-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/2432-59-0x00000000040C0000-0x00000000040C1000-memory.dmp

Filesize
4KB

Download
memory/2432-49-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/2432-50-0x00000000041E0000-0x00000000041E2000-memory.dmp

Filesize
8KB

Download
memory/2432-51-0x0000000004120000-0x0000000004121000-memory.dmp

Filesize
4KB

Download
memory/2432-52-0x0000000004190000-0x0000000004191000-memory.dmp

Filesize
4KB

Download
memory/2432-61-0x00000000041B0000-0x00000000041B1000-memory.dmp

Filesize
4KB

Download
memory/2432-63-0x0000000003F70000-0x0000000003F71000-memory.dmp

Filesize
4KB

Download
memory/2432-62-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/2436-505-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/2536-575-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/2556-1012-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/2580-738-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/2616-772-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/2668-887-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/2676-388-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/2724-638-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/2736-661-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/2764-668-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/2792-90-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/2792-91-0x00000000041F0000-0x00000000041F2000-memory.dmp

Filesize
8KB

Download
memory/2792-99-0x0000000004120000-0x0000000004121000-memory.dmp

Filesize
4KB

Download
memory/2792-100-0x00000000041A0000-0x00000000041A1000-memory.dmp

Filesize
4KB

Download
memory/2792-102-0x00000000040C0000-0x00000000040C1000-memory.dmp

Filesize
4KB

Download
memory/2816-408-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/2832-917-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/2844-589-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/2916-689-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/2932-323-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/3020-1147-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download