909733eb574e6b30a85665c93b751221e22b0ae5e9e7178f1c93ee838ee3f4ee

Analysis

max time kernel
152s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
07/05/2024, 23:49

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

909733eb574e6b30a85665c93b751221e22b0ae5e9e7178f1c93ee838ee3f4ee.exe
Size

237KB
MD5

de72eaff0635576ed1f01136f7cf5ab1
SHA1

cd7e192cd81d6f579e76425e35a5a3875bbc9b6f
SHA256

909733eb574e6b30a85665c93b751221e22b0ae5e9e7178f1c93ee838ee3f4ee
SHA512

4f0e611049f96b747e202fb566d81b5b2ffc70a2c6d76f22207a0540979a706404b2045ad4d64e410cd3d84c0b2b09fcb6900130969ef6342824c80e72c36a77
SSDEEP

3072:ZYUb5QoJ4g+Ri+Zj6Iz1ZdW4SrO7FSVaV:ZY7xh6SZI4z7FSVaV

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 58 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wqcrdt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	weyafe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wfgq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wdoijkv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wwdi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wmqm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wewc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wxifg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wqvmfg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wucmftxl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	woduywvy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wwqrnid.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	womlsy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wrewymwx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wkxs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wermdqy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wqumwlv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wptffppa.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wjmpnx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	woeamatl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wejl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wjhy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wunu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wefplku.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wbwvtl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wiqriu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wbfi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wocxx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wfxyige.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wcx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wpof.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wkcarek.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wnoef.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	woe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wfcdhfwse.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wohpefr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wfqrcrfx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wlxp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wqjmnk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wrbnmko.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wncog.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wcxtm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wtjgkqjcr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wdubm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wxdfju.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wmoimire.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wtwhr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	909733eb574e6b30a85665c93b751221e22b0ae5e9e7178f1c93ee838ee3f4ee.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wxxhyji.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wayna.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wnnig.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wahvht.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wqgxvej.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wsjhrb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wdwixk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wprrq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wdrkfr.exe

Executes dropped EXE 58 IoCs

pid	Process
260	wlxp.exe
2332	wkcarek.exe
4604	wewc.exe
3152	wxxhyji.exe
4848	wtjgkqjcr.exe
4220	wbwvtl.exe
1804	wocxx.exe
4056	wqjmnk.exe
1996	wfgq.exe
2264	wdwixk.exe
3984	wjhy.exe
1456	wprrq.exe
2024	wdubm.exe
2612	wdoijkv.exe
4480	wrbnmko.exe
3548	wucmftxl.exe
1824	wwdi.exe
2368	wfcdhfwse.exe
3500	wit.exe
4572	wptffppa.exe
4352	wqgxvej.exe
4212	wqcrdt.exe
3772	wfxyige.exe
1824	wunu.exe
1996	wkxs.exe
368	wiqriu.exe
4584	woduywvy.exe
4408	wefplku.exe
5000	wayna.exe
4520	wdrkfr.exe
1924	wsjhrb.exe
3588	wwqrnid.exe
3560	wnoef.exe
3176	weyafe.exe
4280	wnnig.exe
2744	wjmpnx.exe
444	wohpefr.exe
3616	wermdqy.exe
3172	wxifg.exe
1936	wmoimire.exe
1972	wcx.exe
3176	woe.exe
5000	wbfi.exe
3984	wpof.exe
4228	wejl.exe
4908	wqumwlv.exe
4704	womlsy.exe
3252	wahvht.exe
1944	wncog.exe
2076	wcxtm.exe
2436	wxdfju.exe
4244	wfqrcrfx.exe
5068	wqvmfg.exe
1096	woeamatl.exe
3868	wmqm.exe
1524	wtwhr.exe
3776	wrewymwx.exe
1920	wcsfbjb.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\wpof.exe	wbfi.exe
File created	C:\Windows\SysWOW64\wmqm.exe	woeamatl.exe
File opened for modification	C:\Windows\SysWOW64\wprrq.exe	wjhy.exe
File opened for modification	C:\Windows\SysWOW64\wqcrdt.exe	wqgxvej.exe
File opened for modification	C:\Windows\SysWOW64\wjmpnx.exe	wnnig.exe
File created	C:\Windows\SysWOW64\wcxtm.exe	wncog.exe
File opened for modification	C:\Windows\SysWOW64\wefplku.exe	woduywvy.exe
File opened for modification	C:\Windows\SysWOW64\weyafe.exe	wnoef.exe
File created	C:\Windows\SysWOW64\womlsy.exe	wqumwlv.exe
File opened for modification	C:\Windows\SysWOW64\wwqrnid.exe	wsjhrb.exe
File created	C:\Windows\SysWOW64\wxxhyji.exe	wewc.exe
File created	C:\Windows\SysWOW64\wucmftxl.exe	wrbnmko.exe
File created	C:\Windows\SysWOW64\wwqrnid.exe	wsjhrb.exe
File opened for modification	C:\Windows\SysWOW64\wtwhr.exe	wmqm.exe
File created	C:\Windows\SysWOW64\wqcrdt.exe	wqgxvej.exe
File created	C:\Windows\SysWOW64\woe.exe	wcx.exe
File opened for modification	C:\Windows\SysWOW64\wcxtm.exe	wncog.exe
File created	C:\Windows\SysWOW64\wfcdhfwse.exe	wwdi.exe
File opened for modification	C:\Windows\SysWOW64\wfxyige.exe	wqcrdt.exe
File opened for modification	C:\Windows\SysWOW64\wunu.exe	wfxyige.exe
File opened for modification	C:\Windows\SysWOW64\wxdfju.exe	wcxtm.exe
File created	C:\Windows\SysWOW64\wlxp.exe	909733eb574e6b30a85665c93b751221e22b0ae5e9e7178f1c93ee838ee3f4ee.exe
File opened for modification	C:\Windows\SysWOW64\wlxp.exe	909733eb574e6b30a85665c93b751221e22b0ae5e9e7178f1c93ee838ee3f4ee.exe
File created	C:\Windows\SysWOW64\wdoijkv.exe	wdubm.exe
File created	C:\Windows\SysWOW64\wtjgkqjcr.exe	wxxhyji.exe
File opened for modification	C:\Windows\SysWOW64\wdoijkv.exe	wdubm.exe
File created	C:\Windows\SysWOW64\wefplku.exe	woduywvy.exe
File created	C:\Windows\SysWOW64\wfgq.exe	wqjmnk.exe
File opened for modification	C:\Windows\SysWOW64\wpof.exe	wbfi.exe
File opened for modification	C:\Windows\SysWOW64\wohpefr.exe	wjmpnx.exe
File created	C:\Windows\SysWOW64\wqjmnk.exe	wocxx.exe
File created	C:\Windows\SysWOW64\wdwixk.exe	wfgq.exe
File opened for modification	C:\Windows\SysWOW64\wdrkfr.exe	wayna.exe
File created	C:\Windows\SysWOW64\wcx.exe	wmoimire.exe
File opened for modification	C:\Windows\SysWOW64\wejl.exe	wpof.exe
File created	C:\Windows\SysWOW64\wjhy.exe	wdwixk.exe
File created	C:\Windows\SysWOW64\wnoef.exe	wwqrnid.exe
File opened for modification	C:\Windows\SysWOW64\wxifg.exe	wermdqy.exe
File opened for modification	C:\Windows\SysWOW64\wmoimire.exe	wxifg.exe
File opened for modification	C:\Windows\SysWOW64\womlsy.exe	wqumwlv.exe
File created	C:\Windows\SysWOW64\wncog.exe	wahvht.exe
File opened for modification	C:\Windows\SysWOW64\wrewymwx.exe	wtwhr.exe
File created	C:\Windows\SysWOW64\wkcarek.exe	wlxp.exe
File created	C:\Windows\SysWOW64\wdubm.exe	wprrq.exe
File created	C:\Windows\SysWOW64\wjmpnx.exe	wnnig.exe
File created	C:\Windows\SysWOW64\wxifg.exe	wermdqy.exe
File opened for modification	C:\Windows\SysWOW64\wkxs.exe	wunu.exe
File opened for modification	C:\Windows\SysWOW64\wiqriu.exe	wkxs.exe
File opened for modification	C:\Windows\SysWOW64\wayna.exe	wefplku.exe
File created	C:\Windows\SysWOW64\wnnig.exe	weyafe.exe
File opened for modification	C:\Windows\SysWOW64\wbwvtl.exe	wtjgkqjcr.exe
File opened for modification	C:\Windows\SysWOW64\wocxx.exe	wbwvtl.exe
File opened for modification	C:\Windows\SysWOW64\wdubm.exe	wprrq.exe
File opened for modification	C:\Windows\SysWOW64\wnoef.exe	wwqrnid.exe
File created	C:\Windows\SysWOW64\woeamatl.exe	wqvmfg.exe
File opened for modification	C:\Windows\SysWOW64\wqgxvej.exe	wptffppa.exe
File created	C:\Windows\SysWOW64\wunu.exe	wfxyige.exe
File created	C:\Windows\SysWOW64\wewc.exe	wkcarek.exe
File created	C:\Windows\SysWOW64\wocxx.exe	wbwvtl.exe
File created	C:\Windows\SysWOW64\wptffppa.exe	wit.exe
File opened for modification	C:\Windows\SysWOW64\wrbnmko.exe	wdoijkv.exe
File created	C:\Windows\SysWOW64\wunvgmuk.exe	wcsfbjb.exe
File created	C:\Windows\SysWOW64\wwdi.exe	wucmftxl.exe
File created	C:\Windows\SysWOW64\woduywvy.exe	wiqriu.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 10 IoCs

pid	pid_target	Process	procid_target
4520	2332	WerFault.exe	95
3816	1804	WerFault.exe	121
2744	2264	WerFault.exe	133
1996	2368	WerFault.exe	159
3920	4584	WerFault.exe	188
3724	4244	WerFault.exe	265
1756	1096	WerFault.exe	273
3720	3868	WerFault.exe	276
5004	1524	WerFault.exe	281
4640	3776	WerFault.exe	286

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4764 wrote to memory of 260	4764	909733eb574e6b30a85665c93b751221e22b0ae5e9e7178f1c93ee838ee3f4ee.exe	91
PID 4764 wrote to memory of 260	4764	909733eb574e6b30a85665c93b751221e22b0ae5e9e7178f1c93ee838ee3f4ee.exe	91
PID 4764 wrote to memory of 260	4764	909733eb574e6b30a85665c93b751221e22b0ae5e9e7178f1c93ee838ee3f4ee.exe	91
PID 4764 wrote to memory of 404	4764	909733eb574e6b30a85665c93b751221e22b0ae5e9e7178f1c93ee838ee3f4ee.exe	93
PID 4764 wrote to memory of 404	4764	909733eb574e6b30a85665c93b751221e22b0ae5e9e7178f1c93ee838ee3f4ee.exe	93
PID 4764 wrote to memory of 404	4764	909733eb574e6b30a85665c93b751221e22b0ae5e9e7178f1c93ee838ee3f4ee.exe	93
PID 260 wrote to memory of 2332	260	wlxp.exe	95
PID 260 wrote to memory of 2332	260	wlxp.exe	95
PID 260 wrote to memory of 2332	260	wlxp.exe	95
PID 260 wrote to memory of 2384	260	wlxp.exe	122
PID 260 wrote to memory of 2384	260	wlxp.exe	122
PID 260 wrote to memory of 2384	260	wlxp.exe	122
PID 2332 wrote to memory of 4604	2332	wkcarek.exe	101
PID 2332 wrote to memory of 4604	2332	wkcarek.exe	101
PID 2332 wrote to memory of 4604	2332	wkcarek.exe	101
PID 2332 wrote to memory of 3800	2332	wkcarek.exe	103
PID 2332 wrote to memory of 3800	2332	wkcarek.exe	103
PID 2332 wrote to memory of 3800	2332	wkcarek.exe	103
PID 4604 wrote to memory of 3152	4604	wewc.exe	106
PID 4604 wrote to memory of 3152	4604	wewc.exe	106
PID 4604 wrote to memory of 3152	4604	wewc.exe	106
PID 4604 wrote to memory of 4744	4604	wewc.exe	107
PID 4604 wrote to memory of 4744	4604	wewc.exe	107
PID 4604 wrote to memory of 4744	4604	wewc.exe	107
PID 3152 wrote to memory of 4848	3152	wxxhyji.exe	113
PID 3152 wrote to memory of 4848	3152	wxxhyji.exe	113
PID 3152 wrote to memory of 4848	3152	wxxhyji.exe	113
PID 3152 wrote to memory of 3620	3152	wxxhyji.exe	114
PID 3152 wrote to memory of 3620	3152	wxxhyji.exe	114
PID 3152 wrote to memory of 3620	3152	wxxhyji.exe	114
PID 4848 wrote to memory of 4220	4848	wtjgkqjcr.exe	117
PID 4848 wrote to memory of 4220	4848	wtjgkqjcr.exe	117
PID 4848 wrote to memory of 4220	4848	wtjgkqjcr.exe	117
PID 4848 wrote to memory of 4524	4848	wtjgkqjcr.exe	118
PID 4848 wrote to memory of 4524	4848	wtjgkqjcr.exe	118
PID 4848 wrote to memory of 4524	4848	wtjgkqjcr.exe	118
PID 4220 wrote to memory of 1804	4220	wbwvtl.exe	121
PID 4220 wrote to memory of 1804	4220	wbwvtl.exe	121
PID 4220 wrote to memory of 1804	4220	wbwvtl.exe	121
PID 4220 wrote to memory of 2384	4220	wbwvtl.exe	122
PID 4220 wrote to memory of 2384	4220	wbwvtl.exe	122
PID 4220 wrote to memory of 2384	4220	wbwvtl.exe	122
PID 1804 wrote to memory of 4056	1804	wocxx.exe	124
PID 1804 wrote to memory of 4056	1804	wocxx.exe	124
PID 1804 wrote to memory of 4056	1804	wocxx.exe	124
PID 1804 wrote to memory of 1708	1804	wocxx.exe	125
PID 1804 wrote to memory of 1708	1804	wocxx.exe	125
PID 1804 wrote to memory of 1708	1804	wocxx.exe	125
PID 4056 wrote to memory of 1996	4056	wqjmnk.exe	129
PID 4056 wrote to memory of 1996	4056	wqjmnk.exe	129
PID 4056 wrote to memory of 1996	4056	wqjmnk.exe	129
PID 4056 wrote to memory of 3944	4056	wqjmnk.exe	130
PID 4056 wrote to memory of 3944	4056	wqjmnk.exe	130
PID 4056 wrote to memory of 3944	4056	wqjmnk.exe	130
PID 1996 wrote to memory of 2264	1996	wfgq.exe	133
PID 1996 wrote to memory of 2264	1996	wfgq.exe	133
PID 1996 wrote to memory of 2264	1996	wfgq.exe	133
PID 1996 wrote to memory of 2684	1996	wfgq.exe	134
PID 1996 wrote to memory of 2684	1996	wfgq.exe	134
PID 1996 wrote to memory of 2684	1996	wfgq.exe	134
PID 2264 wrote to memory of 3984	2264	wdwixk.exe	136
PID 2264 wrote to memory of 3984	2264	wdwixk.exe	136
PID 2264 wrote to memory of 3984	2264	wdwixk.exe	136
PID 2264 wrote to memory of 624	2264	wdwixk.exe	137

C:\Users\Admin\AppData\Local\Temp\909733eb574e6b30a85665c93b751221e22b0ae5e9e7178f1c93ee838ee3f4ee.exe
"C:\Users\Admin\AppData\Local\Temp\909733eb574e6b30a85665c93b751221e22b0ae5e9e7178f1c93ee838ee3f4ee.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4764
- C:\Windows\SysWOW64\wlxp.exe
  "C:\Windows\system32\wlxp.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:260
- - C:\Windows\SysWOW64\wkcarek.exe
    "C:\Windows\system32\wkcarek.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2332
  - - C:\Windows\SysWOW64\wewc.exe
      "C:\Windows\system32\wewc.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:4604
    - - C:\Windows\SysWOW64\wxxhyji.exe
        
        "C:\Windows\system32\wxxhyji.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3152
      - C:\Windows\SysWOW64\wtjgkqjcr.exe
        
        "C:\Windows\system32\wtjgkqjcr.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4848
        
        C:\Windows\SysWOW64\wbwvtl.exe
        
        "C:\Windows\system32\wbwvtl.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4220
        
        C:\Windows\SysWOW64\wocxx.exe
        
        "C:\Windows\system32\wocxx.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1804
        
        C:\Windows\SysWOW64\wqjmnk.exe
        
        "C:\Windows\system32\wqjmnk.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4056
        
        C:\Windows\SysWOW64\wfgq.exe
        
        "C:\Windows\system32\wfgq.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1996
        
        C:\Windows\SysWOW64\wdwixk.exe
        
        "C:\Windows\system32\wdwixk.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2264
        
        C:\Windows\SysWOW64\wjhy.exe
        
        "C:\Windows\system32\wjhy.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3984
        
        C:\Windows\SysWOW64\wprrq.exe
        
        "C:\Windows\system32\wprrq.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1456
        
        C:\Windows\SysWOW64\wdubm.exe
        
        "C:\Windows\system32\wdubm.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2024
        
        C:\Windows\SysWOW64\wdoijkv.exe
        
        "C:\Windows\system32\wdoijkv.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2612
        
        C:\Windows\SysWOW64\wrbnmko.exe
        
        "C:\Windows\system32\wrbnmko.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4480
        
        C:\Windows\SysWOW64\wucmftxl.exe
        
        "C:\Windows\system32\wucmftxl.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3548
        
        C:\Windows\SysWOW64\wwdi.exe
        
        "C:\Windows\system32\wwdi.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1824
        
        C:\Windows\SysWOW64\wfcdhfwse.exe
        
        "C:\Windows\system32\wfcdhfwse.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2368
        
        C:\Windows\SysWOW64\wit.exe
        
        "C:\Windows\system32\wit.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3500
        
        C:\Windows\SysWOW64\wptffppa.exe
        
        "C:\Windows\system32\wptffppa.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4572
        
        C:\Windows\SysWOW64\wqgxvej.exe
        
        "C:\Windows\system32\wqgxvej.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4352
        
        C:\Windows\SysWOW64\wqcrdt.exe
        
        "C:\Windows\system32\wqcrdt.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4212
        
        C:\Windows\SysWOW64\wfxyige.exe
        
        "C:\Windows\system32\wfxyige.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3772
        
        C:\Windows\SysWOW64\wunu.exe
        
        "C:\Windows\system32\wunu.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1824
        
        C:\Windows\SysWOW64\wkxs.exe
        
        "C:\Windows\system32\wkxs.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1996
        
        C:\Windows\SysWOW64\wiqriu.exe
        
        "C:\Windows\system32\wiqriu.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:368
        
        C:\Windows\SysWOW64\woduywvy.exe
        
        "C:\Windows\system32\woduywvy.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4584
        
        C:\Windows\SysWOW64\wefplku.exe
        
        "C:\Windows\system32\wefplku.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4408
        
        C:\Windows\SysWOW64\wayna.exe
        
        "C:\Windows\system32\wayna.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5000
        
        C:\Windows\SysWOW64\wdrkfr.exe
        
        "C:\Windows\system32\wdrkfr.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4520
        
        C:\Windows\SysWOW64\wsjhrb.exe
        
        "C:\Windows\system32\wsjhrb.exe"
        32⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1924
        
        C:\Windows\SysWOW64\wwqrnid.exe
        
        "C:\Windows\system32\wwqrnid.exe"
        33⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3588
        
        C:\Windows\SysWOW64\wnoef.exe
        
        "C:\Windows\system32\wnoef.exe"
        34⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3560
        
        C:\Windows\SysWOW64\weyafe.exe
        
        "C:\Windows\system32\weyafe.exe"
        35⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3176
        
        C:\Windows\SysWOW64\wnnig.exe
        
        "C:\Windows\system32\wnnig.exe"
        36⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4280
        
        C:\Windows\SysWOW64\wjmpnx.exe
        
        "C:\Windows\system32\wjmpnx.exe"
        37⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2744
        
        C:\Windows\SysWOW64\wohpefr.exe
        
        "C:\Windows\system32\wohpefr.exe"
        38⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:444
        
        C:\Windows\SysWOW64\wermdqy.exe
        
        "C:\Windows\system32\wermdqy.exe"
        39⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3616
        
        C:\Windows\SysWOW64\wxifg.exe
        
        "C:\Windows\system32\wxifg.exe"
        40⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3172
        
        C:\Windows\SysWOW64\wmoimire.exe
        
        "C:\Windows\system32\wmoimire.exe"
        41⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1936
        
        C:\Windows\SysWOW64\wcx.exe
        
        "C:\Windows\system32\wcx.exe"
        42⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1972
        
        C:\Windows\SysWOW64\woe.exe
        
        "C:\Windows\system32\woe.exe"
        43⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3176
        
        C:\Windows\SysWOW64\wbfi.exe
        
        "C:\Windows\system32\wbfi.exe"
        44⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5000
        
        C:\Windows\SysWOW64\wpof.exe
        
        "C:\Windows\system32\wpof.exe"
        45⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3984
        
        C:\Windows\SysWOW64\wejl.exe
        
        "C:\Windows\system32\wejl.exe"
        46⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4228
        
        C:\Windows\SysWOW64\wqumwlv.exe
        
        "C:\Windows\system32\wqumwlv.exe"
        47⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4908
        
        C:\Windows\SysWOW64\womlsy.exe
        
        "C:\Windows\system32\womlsy.exe"
        48⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4704
        
        C:\Windows\SysWOW64\wahvht.exe
        
        "C:\Windows\system32\wahvht.exe"
        49⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3252
        
        C:\Windows\SysWOW64\wncog.exe
        
        "C:\Windows\system32\wncog.exe"
        50⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1944
        
        C:\Windows\SysWOW64\wcxtm.exe
        
        "C:\Windows\system32\wcxtm.exe"
        51⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2076
        
        C:\Windows\SysWOW64\wxdfju.exe
        
        "C:\Windows\system32\wxdfju.exe"
        52⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2436
        
        C:\Windows\SysWOW64\wfqrcrfx.exe
        
        "C:\Windows\system32\wfqrcrfx.exe"
        53⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4244
        
        C:\Windows\SysWOW64\wqvmfg.exe
        
        "C:\Windows\system32\wqvmfg.exe"
        54⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5068
        
        C:\Windows\SysWOW64\woeamatl.exe
        
        "C:\Windows\system32\woeamatl.exe"
        55⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1096
        
        C:\Windows\SysWOW64\wmqm.exe
        
        "C:\Windows\system32\wmqm.exe"
        56⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3868
        
        C:\Windows\SysWOW64\wtwhr.exe
        
        "C:\Windows\system32\wtwhr.exe"
        57⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1524
        
        C:\Windows\SysWOW64\wrewymwx.exe
        
        "C:\Windows\system32\wrewymwx.exe"
        58⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3776
        
        C:\Windows\SysWOW64\wcsfbjb.exe
        
        "C:\Windows\system32\wcsfbjb.exe"
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1920
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrewymwx.exe"
        59⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3776 -s 1468
        59⤵
        Program crash
        
        PID:4640
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtwhr.exe"
        58⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1524 -s 1360
        58⤵
        Program crash
        
        PID:5004
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmqm.exe"
        57⤵
        
        PID:3884
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3868 -s 1684
        57⤵
        Program crash
        
        PID:3720
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woeamatl.exe"
        56⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1096 -s 1124
        56⤵
        Program crash
        
        PID:1756
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqvmfg.exe"
        55⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfqrcrfx.exe"
        54⤵
        
        PID:3556
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4244 -s 1688
        54⤵
        Program crash
        
        PID:3724
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxdfju.exe"
        53⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcxtm.exe"
        52⤵
        
        PID:884
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wncog.exe"
        51⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wahvht.exe"
        50⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\womlsy.exe"
        49⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqumwlv.exe"
        48⤵
        
        PID:3868
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wejl.exe"
        47⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpof.exe"
        46⤵
        
        PID:396
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbfi.exe"
        45⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woe.exe"
        44⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcx.exe"
        43⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmoimire.exe"
        42⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxifg.exe"
        41⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wermdqy.exe"
        40⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wohpefr.exe"
        39⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjmpnx.exe"
        38⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnnig.exe"
        37⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\weyafe.exe"
        36⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnoef.exe"
        35⤵
        
        PID:3864
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwqrnid.exe"
        34⤵
        
        PID:916
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsjhrb.exe"
        33⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdrkfr.exe"
        32⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wayna.exe"
        31⤵
        
        PID:624
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wefplku.exe"
        30⤵
        
        PID:752
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woduywvy.exe"
        29⤵
        
        PID:3184
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4584 -s 116
        29⤵
        Program crash
        
        PID:3920
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wiqriu.exe"
        28⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkxs.exe"
        27⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wunu.exe"
        26⤵
        
        PID:840
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfxyige.exe"
        25⤵
        
        PID:624
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqcrdt.exe"
        24⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqgxvej.exe"
        23⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wptffppa.exe"
        22⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wit.exe"
        21⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfcdhfwse.exe"
        20⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2368 -s 1536
        20⤵
        Program crash
        
        PID:1996
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwdi.exe"
        19⤵
        
        PID:3424
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wucmftxl.exe"
        18⤵
        
        PID:748
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrbnmko.exe"
        17⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdoijkv.exe"
        16⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdubm.exe"
        15⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wprrq.exe"
        14⤵
        
        PID:936
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjhy.exe"
        13⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdwixk.exe"
        12⤵
        
        PID:624
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2264 -s 1460
        12⤵
        Program crash
        
        PID:2744
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfgq.exe"
        11⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqjmnk.exe"
        10⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wocxx.exe"
        9⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1804 -s 1448
        9⤵
        Program crash
        
        PID:3816
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbwvtl.exe"
        8⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtjgkqjcr.exe"
        7⤵
        
        PID:4524
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxxhyji.exe"
        6⤵
        
        PID:3620
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wewc.exe"
        5⤵
        
        PID:4744
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkcarek.exe"
      4⤵
      PID:3800
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2332 -s 1064
      4⤵
      Program crash
      PID:4520
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlxp.exe"
    3⤵
    PID:2384
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\909733eb574e6b30a85665c93b751221e22b0ae5e9e7178f1c93ee838ee3f4ee.exe"
  2⤵
  PID:404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2332 -ip 2332
1⤵
PID:2768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1804 -ip 1804
1⤵
PID:2460

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5164 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:8
1⤵
PID:3912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2264 -ip 2264
1⤵
PID:3796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2368 -ip 2368
1⤵
PID:1748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4584 -ip 4584
1⤵
PID:4888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4244 -ip 4244
1⤵
PID:4140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1096 -ip 1096
1⤵
PID:4596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3868 -ip 3868
1⤵
PID:4516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1524 -ip 1524
1⤵
PID:3964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3776 -ip 3776
1⤵
PID:1804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\wayna.exe

Filesize
238KB

MD5
74dcd90afd96a9327d5f3f0a35b14307

SHA1
1c5c2dbd034fb07df0f79cbd9df3427ad9754adf

SHA256
87f137f1fec854904a9cff49eba96e4e85dcf6dd10992f4ffb14bf8a413a04cc

SHA512
f1c00bcadd7370f818d49bc4a4bbacbb6ab308f1cdb49891924f583987ac63579db9a29553caa926ea3d64bc52aba9568dd661f2b07adcb042df883a0011421f

Download Submit
C:\Windows\SysWOW64\wbwvtl.exe

Filesize
238KB

MD5
fe5c9da60511d9604caf3ed40513ac05

SHA1
36f5ac78a3767ac1e537a23d581301e76c0a8447

SHA256
1049f5a2bba2353bd970c182c419fa8efa4b2bdaf1e89955ff1425124b11a3cd

SHA512
622b1837596bba7aed44d7c6c2334cc1119bf199f8ddd09fb60870546153f044fdc60d9e453fb20d785e9d30f4f137eb2e240224f58f465e274bb49029b38e3f

Download Submit
C:\Windows\SysWOW64\wdoijkv.exe

Filesize
238KB

MD5
6fb352b4d95846fd81d068bd7ae8f24d

SHA1
cf2f00b6330c4945a7723f53c57372996b39fd9c

SHA256
a1b40f420e5fb2e2c19fdf195f4655243531077b1e0fd71b9bd7aae431716465

SHA512
abde04664e01c18c4e80d66d682c3bbed6b5190c27e8970ed1c224473b209a0b21a0b06d5b38be303cd65e2faf51203c0636dd44492946b735712980b01176d5

Download Submit
C:\Windows\SysWOW64\wdrkfr.exe

Filesize
238KB

MD5
111c6829963949e13ed7d5d363b023a6

SHA1
55e697f0ed0a336e1545ab3173df172fab5517fc

SHA256
dd804e0135e1bb8d7f9adbbed8e775cb06aaad92307fc865ca5cef14fac0e421

SHA512
432a5f2e0fd6c86cb11168021354d6a628a5eb499b76aac63ab423f0bc5ac1fe2f41a5aa210d68733718c91415a09adc2e0c678eec79002b7d497855125fb87f

Download Submit
C:\Windows\SysWOW64\wdubm.exe

Filesize
238KB

MD5
bc253198c2866a4f0a8c6d25f9f8ac67

SHA1
7fc1d2171f63f3bf3d33fecf8d878d273ee86025

SHA256
498653dae315011bef36eee1eefb9881708252de4ac6d0e5d969c19a1a83f6d6

SHA512
dcbb327c8f513bedf34cfdb21a2d0cd4319f032a12674290524e9154ef7da92b2f831098c6c30a5c23aa0fc9f26109bb04664e549e6bad129a8e6256c066fe99

Download Submit
C:\Windows\SysWOW64\wdwixk.exe

Filesize
238KB

MD5
ee2bd47325a700973bf266e71d78d474

SHA1
405cf705966249f3a1972ade17f6f24011cbd2e1

SHA256
52ce0b0c8efe1dc065c5fd652f40903487c36a83863cb27d42cc783624179e1d

SHA512
3a23a6e797725921ad878fff562efdfc9e09314872fe20516ed0d9c8d611eca01b837a3c8edba0921fd5bdfc94b975d75147cd16081f20080c7c954257b9e2f2

Download Submit
C:\Windows\SysWOW64\wefplku.exe

Filesize
238KB

MD5
16121b4d7ce2848b0e45bf75ca7c716a

SHA1
30dfacccf09de946f35fdb6454f6e96da62bf64f

SHA256
9d829ceba87a4dc03848e518cca5865e5ed443780165d5b5044c544a3a839384

SHA512
d38844cd34af9fea72011b4b0a1f8491ac664d0176020d9f777fe349ca1ab70cecd752bbe43b80d671cd441c2588803e3cee7db903d1ac300578f07d76740582

Download Submit
C:\Windows\SysWOW64\wewc.exe

Filesize
237KB

MD5
33c05e6af62d9bf30e43c80f7759c85a

SHA1
253726bccb5c252a36683c95ea32a72a10330244

SHA256
63382a7b407eb498b6e9c68298e4bd67e68c8962dc76724ce6b1b42f428ed8ee

SHA512
e609761ea09e3e94a533c59ab7cbc357839b89eb6a63ec49021c9071e4cddfc401d46366abd4d47367afc2a2907bc759d5654b44c9d19e7abc91127f361dcfcb

Download Submit
C:\Windows\SysWOW64\wfcdhfwse.exe

Filesize
238KB

MD5
767fe7b697eb91d5ff26f0dedc057aaf

SHA1
8a4a46ab8e93410c069ee004a13307c0ed77565b

SHA256
05aa756cde3477c88e6e642159e0674c380f8605ac82b2a988a30fe57fcfe9ac

SHA512
3b1c3e43fd2c70e2c4482592bdfc4fbba17c07e0c5f0f2ff53a360c6f5ac7102f66e55b74f5b9dfddb275965806881cac276056e0d03a36450f5eddbcb682d6b

Download Submit
C:\Windows\SysWOW64\wfgq.exe

Filesize
238KB

MD5
9212b56d31cbea927f0b37e3642d480b

SHA1
a42231eb0f1cd8c90b8d7ec1ac3e31a3d174ef67

SHA256
4dcfc74ffc42e7178014ab389dc9f59440b805a7891717f5e9315035d0a88890

SHA512
f90f1d5118e08b6039ffaace339c5fa01ddcb9879122089de3b42cd67bf94f276cc41fc31aa4ea2c7a1ba90a7ee73f2453da488f650e4a703baa96c8c244ba3d

Download Submit
C:\Windows\SysWOW64\wfxyige.exe

Filesize
238KB

MD5
1f14047ea4551cf349f360f2655dfd31

SHA1
fca4e384bd0ae620ac64037af2ba1ae97cde7cb6

SHA256
e83742fd25ddbffb55b2c11e362e288a21f1920d3a461c3e0099aec11168f00d

SHA512
4c3cff04402392ad478a9bb766e091067f1d5f30b7d4ea52d3073f112e9026437f281e48d5f6eac141f6b64677a8ed57b28fc06072dffde7967e0011f1165923

Download Submit
C:\Windows\SysWOW64\wiqriu.exe

Filesize
238KB

MD5
0180bcc686e6a8718c7efdb07a6df44b

SHA1
2405a0b0aaab6495a666e535a261402e2d47d54e

SHA256
4f2c8191d40df1dc15ece0beedf3ec32a06ddf68d082ecd27a075d9e747da049

SHA512
0b8f6a3b5134027fe53d7028ad1220b95092be172b2c8d9106f017d6c65dbec31103d96b598cef1791a3ef0565d9e28da9d9fa8730e17dac1eded04152cba918

Download Submit
C:\Windows\SysWOW64\wit.exe

Filesize
238KB

MD5
a68361c57fd48bc8d0d23b30ecfbf305

SHA1
071a13eb7b328a5d3d507e7c3b8c2082c5a8dda2

SHA256
33ce7e0aa1ba5623b003b1c1fa4eae9e05c497595c648d4361c14d7669ebed27

SHA512
8842ca5d482525dd261066ee592398f71ae53c5428b6b4ad8d45adebab41ab052092f7ca7de35228430a515875e649d26411c7b387305917f359f3f245b31119

Download Submit
C:\Windows\SysWOW64\wjhy.exe

Filesize
238KB

MD5
b55c42896c904c775d8a018dcc6cc27a

SHA1
b9b1e098df4b4abaab1b50bdd5592f61a5c48fcb

SHA256
ae03390decc1abbda32086e02eaec4815b2bfb40b585acef147f6fa9e4b76de6

SHA512
f25629002ddaf2d44f70bebf5044b63ef88566761a96eedad3893a5037d06154368819a4d39da130a94046f895149c64e186d4d61fb7064fd17d2ac6f58f2370

Download Submit
C:\Windows\SysWOW64\wkcarek.exe

Filesize
237KB

MD5
5ccc4894ba47fb002ab5e86152f88788

SHA1
f2e4d6c2a5717b49785e6c9c12c627274df55789

SHA256
afb2a22a595494af69c36e546c8d1401a274be507c4c9c8f490093bde558ebb6

SHA512
fcff122609744a87e89a0b13f0f04e4a3f9d766122f250d7a3947b486aae6afe44f84e636bbbaa73259ac01c400404fbb47afd67b39310d95e63018654c3a25f

Download Submit
C:\Windows\SysWOW64\wkxs.exe

Filesize
238KB

MD5
c2bf6e4b6c89f9b13f6a5d8311c2310c

SHA1
3b4c43cc0f055871704a15ed71007f8de39e1e9e

SHA256
9f73a7520096fd36c9882f03c14db015bea0e5a69de37959ddc5381a531deb0f

SHA512
9771f7893c88b69834f82402eee1be1714e3c11efeb5cfe89759067fe3c7ff91e82c1c90aa3adac2df6ce3ee2c52b7e1f592e8dd52569383f348e22eb855efb9

Download Submit
C:\Windows\SysWOW64\wlxp.exe

Filesize
237KB

MD5
0e89cf11cf03401ca412c70c2fc4a354

SHA1
305f2ff8784f4d770ff87781a7c62bdd9683e7eb

SHA256
104b9bb67183fd97664aa136e68e1fe9bac230ad2f30bc40bd8972c8a568b911

SHA512
11e09dc85b1599d1e699924a18e5b6cf3c965b6fec0be4c9bd61ede0c7e731f69c7b87e70ff848b7d632a554b4576163390a7ac486981df8d229524bfcbdf3e0

Download Submit
C:\Windows\SysWOW64\wocxx.exe

Filesize
238KB

MD5
116ca8de124ad247356f0ac79100c8bb

SHA1
62816585ca64a3271a260a09029714155e2d56c5

SHA256
be3b27b2e18c618e10770f2b7e56070ffee83a412e55f09d9d8f221a73ac025e

SHA512
288c519a65f31896ac70bed192efe8a23599e6be8ef0019c6a40faf4007b8b429d8033e60a0a00daf95ced77cb6823252b606d770f0af75c2f1be7e8194dea53

Download Submit
C:\Windows\SysWOW64\woduywvy.exe

Filesize
238KB

MD5
eb7f846deb3cb4fc3b88225a3d024c59

SHA1
bde2d8d8e6771a26dc1392a127172ee65ff191f2

SHA256
03071a8555e25cdadd6517a939db34923291cb26cd0ee894f630705722de3c7c

SHA512
505e09315fa6b118c752445db0414da031f19c7435f726e73ef8a893c75c426054cd402afa127c315174928ef1449a36ad75c673c858c311903158d54eba09c4

Download Submit
C:\Windows\SysWOW64\wprrq.exe

Filesize
238KB

MD5
c1b7fc959da47f50d9dfa13b7f89903c

SHA1
1a72396bbe345299e93edefab3f9b0247fc7516f

SHA256
3be1f656ec526b8dbbfac3bd8b56583b29ac80d19f18b5ad14bf122a92d527b6

SHA512
f1284a931f52e9317262e448405ecc0bbf21c57d09ae217b7a8756668471af6ac564f86021fece5da7fed36d45ad140a1d858d646697e0f8dfc9d105c6c9b2d8

Download Submit
C:\Windows\SysWOW64\wptffppa.exe

Filesize
238KB

MD5
84e052199f2591639273655e1dbb4ad9

SHA1
1d7bfdfe49028ddcaa09001cd68f546141dcf03e

SHA256
6cadc19aa05804be6b66c4f6596fa1933bb74177dceddb0728c59e0163694bf6

SHA512
3ad9c010dda1824124d277b73d05bc7b2d07bc23e5ac51ea7371b4a811afdb45fb07309a96bd314a5560a3fda10a88f6172764f36f4b6e9b1dff50dd3a933651

Download Submit
C:\Windows\SysWOW64\wqcrdt.exe

Filesize
238KB

MD5
4d4161eebc5f431ef2bb0ef471a10d4b

SHA1
3adad2f96da4101529b99faa96e0053646fd32cd

SHA256
31b2f6160b38a4af27385f5ac47a95d6b5cd96b4a5f606d294f79e078ee139e5

SHA512
ac5ef4bd6ff73c4daabfff852a132c36b40a0857ab57d83039624315664f3495013871dea606ca989fd4f0ed6eef1c2d51b513099a286b05165d0a578bd52beb

Download Submit
C:\Windows\SysWOW64\wqgxvej.exe

Filesize
238KB

MD5
3b872db1bba6d2c05933763f294b8de6

SHA1
1e7b9f5ea442922dfbb6b71cb52732c3e5844adc

SHA256
d61bfc6a469d987a7f98c7e6bb4327e1166a8eb4755dc1e34cf4584bc1b755d2

SHA512
d1a2829b64d96aa091f38625da16a5d24eced1f9239172984272f3ded845a457987b416487251b3bd80234b964f2cff658908126579c9f7c76dd3987ae826048

Download Submit
C:\Windows\SysWOW64\wqjmnk.exe

Filesize
238KB

MD5
57117d0f5540c208a6d35874cc1251bd

SHA1
39291578e429294dd077e59e53e2b9dd89503896

SHA256
3ea5c8f27e2eb7f670b30ff7283bdcece1619eb8f7d5e5c8d75231f722ce1550

SHA512
fa388dcb1fee97667b84286e18d26eae8411c129eeba79ed09a560910ade99659e3f153e15c7e43c18a256a5a580f30dab994d3ae5796220df08d6abd356f524

Download Submit
C:\Windows\SysWOW64\wrbnmko.exe

Filesize
238KB

MD5
306cc7ebbbf28851ac13052fdd2a33bd

SHA1
250c265cf78b20ecfaba6224c06dc9b39b2d5618

SHA256
2a49a772be07923a31c9eebcac5938686406d36fc513b3f2ee3b4f3fbad9b737

SHA512
87fef58b045d531f7832863c4c841445a467d69260c1045eba33c7e017454fa9e198301c6f2e3ab3e00e5c40851ec42796229a2e10579ea0216eb0ab651756a0

Download Submit
C:\Windows\SysWOW64\wsjhrb.exe

Filesize
238KB

MD5
6dcf21734230ea5ae1483f95b0a4ec32

SHA1
a3e2853d41f596d75df1685c187f966d0d0d452d

SHA256
bdeb119107e805f5c4ccb53e5913e8da64cbeed5e28382f8d552ef571b5ac4f8

SHA512
7af190cff587e99dbaa0c57d86b409c17bb52f9225f3b9954ef5373dd739b5202676247b13c87b7c83af503058d148ad8569ff8af85c92e9a57e7525874a6bde

Download Submit
C:\Windows\SysWOW64\wtjgkqjcr.exe

Filesize
238KB

MD5
f2de7e4edad0d74a6c94a49a3e9d026b

SHA1
2c65b5d150330f910a82600098da9d584c900674

SHA256
b4d30eb07fbbf4c2a5ff07cc3cb9bd6bcb06ce89348456ca1d2efda11f05de63

SHA512
5cbc45e62f22351ab035040583bd4ee158c9143b3427224e9b93f61489b634a75d0a88bb2ea510de4093fd3f71827f81193142374e2093f53fdb287737ef5536

Download Submit
C:\Windows\SysWOW64\wucmftxl.exe

Filesize
238KB

MD5
2ad70fe73caa9e090e48f1baf33086aa

SHA1
d491b8c38f08f17250e1a283855d6a0702890833

SHA256
db4577d41fe6fc2c2a9b8340abe65eb4623dc19507260d40739209c813408bb0

SHA512
20ee760b2f00f2fe96db9a7d732074d1d27cd43236dc4b813c579b358dcb2ee123a1a3b3a58a0c39483cd414c4b84d2823f69fd23b7e439eb1c94b6caa61326e

Download Submit
C:\Windows\SysWOW64\wunu.exe

Filesize
238KB

MD5
623a1f1be04c4554e7c3d990c0f5bd8b

SHA1
e11e6c87ef1f41453aee400984781853c521ada7

SHA256
040ae6e22be8052c7a12f1744d474f54d0edc708b582070cd8c1f62d130e3a2a

SHA512
c162ea3b4c43060e41558a2ce62a56c2b5bda020bdf105d67d8760de5032a77a3f065888a40e9d17a5e87b1a7182be2c6a88dc89dcc817f3da44b4e1210b2722

Download Submit
C:\Windows\SysWOW64\wwdi.exe

Filesize
238KB

MD5
259f2b845beecfc0d0cc2093dd399b08

SHA1
a93ebee85ea757f0818826144b7ee6849235dce5

SHA256
52ca15df4395f6a8c4a052eb2c30a67ce730f67efc2ece595525e8e528779307

SHA512
05a9facce09d414ba453c22515f0734d9caf7edc8658be8f4868b94b800f179b48e08c6c2c791c246a755c1725be774795f6c30cd838d205420d725b084db3fc

Download Submit
C:\Windows\SysWOW64\wwqrnid.exe

Filesize
238KB

MD5
24e9fcc149c2b55465e9b27dc7f6b49c

SHA1
0835ed4b7c78ed03f7e19c2adc8104a1d9493bb1

SHA256
c949ae8cd1b4e7f9315130ed04d0a1512c114a8d720365e0cede7dad40285395

SHA512
0b99208bcc828421ab5703177958e1f4e591fe27ee7eaffb35b180b29fb2855fc1359d5b22e98ec1a8788a0075d78f059dfd6a99665be9597f2b79b9266d365e

Download Submit
C:\Windows\SysWOW64\wxxhyji.exe

Filesize
238KB

MD5
2ac2dbadbaca4cd3852c2468b4ba71c9

SHA1
aa7d2bd08e4ad052ce9b0046d047d7069f927d17

SHA256
08b2c60c55af5ef6b4b77f158e4ded8934afc00cb86f68e45d986a1e4826db53

SHA512
3304cf95cd187fc70a5983c8710a9e7170b413038cdaa903c389b0343c9c12508cf3f33d4e06a3bbc81cf74f1e5862ac2f4975cc7c05119957e5fce23a0291fe

Download Submit
memory/260-20-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/368-278-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/368-267-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/444-380-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1096-509-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1096-519-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1456-132-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1524-535-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1804-130-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1824-183-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1824-246-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1824-257-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1924-320-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1924-331-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1936-405-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1944-478-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1972-413-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1996-100-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1996-268-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2024-143-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2024-131-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2076-486-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2264-101-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2264-133-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2332-89-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2368-193-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2436-494-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2612-153-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2744-372-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3152-50-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3172-397-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3176-356-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3176-421-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3252-470-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3500-204-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3548-173-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3560-347-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3588-339-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3616-388-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3772-235-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3772-247-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3776-543-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3868-527-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3984-120-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3984-437-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4056-90-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4212-236-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4220-70-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4228-445-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4244-518-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4280-364-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4280-355-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4352-225-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4408-299-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4480-163-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4520-321-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4520-309-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4572-214-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4584-288-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4604-39-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4704-462-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4764-0-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4764-10-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4848-60-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4848-49-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4908-453-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/5000-310-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/5000-429-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/5000-298-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/5068-510-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download