0bdf0999475e6c88c97212f21aa51c655b3be722c6f5e899b33c0f86ed685f26

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
25-06-2024 18:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0bdf0999475e6c88c97212f21aa51c655b3be722c6f5e899b33c0f86ed685f26.exe
Size

24KB
MD5

1ed11cb1914bba9722853fa9226f6d63
SHA1

4a98af6ee72ef9c34afc3434dab568a3dd1388a3
SHA256

0bdf0999475e6c88c97212f21aa51c655b3be722c6f5e899b33c0f86ed685f26
SHA512

df78c296709ab34b4359b39f80e4bdfd115d09e1cf78480046be7fd63722e8c15b7949ff668bc77cd26195de8fedc2e02ea15640078c5b986c51c289a2ff6dc5
SSDEEP

384:xue4QRBnwNhqTBWH7sBmbF7RlEnLYjp0KnjNe1fQuRVmC1he7vvxlL6:xuwrUH7VbF9unMgtXmCe7D6

Score

9^/10

Malware Config

Signatures

Detects executables built or packed with MPress PE compressor 64 IoCs

resource	yara_rule
behavioral2/memory/4284-0-0x0000000000400000-0x0000000000418000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x000900000002351a-5.dat	INDICATOR_EXE_Packed_MPress
behavioral2/memory/4284-10-0x0000000000400000-0x0000000000418000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x0007000000023522-18.dat	INDICATOR_EXE_Packed_MPress
behavioral2/memory/1624-20-0x0000000000400000-0x0000000000418000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x0008000000023528-29.dat	INDICATOR_EXE_Packed_MPress
behavioral2/memory/2560-31-0x0000000000400000-0x0000000000418000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/1092-33-0x0000000000400000-0x0000000000418000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x0009000000023529-41.dat	INDICATOR_EXE_Packed_MPress
behavioral2/memory/2560-44-0x0000000000400000-0x0000000000418000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x000900000002352b-52.dat	INDICATOR_EXE_Packed_MPress
behavioral2/memory/1440-55-0x0000000000400000-0x0000000000418000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x0009000000023528-63.dat	INDICATOR_EXE_Packed_MPress
behavioral2/memory/4320-66-0x0000000000400000-0x0000000000418000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x000900000002352e-74.dat	INDICATOR_EXE_Packed_MPress
behavioral2/memory/3212-78-0x0000000000400000-0x0000000000418000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/1508-76-0x0000000000400000-0x0000000000418000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x001400000002352b-86.dat	INDICATOR_EXE_Packed_MPress
behavioral2/memory/972-88-0x0000000000400000-0x0000000000418000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/1508-90-0x0000000000400000-0x0000000000418000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x0007000000023533-98.dat	INDICATOR_EXE_Packed_MPress
behavioral2/memory/972-101-0x0000000000400000-0x0000000000418000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x000a00000002352e-109.dat	INDICATOR_EXE_Packed_MPress
behavioral2/memory/1228-111-0x0000000000400000-0x0000000000418000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/1912-112-0x0000000000400000-0x0000000000418000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x001500000002352b-120.dat	INDICATOR_EXE_Packed_MPress
behavioral2/memory/1228-124-0x0000000000400000-0x0000000000418000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/2344-122-0x0000000000400000-0x0000000000418000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x0008000000023533-132.dat	INDICATOR_EXE_Packed_MPress
behavioral2/memory/740-134-0x0000000000400000-0x0000000000418000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/2344-136-0x0000000000400000-0x0000000000418000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x000b00000002352e-144.dat	INDICATOR_EXE_Packed_MPress
behavioral2/memory/4572-146-0x0000000000400000-0x0000000000418000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/740-148-0x0000000000400000-0x0000000000418000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x001600000002352b-156.dat	INDICATOR_EXE_Packed_MPress
behavioral2/memory/872-158-0x0000000000400000-0x0000000000418000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/4572-160-0x0000000000400000-0x0000000000418000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x0009000000023533-168.dat	INDICATOR_EXE_Packed_MPress
behavioral2/memory/872-171-0x0000000000400000-0x0000000000418000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x000c00000002352e-180.dat	INDICATOR_EXE_Packed_MPress
behavioral2/memory/2900-181-0x0000000000400000-0x0000000000418000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/3948-183-0x0000000000400000-0x0000000000418000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x001700000002352b-191.dat	INDICATOR_EXE_Packed_MPress
behavioral2/memory/2900-193-0x0000000000400000-0x0000000000418000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x000a000000023533-201.dat	INDICATOR_EXE_Packed_MPress
behavioral2/memory/1840-203-0x0000000000400000-0x0000000000418000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/4996-205-0x0000000000400000-0x0000000000418000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x000d00000002352e-213.dat	INDICATOR_EXE_Packed_MPress
behavioral2/memory/1840-216-0x0000000000400000-0x0000000000418000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x0008000000023537-224.dat	INDICATOR_EXE_Packed_MPress
behavioral2/memory/4836-227-0x0000000000400000-0x0000000000418000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x000800000002353a-235.dat	INDICATOR_EXE_Packed_MPress
behavioral2/memory/4456-238-0x0000000000400000-0x0000000000418000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x000e00000002352e-246.dat	INDICATOR_EXE_Packed_MPress
behavioral2/memory/4224-250-0x0000000000400000-0x0000000000418000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/1480-249-0x0000000000400000-0x0000000000418000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x0009000000023537-258.dat	INDICATOR_EXE_Packed_MPress
behavioral2/memory/2348-260-0x0000000000400000-0x0000000000418000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/4224-261-0x0000000000400000-0x0000000000418000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x000900000002353a-270.dat	INDICATOR_EXE_Packed_MPress
behavioral2/memory/2348-271-0x0000000000400000-0x0000000000418000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x000b00000002353b-280.dat	INDICATOR_EXE_Packed_MPress
behavioral2/memory/3772-281-0x0000000000400000-0x0000000000418000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/2824-283-0x0000000000400000-0x0000000000418000-memory.dmp	INDICATOR_EXE_Packed_MPress

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	wgxrux.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	wpbr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	wphmyiy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	wusmlsbjy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	whwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	wlhco.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	wwfocod.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	wjoacg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	wcylb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	wqch.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	wghlye.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	wmvhgol.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	wlkhyywab.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	wltbodiuy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	wnuj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	wtfghsmb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	0bdf0999475e6c88c97212f21aa51c655b3be722c6f5e899b33c0f86ed685f26.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	wjeiu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	wwauht.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	wmfweq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	wikaco.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	wwji.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	wfmkcd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	wpdma.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	wiuxqxr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	wxnb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	womgu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	wtdey.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	wsgqwfh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	wfesxjjfu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	wvppt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	wcwd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	wpvrqnpx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	wvhmhf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	wctpd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	wpmska.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	wvsgrriov.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	wvxjoa.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	wdubm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	wddiy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	wwoxd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	wlfgt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	wabbwrq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	wclctt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	wloghc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	wgts.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	wkttgw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	wgopbs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	wsklya.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	whr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	wlwpivje.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	wgsfh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	wpu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	wsteft.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	wjfok.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	wywspajf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	wgd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	womtcf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	woe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	whljrpbd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	wysjyl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	wtjo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	wljodltlg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	wpci.exe

Executes dropped EXE 64 IoCs

pid	Process
1624	wjeiu.exe
1092	wiuxqxr.exe
2560	wikaco.exe
1440	wumj.exe
4320	wntilslv.exe
3212	wusmlsbjy.exe
1508	wmoei.exe
972	wlfgt.exe
1912	wmvhgol.exe
1228	wllir.exe
2344	wywspajf.exe
740	wpgbgjpk.exe
4572	wpmska.exe
872	wcwd.exe
3948	whwm.exe
2900	wplgod.exe
4996	wqch.exe
1840	wmcxjnu.exe
4836	wxqfmk.exe
4456	whxmakxj.exe
1480	wghlye.exe
4224	wwqsno.exe
2348	wabbwrq.exe
2824	wvsgrriov.exe
3772	wwji.exe
4564	wvxjoa.exe
4456	wwauht.exe
768	wgopbs.exe
2552	wxnb.exe
2532	wxecdq.exe
5100	whljrpbd.exe
2328	wvhmhf.exe
972	wslitea.exe
2704	wgxrux.exe
1472	wgxdm.exe
64	wgd.exe
648	wdubm.exe
4916	wofl.exe
4836	wlkhyywab.exe
1992	wsklya.exe
2424	wpbr.exe
4372	wclctt.exe
3224	wfmkcd.exe
4732	wysjyl.exe
64	wtjo.exe
2800	wtbpfc.exe
3244	waoojk.exe
2520	wdpvrt.exe
5032	whr.exe
528	wlgbfme.exe
3152	wphknv.exe
2264	wlwpivje.exe
4052	wphmyiy.exe
1416	wxrb.exe
5016	wgsfh.exe
2072	wghgtckn.exe
1656	wljodltlg.exe
1692	wloghc.exe
4708	wpu.exe
1652	wlhco.exe
1432	wljnhauu.exe
4588	wpvrqnpx.exe
4528	womtcf.exe
3840	womgu.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\wxnb.exe	wgopbs.exe
File created	C:\Windows\SysWOW64\wofl.exe	wdubm.exe
File created	C:\Windows\SysWOW64\wwfocod.exe	wjfok.exe
File created	C:\Windows\SysWOW64\wntilslv.exe	wumj.exe
File created	C:\Windows\SysWOW64\wgsfh.exe	wxrb.exe
File created	C:\Windows\SysWOW64\womgu.exe	womtcf.exe
File opened for modification	C:\Windows\SysWOW64\wcpjci.exe	wkttgw.exe
File created	C:\Windows\SysWOW64\wkttgw.exe	wctpd.exe
File created	C:\Windows\SysWOW64\wghlye.exe	whxmakxj.exe
File opened for modification	C:\Windows\SysWOW64\wpdma.exe	wctbcr.exe
File opened for modification	C:\Windows\SysWOW64\wgxdm.exe	wgxrux.exe
File opened for modification	C:\Windows\SysWOW64\wywspajf.exe	wllir.exe
File created	C:\Windows\SysWOW64\wmvhgol.exe	wlfgt.exe
File opened for modification	C:\Windows\SysWOW64\wabbwrq.exe	wwqsno.exe
File opened for modification	C:\Windows\SysWOW64\wlkhyywab.exe	wofl.exe
File opened for modification	C:\Windows\SysWOW64\wysjyl.exe	wfmkcd.exe
File created	C:\Windows\SysWOW64\wiuxqxr.exe	wjeiu.exe
File opened for modification	C:\Windows\SysWOW64\wslitea.exe	wvhmhf.exe
File created	C:\Windows\SysWOW64\wfmkcd.exe	wclctt.exe
File created	C:\Windows\SysWOW64\wpvrqnpx.exe	wljnhauu.exe
File created	C:\Windows\SysWOW64\wrotov.exe	wkpq.exe
File created	C:\Windows\SysWOW64\wwoxd.exe	wbgu.exe
File opened for modification	C:\Windows\SysWOW64\wlfgt.exe	wmoei.exe
File created	C:\Windows\SysWOW64\wgxrux.exe	wslitea.exe
File created	C:\Windows\SysWOW64\wddiy.exe	wtdey.exe
File opened for modification	C:\Windows\SysWOW64\wmvhgol.exe	wlfgt.exe
File created	C:\Windows\SysWOW64\womtcf.exe	wpvrqnpx.exe
File opened for modification	C:\Windows\SysWOW64\womtcf.exe	wpvrqnpx.exe
File opened for modification	C:\Windows\SysWOW64\wumj.exe	wikaco.exe
File opened for modification	C:\Windows\SysWOW64\wgxrux.exe	wslitea.exe
File opened for modification	C:\Windows\SysWOW64\wtbpfc.exe	wtjo.exe
File opened for modification	C:\Windows\SysWOW64\wkttgw.exe	wctpd.exe
File opened for modification	C:\Windows\SysWOW64\wvhmhf.exe	whljrpbd.exe
File opened for modification	C:\Windows\SysWOW64\wgsfh.exe	wxrb.exe
File created	C:\Windows\SysWOW64\wpu.exe	wloghc.exe
File opened for modification	C:\Windows\SysWOW64\whxmakxj.exe	wxqfmk.exe
File created	C:\Windows\SysWOW64\wslitea.exe	wvhmhf.exe
File opened for modification	C:\Windows\SysWOW64\wphknv.exe	wlgbfme.exe
File opened for modification	C:\Windows\SysWOW64\woe.exe	wfesxjjfu.exe
File opened for modification	C:\Windows\SysWOW64\wnuj.exe	wwplhlwu.exe
File opened for modification	C:\Windows\SysWOW64\wvwokbxn.exe	wowkjai.exe
File created	C:\Windows\SysWOW64\wqch.exe	wplgod.exe
File created	C:\Windows\SysWOW64\whxmakxj.exe	wxqfmk.exe
File created	C:\Windows\SysWOW64\wctpd.exe	wtukdur.exe
File opened for modification	C:\Windows\SysWOW64\wvsgrriov.exe	wabbwrq.exe
File opened for modification	C:\Windows\SysWOW64\wwoxd.exe	wbgu.exe
File created	C:\Windows\SysWOW64\wtjo.exe	wysjyl.exe
File opened for modification	C:\Windows\SysWOW64\whr.exe	wdpvrt.exe
File created	C:\Windows\SysWOW64\wghgtckn.exe	wgsfh.exe
File opened for modification	C:\Windows\SysWOW64\wljodltlg.exe	wghgtckn.exe
File opened for modification	C:\Windows\SysWOW64\wjeiu.exe	0bdf0999475e6c88c97212f21aa51c655b3be722c6f5e899b33c0f86ed685f26.exe
File opened for modification	C:\Windows\SysWOW64\wvxjoa.exe	wwji.exe
File created	C:\Windows\SysWOW64\wxnb.exe	wgopbs.exe
File created	C:\Windows\SysWOW64\wysjyl.exe	wfmkcd.exe
File created	C:\Windows\SysWOW64\wtdey.exe	womgu.exe
File created	C:\Windows\SysWOW64\wpci.exe	wddiy.exe
File opened for modification	C:\Windows\SysWOW64\wpci.exe	wddiy.exe
File created	C:\Windows\SysWOW64\wsteft.exe	wouvv.exe
File opened for modification	C:\Windows\SysWOW64\wltbodiuy.exe	wsteft.exe
File created	C:\Windows\SysWOW64\wcpjci.exe	wkttgw.exe
File opened for modification	C:\Windows\SysWOW64\wpvrqnpx.exe	wljnhauu.exe
File opened for modification	C:\Windows\SysWOW64\wusmlsbjy.exe	wntilslv.exe
File created	C:\Windows\SysWOW64\wdpvrt.exe	waoojk.exe
File created	C:\Windows\SysWOW64\whr.exe	wdpvrt.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 13 IoCs

pid	pid_target	Process	procid_target
3672	4284	WerFault.exe	87
1296	4224	WerFault.exe	165
3220	4564	WerFault.exe	179
3224	4456	WerFault.exe	182
528	4456	WerFault.exe	182
3152	4372	WerFault.exe	233
2108	2520	WerFault.exe	253
4872	528	WerFault.exe	261
2292	3152	WerFault.exe	264
2340	2072	WerFault.exe	283
2560	4528	WerFault.exe	306
4288	3048	WerFault.exe	353
5080	1884	WerFault.exe	397

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4284 wrote to memory of 1624	4284	0bdf0999475e6c88c97212f21aa51c655b3be722c6f5e899b33c0f86ed685f26.exe	90
PID 4284 wrote to memory of 1624	4284	0bdf0999475e6c88c97212f21aa51c655b3be722c6f5e899b33c0f86ed685f26.exe	90
PID 4284 wrote to memory of 1624	4284	0bdf0999475e6c88c97212f21aa51c655b3be722c6f5e899b33c0f86ed685f26.exe	90
PID 4284 wrote to memory of 4528	4284	0bdf0999475e6c88c97212f21aa51c655b3be722c6f5e899b33c0f86ed685f26.exe	92
PID 4284 wrote to memory of 4528	4284	0bdf0999475e6c88c97212f21aa51c655b3be722c6f5e899b33c0f86ed685f26.exe	92
PID 4284 wrote to memory of 4528	4284	0bdf0999475e6c88c97212f21aa51c655b3be722c6f5e899b33c0f86ed685f26.exe	92
PID 1624 wrote to memory of 1092	1624	wjeiu.exe	99
PID 1624 wrote to memory of 1092	1624	wjeiu.exe	99
PID 1624 wrote to memory of 1092	1624	wjeiu.exe	99
PID 1624 wrote to memory of 1540	1624	wjeiu.exe	100
PID 1624 wrote to memory of 1540	1624	wjeiu.exe	100
PID 1624 wrote to memory of 1540	1624	wjeiu.exe	100
PID 1092 wrote to memory of 2560	1092	wiuxqxr.exe	102
PID 1092 wrote to memory of 2560	1092	wiuxqxr.exe	102
PID 1092 wrote to memory of 2560	1092	wiuxqxr.exe	102
PID 1092 wrote to memory of 2768	1092	wiuxqxr.exe	103
PID 1092 wrote to memory of 2768	1092	wiuxqxr.exe	103
PID 1092 wrote to memory of 2768	1092	wiuxqxr.exe	103
PID 2560 wrote to memory of 1440	2560	wikaco.exe	107
PID 2560 wrote to memory of 1440	2560	wikaco.exe	107
PID 2560 wrote to memory of 1440	2560	wikaco.exe	107
PID 2560 wrote to memory of 5032	2560	wikaco.exe	108
PID 2560 wrote to memory of 5032	2560	wikaco.exe	108
PID 2560 wrote to memory of 5032	2560	wikaco.exe	108
PID 1440 wrote to memory of 4320	1440	wumj.exe	110
PID 1440 wrote to memory of 4320	1440	wumj.exe	110
PID 1440 wrote to memory of 4320	1440	wumj.exe	110
PID 1440 wrote to memory of 5080	1440	wumj.exe	111
PID 1440 wrote to memory of 5080	1440	wumj.exe	111
PID 1440 wrote to memory of 5080	1440	wumj.exe	111
PID 4320 wrote to memory of 3212	4320	wntilslv.exe	115
PID 4320 wrote to memory of 3212	4320	wntilslv.exe	115
PID 4320 wrote to memory of 3212	4320	wntilslv.exe	115
PID 4320 wrote to memory of 4592	4320	wntilslv.exe	116
PID 4320 wrote to memory of 4592	4320	wntilslv.exe	116
PID 4320 wrote to memory of 4592	4320	wntilslv.exe	116
PID 3212 wrote to memory of 1508	3212	wusmlsbjy.exe	118
PID 3212 wrote to memory of 1508	3212	wusmlsbjy.exe	118
PID 3212 wrote to memory of 1508	3212	wusmlsbjy.exe	118
PID 3212 wrote to memory of 4528	3212	wusmlsbjy.exe	119
PID 3212 wrote to memory of 4528	3212	wusmlsbjy.exe	119
PID 3212 wrote to memory of 4528	3212	wusmlsbjy.exe	119
PID 1508 wrote to memory of 972	1508	wmoei.exe	121
PID 1508 wrote to memory of 972	1508	wmoei.exe	121
PID 1508 wrote to memory of 972	1508	wmoei.exe	121
PID 1508 wrote to memory of 4472	1508	wmoei.exe	122
PID 1508 wrote to memory of 4472	1508	wmoei.exe	122
PID 1508 wrote to memory of 4472	1508	wmoei.exe	122
PID 972 wrote to memory of 1912	972	wlfgt.exe	124
PID 972 wrote to memory of 1912	972	wlfgt.exe	124
PID 972 wrote to memory of 1912	972	wlfgt.exe	124
PID 972 wrote to memory of 1640	972	wlfgt.exe	125
PID 972 wrote to memory of 1640	972	wlfgt.exe	125
PID 972 wrote to memory of 1640	972	wlfgt.exe	125
PID 1912 wrote to memory of 1228	1912	wmvhgol.exe	127
PID 1912 wrote to memory of 1228	1912	wmvhgol.exe	127
PID 1912 wrote to memory of 1228	1912	wmvhgol.exe	127
PID 1912 wrote to memory of 4940	1912	wmvhgol.exe	128
PID 1912 wrote to memory of 4940	1912	wmvhgol.exe	128
PID 1912 wrote to memory of 4940	1912	wmvhgol.exe	128
PID 1228 wrote to memory of 2344	1228	wllir.exe	130
PID 1228 wrote to memory of 2344	1228	wllir.exe	130
PID 1228 wrote to memory of 2344	1228	wllir.exe	130
PID 1228 wrote to memory of 464	1228	wllir.exe	131

C:\Users\Admin\AppData\Local\Temp\0bdf0999475e6c88c97212f21aa51c655b3be722c6f5e899b33c0f86ed685f26.exe
"C:\Users\Admin\AppData\Local\Temp\0bdf0999475e6c88c97212f21aa51c655b3be722c6f5e899b33c0f86ed685f26.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4284
- C:\Windows\SysWOW64\wjeiu.exe
  "C:\Windows\system32\wjeiu.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1624
- - C:\Windows\SysWOW64\wiuxqxr.exe
    "C:\Windows\system32\wiuxqxr.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1092
  - - C:\Windows\SysWOW64\wikaco.exe
      "C:\Windows\system32\wikaco.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2560
    - - C:\Windows\SysWOW64\wumj.exe
        
        "C:\Windows\system32\wumj.exe"
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1440
      - C:\Windows\SysWOW64\wntilslv.exe
        
        "C:\Windows\system32\wntilslv.exe"
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4320
        
        C:\Windows\SysWOW64\wusmlsbjy.exe
        
        "C:\Windows\system32\wusmlsbjy.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3212
        
        C:\Windows\SysWOW64\wmoei.exe
        
        "C:\Windows\system32\wmoei.exe"
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1508
        
        C:\Windows\SysWOW64\wlfgt.exe
        
        "C:\Windows\system32\wlfgt.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:972
        
        C:\Windows\SysWOW64\wmvhgol.exe
        
        "C:\Windows\system32\wmvhgol.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1912
        
        C:\Windows\SysWOW64\wllir.exe
        
        "C:\Windows\system32\wllir.exe"
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1228
        
        C:\Windows\SysWOW64\wywspajf.exe
        
        "C:\Windows\system32\wywspajf.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2344
        
        C:\Windows\SysWOW64\wpgbgjpk.exe
        
        "C:\Windows\system32\wpgbgjpk.exe"
        13⤵
        Executes dropped EXE
        
        PID:740
        
        C:\Windows\SysWOW64\wpmska.exe
        
        "C:\Windows\system32\wpmska.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4572
        
        C:\Windows\SysWOW64\wcwd.exe
        
        "C:\Windows\system32\wcwd.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:872
        
        C:\Windows\SysWOW64\whwm.exe
        
        "C:\Windows\system32\whwm.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3948
        
        C:\Windows\SysWOW64\wplgod.exe
        
        "C:\Windows\system32\wplgod.exe"
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2900
        
        C:\Windows\SysWOW64\wqch.exe
        
        "C:\Windows\system32\wqch.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4996
        
        C:\Windows\SysWOW64\wmcxjnu.exe
        
        "C:\Windows\system32\wmcxjnu.exe"
        19⤵
        Executes dropped EXE
        
        PID:1840
        
        C:\Windows\SysWOW64\wxqfmk.exe
        
        "C:\Windows\system32\wxqfmk.exe"
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4836
        
        C:\Windows\SysWOW64\whxmakxj.exe
        
        "C:\Windows\system32\whxmakxj.exe"
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4456
        
        C:\Windows\SysWOW64\wghlye.exe
        
        "C:\Windows\system32\wghlye.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1480
        
        C:\Windows\SysWOW64\wwqsno.exe
        
        "C:\Windows\system32\wwqsno.exe"
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4224
        
        C:\Windows\SysWOW64\wabbwrq.exe
        
        "C:\Windows\system32\wabbwrq.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2348
        
        C:\Windows\SysWOW64\wvsgrriov.exe
        
        "C:\Windows\system32\wvsgrriov.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2824
        
        C:\Windows\SysWOW64\wwji.exe
        
        "C:\Windows\system32\wwji.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3772
        
        C:\Windows\SysWOW64\wvxjoa.exe
        
        "C:\Windows\system32\wvxjoa.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4564
        
        C:\Windows\SysWOW64\wwauht.exe
        
        "C:\Windows\system32\wwauht.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4456
        
        C:\Windows\SysWOW64\wgopbs.exe
        
        "C:\Windows\system32\wgopbs.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:768
        
        C:\Windows\SysWOW64\wxnb.exe
        
        "C:\Windows\system32\wxnb.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2552
        
        C:\Windows\SysWOW64\wxecdq.exe
        
        "C:\Windows\system32\wxecdq.exe"
        31⤵
        Executes dropped EXE
        
        PID:2532
        
        C:\Windows\SysWOW64\whljrpbd.exe
        
        "C:\Windows\system32\whljrpbd.exe"
        32⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5100
        
        C:\Windows\SysWOW64\wvhmhf.exe
        
        "C:\Windows\system32\wvhmhf.exe"
        33⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2328
        
        C:\Windows\SysWOW64\wslitea.exe
        
        "C:\Windows\system32\wslitea.exe"
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:972
        
        C:\Windows\SysWOW64\wgxrux.exe
        
        "C:\Windows\system32\wgxrux.exe"
        35⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2704
        
        C:\Windows\SysWOW64\wgxdm.exe
        
        "C:\Windows\system32\wgxdm.exe"
        36⤵
        Executes dropped EXE
        
        PID:1472
        
        C:\Windows\SysWOW64\wgd.exe
        
        "C:\Windows\system32\wgd.exe"
        37⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:64
        
        C:\Windows\SysWOW64\wdubm.exe
        
        "C:\Windows\system32\wdubm.exe"
        38⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:648
        
        C:\Windows\SysWOW64\wofl.exe
        
        "C:\Windows\system32\wofl.exe"
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4916
        
        C:\Windows\SysWOW64\wlkhyywab.exe
        
        "C:\Windows\system32\wlkhyywab.exe"
        40⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4836
        
        C:\Windows\SysWOW64\wsklya.exe
        
        "C:\Windows\system32\wsklya.exe"
        41⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1992
        
        C:\Windows\SysWOW64\wpbr.exe
        
        "C:\Windows\system32\wpbr.exe"
        42⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2424
        
        C:\Windows\SysWOW64\wclctt.exe
        
        "C:\Windows\system32\wclctt.exe"
        43⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4372
        
        C:\Windows\SysWOW64\wfmkcd.exe
        
        "C:\Windows\system32\wfmkcd.exe"
        44⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3224
        
        C:\Windows\SysWOW64\wysjyl.exe
        
        "C:\Windows\system32\wysjyl.exe"
        45⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4732
        
        C:\Windows\SysWOW64\wtjo.exe
        
        "C:\Windows\system32\wtjo.exe"
        46⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:64
        
        C:\Windows\SysWOW64\wtbpfc.exe
        
        "C:\Windows\system32\wtbpfc.exe"
        47⤵
        Executes dropped EXE
        
        PID:2800
        
        C:\Windows\SysWOW64\waoojk.exe
        
        "C:\Windows\system32\waoojk.exe"
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3244
        
        C:\Windows\SysWOW64\wdpvrt.exe
        
        "C:\Windows\system32\wdpvrt.exe"
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2520
        
        C:\Windows\SysWOW64\whr.exe
        
        "C:\Windows\system32\whr.exe"
        50⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5032
        
        C:\Windows\SysWOW64\wlgbfme.exe
        
        "C:\Windows\system32\wlgbfme.exe"
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:528
        
        C:\Windows\SysWOW64\wphknv.exe
        
        "C:\Windows\system32\wphknv.exe"
        52⤵
        Executes dropped EXE
        
        PID:3152
        
        C:\Windows\SysWOW64\wlwpivje.exe
        
        "C:\Windows\system32\wlwpivje.exe"
        53⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2264
        
        C:\Windows\SysWOW64\wphmyiy.exe
        
        "C:\Windows\system32\wphmyiy.exe"
        54⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4052
        
        C:\Windows\SysWOW64\wxrb.exe
        
        "C:\Windows\system32\wxrb.exe"
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1416
        
        C:\Windows\SysWOW64\wgsfh.exe
        
        "C:\Windows\system32\wgsfh.exe"
        56⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5016
        
        C:\Windows\SysWOW64\wghgtckn.exe
        
        "C:\Windows\system32\wghgtckn.exe"
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2072
        
        C:\Windows\SysWOW64\wljodltlg.exe
        
        "C:\Windows\system32\wljodltlg.exe"
        58⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1656
        
        C:\Windows\SysWOW64\wloghc.exe
        
        "C:\Windows\system32\wloghc.exe"
        59⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1692
        
        C:\Windows\SysWOW64\wpu.exe
        
        "C:\Windows\system32\wpu.exe"
        60⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4708
        
        C:\Windows\SysWOW64\wlhco.exe
        
        "C:\Windows\system32\wlhco.exe"
        61⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1652
        
        C:\Windows\SysWOW64\wljnhauu.exe
        
        "C:\Windows\system32\wljnhauu.exe"
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1432
        
        C:\Windows\SysWOW64\wpvrqnpx.exe
        
        "C:\Windows\system32\wpvrqnpx.exe"
        63⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4588
        
        C:\Windows\SysWOW64\womtcf.exe
        
        "C:\Windows\system32\womtcf.exe"
        64⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4528
        
        C:\Windows\SysWOW64\womgu.exe
        
        "C:\Windows\system32\womgu.exe"
        65⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3840
        
        C:\Windows\SysWOW64\wtdey.exe
        
        "C:\Windows\system32\wtdey.exe"
        66⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:804
        
        C:\Windows\SysWOW64\wddiy.exe
        
        "C:\Windows\system32\wddiy.exe"
        67⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2108
        
        C:\Windows\SysWOW64\wpci.exe
        
        "C:\Windows\system32\wpci.exe"
        68⤵
        Checks computer location settings
        
        PID:5032
        
        C:\Windows\SysWOW64\wgts.exe
        
        "C:\Windows\system32\wgts.exe"
        69⤵
        Checks computer location settings
        
        PID:3224
        
        C:\Windows\SysWOW64\wouvv.exe
        
        "C:\Windows\system32\wouvv.exe"
        70⤵
        Drops file in System32 directory
        
        PID:2904
        
        C:\Windows\SysWOW64\wsteft.exe
        
        "C:\Windows\system32\wsteft.exe"
        71⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4180
        
        C:\Windows\SysWOW64\wltbodiuy.exe
        
        "C:\Windows\system32\wltbodiuy.exe"
        72⤵
        Checks computer location settings
        
        PID:1924
        
        C:\Windows\SysWOW64\wsgqwfh.exe
        
        "C:\Windows\system32\wsgqwfh.exe"
        73⤵
        Checks computer location settings
        
        PID:3932
        
        C:\Windows\SysWOW64\wbgu.exe
        
        "C:\Windows\system32\wbgu.exe"
        74⤵
        Drops file in System32 directory
        
        PID:3396
        
        C:\Windows\SysWOW64\wwoxd.exe
        
        "C:\Windows\system32\wwoxd.exe"
        75⤵
        Checks computer location settings
        
        PID:1000
        
        C:\Windows\SysWOW64\wfesxjjfu.exe
        
        "C:\Windows\system32\wfesxjjfu.exe"
        76⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:3800
        
        C:\Windows\SysWOW64\woe.exe
        
        "C:\Windows\system32\woe.exe"
        77⤵
        Checks computer location settings
        
        PID:4104
        
        C:\Windows\SysWOW64\wwplhlwu.exe
        
        "C:\Windows\system32\wwplhlwu.exe"
        78⤵
        Drops file in System32 directory
        
        PID:4132
        
        C:\Windows\SysWOW64\wnuj.exe
        
        "C:\Windows\system32\wnuj.exe"
        79⤵
        Checks computer location settings
        
        PID:3048
        
        C:\Windows\SysWOW64\wjfok.exe
        
        "C:\Windows\system32\wjfok.exe"
        80⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:3208
        
        C:\Windows\SysWOW64\wwfocod.exe
        
        "C:\Windows\system32\wwfocod.exe"
        81⤵
        Checks computer location settings
        
        PID:872
        
        C:\Windows\SysWOW64\wjoacg.exe
        
        "C:\Windows\system32\wjoacg.exe"
        82⤵
        Checks computer location settings
        
        PID:3772
        
        C:\Windows\SysWOW64\wmfweq.exe
        
        "C:\Windows\system32\wmfweq.exe"
        83⤵
        Checks computer location settings
        
        PID:620
        
        C:\Windows\SysWOW64\wovyphbp.exe
        
        "C:\Windows\system32\wovyphbp.exe"
        84⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\wowkjai.exe
        
        "C:\Windows\system32\wowkjai.exe"
        85⤵
        Drops file in System32 directory
        
        PID:2108
        
        C:\Windows\SysWOW64\wvwokbxn.exe
        
        "C:\Windows\system32\wvwokbxn.exe"
        86⤵
        
        PID:3368
        
        C:\Windows\SysWOW64\whsviy.exe
        
        "C:\Windows\system32\whsviy.exe"
        87⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\wtfghsmb.exe
        
        "C:\Windows\system32\wtfghsmb.exe"
        88⤵
        Checks computer location settings
        
        PID:4692
        
        C:\Windows\SysWOW64\wctbcr.exe
        
        "C:\Windows\system32\wctbcr.exe"
        89⤵
        Drops file in System32 directory
        
        PID:3256
        
        C:\Windows\SysWOW64\wpdma.exe
        
        "C:\Windows\system32\wpdma.exe"
        90⤵
        Checks computer location settings
        
        PID:3140
        
        C:\Windows\SysWOW64\wtukdur.exe
        
        "C:\Windows\system32\wtukdur.exe"
        91⤵
        Drops file in System32 directory
        
        PID:2940
        
        C:\Windows\SysWOW64\wctpd.exe
        
        "C:\Windows\system32\wctpd.exe"
        92⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:1484
        
        C:\Windows\SysWOW64\wkttgw.exe
        
        "C:\Windows\system32\wkttgw.exe"
        93⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:1884
        
        C:\Windows\SysWOW64\wcpjci.exe
        
        "C:\Windows\system32\wcpjci.exe"
        94⤵
        
        PID:336
        
        C:\Windows\SysWOW64\wcylb.exe
        
        "C:\Windows\system32\wcylb.exe"
        95⤵
        Checks computer location settings
        
        PID:4708
        
        C:\Windows\SysWOW64\wvppt.exe
        
        "C:\Windows\system32\wvppt.exe"
        96⤵
        Checks computer location settings
        
        PID:3768
        
        C:\Windows\SysWOW64\wkpq.exe
        
        "C:\Windows\system32\wkpq.exe"
        97⤵
        Drops file in System32 directory
        
        PID:3368
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvppt.exe"
        97⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcylb.exe"
        96⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcpjci.exe"
        95⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkttgw.exe"
        94⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1884 -s 1636
        94⤵
        Program crash
        
        PID:5080
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wctpd.exe"
        93⤵
        
        PID:3840
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtukdur.exe"
        92⤵
        
        PID:872
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpdma.exe"
        91⤵
        
        PID:224
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wctbcr.exe"
        90⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtfghsmb.exe"
        89⤵
        
        PID:3740
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whsviy.exe"
        88⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvwokbxn.exe"
        87⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wowkjai.exe"
        86⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wovyphbp.exe"
        85⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmfweq.exe"
        84⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjoacg.exe"
        83⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwfocod.exe"
        82⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjfok.exe"
        81⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnuj.exe"
        80⤵
        
        PID:3256
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3048 -s 1340
        80⤵
        Program crash
        
        PID:4288
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwplhlwu.exe"
        79⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woe.exe"
        78⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfesxjjfu.exe"
        77⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwoxd.exe"
        76⤵
        
        PID:4176
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbgu.exe"
        75⤵
        
        PID:4328
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsgqwfh.exe"
        74⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wltbodiuy.exe"
        73⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsteft.exe"
        72⤵
        
        PID:4136
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wouvv.exe"
        71⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgts.exe"
        70⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpci.exe"
        69⤵
        
        PID:1080
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wddiy.exe"
        68⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtdey.exe"
        67⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\womgu.exe"
        66⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\womtcf.exe"
        65⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4528 -s 1640
        65⤵
        Program crash
        
        PID:2560
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpvrqnpx.exe"
        64⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wljnhauu.exe"
        63⤵
        
        PID:800
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlhco.exe"
        62⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpu.exe"
        61⤵
        
        PID:3584
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wloghc.exe"
        60⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wljodltlg.exe"
        59⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wghgtckn.exe"
        58⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2072 -s 1536
        58⤵
        Program crash
        
        PID:2340
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgsfh.exe"
        57⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxrb.exe"
        56⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wphmyiy.exe"
        55⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlwpivje.exe"
        54⤵
        
        PID:3536
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wphknv.exe"
        53⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3152 -s 1364
        53⤵
        Program crash
        
        PID:2292
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlgbfme.exe"
        52⤵
        
        PID:904
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 528 -s 1672
        52⤵
        Program crash
        
        PID:4872
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whr.exe"
        51⤵
        
        PID:4328
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdpvrt.exe"
        50⤵
        
        PID:872
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2520 -s 1448
        50⤵
        Program crash
        
        PID:2108
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\waoojk.exe"
        49⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtbpfc.exe"
        48⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtjo.exe"
        47⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wysjyl.exe"
        46⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfmkcd.exe"
        45⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wclctt.exe"
        44⤵
        
        PID:460
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4372 -s 1444
        44⤵
        Program crash
        
        PID:3152
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpbr.exe"
        43⤵
        
        PID:380
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsklya.exe"
        42⤵
        
        PID:3232
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlkhyywab.exe"
        41⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wofl.exe"
        40⤵
        
        PID:3256
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdubm.exe"
        39⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgd.exe"
        38⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgxdm.exe"
        37⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgxrux.exe"
        36⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wslitea.exe"
        35⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvhmhf.exe"
        34⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whljrpbd.exe"
        33⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxecdq.exe"
        32⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxnb.exe"
        31⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgopbs.exe"
        30⤵
        
        PID:4224
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwauht.exe"
        29⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4456 -s 1536
        29⤵
        Program crash
        
        PID:3224
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4456 -s 1476
        29⤵
        Program crash
        
        PID:528
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvxjoa.exe"
        28⤵
        
        PID:320
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 1536
        28⤵
        Program crash
        
        PID:3220
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwji.exe"
        27⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvsgrriov.exe"
        26⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wabbwrq.exe"
        25⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwqsno.exe"
        24⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4224 -s 1680
        24⤵
        Program crash
        
        PID:1296
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wghlye.exe"
        23⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whxmakxj.exe"
        22⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxqfmk.exe"
        21⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmcxjnu.exe"
        20⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqch.exe"
        19⤵
        
        PID:3284
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wplgod.exe"
        18⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whwm.exe"
        17⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcwd.exe"
        16⤵
        
        PID:1160
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpmska.exe"
        15⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpgbgjpk.exe"
        14⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wywspajf.exe"
        13⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wllir.exe"
        12⤵
        
        PID:464
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmvhgol.exe"
        11⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlfgt.exe"
        10⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmoei.exe"
        9⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wusmlsbjy.exe"
        8⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wntilslv.exe"
        7⤵
        
        PID:4592
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wumj.exe"
        6⤵
        
        PID:5080
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wikaco.exe"
        5⤵
        
        PID:5032
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wiuxqxr.exe"
      4⤵
      PID:2768
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjeiu.exe"
    3⤵
    PID:1540
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\0bdf0999475e6c88c97212f21aa51c655b3be722c6f5e899b33c0f86ed685f26.exe"
  2⤵
  PID:4528
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4284 -s 1676
  2⤵
  - Program crash
  PID:3672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4284 -ip 4284
1⤵
PID:4424

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3804,i,1999448010053300448,1112699187621658374,262144 --variations-seed-version --mojo-platform-channel-handle=4000 /prefetch:8
1⤵
PID:1660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4224 -ip 4224
1⤵
PID:3012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4564 -ip 4564
1⤵
PID:1892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4456 -ip 4456
1⤵
PID:4604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4456 -ip 4456
1⤵
PID:2240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4372 -ip 4372
1⤵
PID:1068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2520 -ip 2520
1⤵
PID:3144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 528 -ip 528
1⤵
PID:5060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3152 -ip 3152
1⤵
PID:4724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2072 -ip 2072
1⤵
PID:3940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4528 -ip 4528
1⤵
PID:2760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3048 -ip 3048
1⤵
PID:3316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1884 -ip 1884
1⤵
PID:4592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\YOJF4VYG\install[2].htm

Filesize
7KB

MD5
9463ba07743e8a9aca3b55373121b7c5

SHA1
4fdd121b2d2afd98881ab4cdb2d2a513ff5bb26f

SHA256
d5319a00eb7542e02c1e76cb20e2073c0411cd918e32094bc66f9147a0bfae6d

SHA512
6a1a97f37a5e607a3dc7f5fae343911a7f75d371a34ec27deb2971ee47388891f001d80959d37609d1c909af1674b4962da739e8a2cfce07e3d2ce6abf0c6ad7

Download Submit
C:\Windows\SysWOW64\wabbwrq.exe

Filesize
24KB

MD5
312cf8aa1eb719d2688e3ed71e1c2424

SHA1
f42a19987f1e691192cc7dfc966fabb37771b532

SHA256
e85e0e7c54e2cac17d319f822260507d1d6705f74348860ba5018cd680177a3f

SHA512
5bf365cf40a881270f532ebd502632383465447079850f6073d95013968e0d6af0f6a639d1c407266ee7b476860a99ee79bfcc73182f07ca30b8a8efbcdc5f5f

Download Submit
C:\Windows\SysWOW64\wcwd.exe

Filesize
24KB

MD5
c4f10b4bbf7885966220d2a54eac1d9d

SHA1
7738dd9f6974b06dba6030f04a2ef5818d72dcc1

SHA256
bca0173b41c565942eed89c2b59f20577173aed217b0fd75c6be6a11c720dd5e

SHA512
bbdd7decdac01a1302702313d178dd3f0ba0678cf3ae8e8676a678a90ae0b4ef113561fcd51ebd57c7a4027eb82ff36f5c01280f99c27f5e4579ae8376a442c1

Download Submit
C:\Windows\SysWOW64\wghlye.exe

Filesize
24KB

MD5
07278415de8fd4151386445b9d30388b

SHA1
97176b874356149f6ddba772f4ae4882d4840bf4

SHA256
dbae0b6e12805406da88e69e29416d0fe82db81c849252a0d72235498ad047be

SHA512
33a2a397b283397f882439c3257d042d839ca8733c30b3f804e1b8f37dd2004b3076e9adef7a7771ce13408dd6a52fa1e28a711d24419a41b6424d15c75c4251

Download Submit
C:\Windows\SysWOW64\wgopbs.exe

Filesize
24KB

MD5
a4a3eb395ddb82d91d0418b1e037ab8d

SHA1
6d834241b6dcc809c1b237486b58c5007c2efa50

SHA256
c626d519150dbaf745adc5c276f8627649b17163e9729df9e28feea0ea1e5473

SHA512
229767781e658d32ac059ba0c4efcfafe3cc7fa52cda8329ef2c25cc40e09a119dec563a6a36e33ba9efbfce4e025b0c386cfca040890477790713f8792ae4e5

Download Submit
C:\Windows\SysWOW64\whljrpbd.exe

Filesize
24KB

MD5
4af3cbba9cd19ae12ca344481f1eb776

SHA1
2f063b30c16c45635bd8b9405b3348325b3e20e9

SHA256
8c906c2bf32d745915d95deab45cda81391f6fe98f261429f74dae39e035bf20

SHA512
1b1404933b90b8e5f77dc8e4446579ea774edea1f7cb34031595075c38782ac08fc49ff15bac286c18e35a472a19dea888ebe0803f0400a73914b74aaad20390

Download Submit
C:\Windows\SysWOW64\whwm.exe

Filesize
24KB

MD5
bacfc80c8667a8ebf7c444109e0e8604

SHA1
593248b0524368dd66d47671b2f0bce88e1fd7db

SHA256
11130df8b3a9977a73841d99319edf1aff73daad63ade990674ae9e77b3123e9

SHA512
b7d2d166994ff78dff8b402a1852e3ef75fd50bffd9252092399b8b3226a5fdb30a1e638e86c63fccff43278ab5857fe34d0fc7301f7e0845c1005eb61ed13b2

Download Submit
C:\Windows\SysWOW64\whxmakxj.exe

Filesize
24KB

MD5
d921e5ecc68a1b8c9cd4defa400e9ef2

SHA1
29454e6a6545bd91a87e6c0a40045473fdf4711b

SHA256
5dd9f9138e74f51bb9a24880cd26bd52244a058eb5bdb6d1d1b7d698025d9e21

SHA512
2cc6e36ed4d525b65d489b4b8f7ee22414f05be962b0fc3e9aefacb53d644e3875129e076f2d5a5888636a6cf7ab10890f21a8682764e58349f1718fbad4adc4

Download Submit
C:\Windows\SysWOW64\wikaco.exe

Filesize
24KB

MD5
cf12d2a09ebad389ac4e31915ae01218

SHA1
e1e4baa536fd21eb8f0fc61319c2e23c94b1a4c0

SHA256
6407f4a1c0ee4ca75dc7d28b9222bec27fe5b48931452ba600f6e38913a854b7

SHA512
f678671e37f777d539648aa9a26633833e32f6345e5faebd21c869780c42d388c90cd015f22345a5ba44231f3fedcf14b4face1b7a0c8ef881a5c1a6fa0051a2

Download Submit
C:\Windows\SysWOW64\wiuxqxr.exe

Filesize
24KB

MD5
a4013baaf1ea47cd13f914f5a59b46bc

SHA1
a0407d41b38b397ebc0df25fadfba35a2617df2e

SHA256
a5922ff4e123b69692f2653275a1a0288f250319b843a2c472cb916e0208ef3b

SHA512
dd505f96e87bd8330313e2a0890a860bf86494e01e8360b86b4c2c68d0fba36989235b8a03775780d9544e3c42b71798663ca1ff13183cb5cde7c6dec780f5bf

Download Submit
C:\Windows\SysWOW64\wjeiu.exe

Filesize
24KB

MD5
559bc1968d9918b252fa9de8ea1bd042

SHA1
44b3b422b81a334666872be76446984d37a63529

SHA256
4927a984b9d00fe450861e97ea37a96297f8746e44e8d4c3b65dd12cde7005a0

SHA512
c8c299236866022cd5fa037728eef0d579a93a40d476ff3e3f6e9a04143f6b387488ee5e7b99d039b4ff86eacd4e88d532135e7009b43550b78ac8fa5ce2010a

Download Submit
C:\Windows\SysWOW64\wlfgt.exe

Filesize
24KB

MD5
4d56bfa6d53cb6db7204693e073bbab5

SHA1
33820952996090752c0915f06cec1dce43866ba1

SHA256
f3eefd5a9feb4334fdd5b1ab49c468113ad1974d9401657b86679e8bc460010f

SHA512
34428aa1d8ae0469101ce8840ea3bce96921c25ac865ffe6124faa1ecb75929560694cf608649c2f7f988eee5e62b9f57ead3fb369d567564fc9f6b6866f176a

Download Submit
C:\Windows\SysWOW64\wllir.exe

Filesize
24KB

MD5
04bdcb0d1e7b0918e0f9531b23dead68

SHA1
fe0f6b5b24e54e7ec645797e83499a8933b8fb28

SHA256
5be623b84b28389fc5ea6dd20528b05fa60bdc15e2c29bf93de4ef7b55046fc3

SHA512
1ec87a16217bb74c641c03edba8b3e52ea4f480085efa098bb4da62d9bf598d503730093f351c66d583eb5399fe1156e32d92ea3865938e450fd4cf471782f23

Download Submit
C:\Windows\SysWOW64\wmcxjnu.exe

Filesize
24KB

MD5
0f117debd4b3c1311b66a30210ac2c68

SHA1
5f0c9bc4ac533e2afcaab8a5ab2fbbf85fee2fa0

SHA256
383693cd7df67c69fbb4a6b0ac9fc9b7bdc1f3becf7b9d340416f5d84e3df416

SHA512
47770cab3a7ba15160995ad0b73f9484641bbfdb2c9fa85881e49acff4e0d751b46804deb0fa85e4613cb0861141cc7187537f2b3486ad271290d21dd65fb037

Download Submit
C:\Windows\SysWOW64\wmoei.exe

Filesize
24KB

MD5
a4d1f2ebcfcc2051592d87e7676979c9

SHA1
d540db6a0637f48b0ba6e5ab9434a390c76192f4

SHA256
be86e92b649452aa6f89874470b3a33a845d078531de4ec13ec82f37652fe08c

SHA512
f2fb5a0ae0e3faf02ce07e6aa63998b1bfc285388fed9b9c2483b9061c35af3794590d906185e1c4c48d37552ab701b1c1baf0169daa83a800389f05eecb291b

Download Submit
C:\Windows\SysWOW64\wmvhgol.exe

Filesize
24KB

MD5
2a8d6b67affe360b71a46aa4f8450c01

SHA1
d5ccd41d37bb3d9fcf982e6d4fefa0f4c3a8f477

SHA256
69a23c266b40abea9fe2c7142107812f41037e8d9100db19d103344c6c4a4989

SHA512
9ca18907339a8c84547736dde46f9cac7f3c9135666797e11dfcea037d71fe79798b74d72d139e6b042ddc8635b03f127001413782d66bd1d8dc8e4d4d2b1acf

Download Submit
C:\Windows\SysWOW64\wntilslv.exe

Filesize
24KB

MD5
95d78ea588403e6f28e89f2f72a82778

SHA1
7da54c56870da75725d6ccb1c97dba4e3024bfed

SHA256
99df17754ad8f93502f9e13cdf2e6dc19d3f85aedb67e94f76d9370420da9d9d

SHA512
ed8c24513734a422f4e2b8e494247e232334920449e4e8a65090758a611d3ec9c86160deaf3fcb29d704f56f09a5a0378d84aa537a2311bb3d4649c6030b7581

Download Submit
C:\Windows\SysWOW64\wpgbgjpk.exe

Filesize
24KB

MD5
988743172f97542f8ad8bd576d8ea49a

SHA1
084dbe7cd460a1e303807bc3b04e6bc7c1498a98

SHA256
b19ef66b606dff66bd7ad465fc0f8857729215c6d195d8b7624f6ba12d362a9c

SHA512
fbd5109e9532981ba8f24c1bbe6e38236f4bcb904aba307e08596dd2ddb5e46aef822caa7895c5f7ae493c7e8dfd9f831b03590de33727a8b5d7024dcf70399a

Download Submit
C:\Windows\SysWOW64\wplgod.exe

Filesize
24KB

MD5
7d568f8c33e308ba937eb167bfde36cc

SHA1
c17a9d7ecb42d53ac92e9875d19e36c8994844ea

SHA256
8e99b5a327d8e02844eccf2c7d9a0cae83472719f9eaf35cc9457ae618dd727b

SHA512
41e41b52fa374ce92314fa95116a13d5c0b66a9fe9cc4e3390b1c941b5c409074b1060fba498decb890da3143e5ba12cb2ac0aa63fd2a2c887ff0728c1b0c973

Download Submit
C:\Windows\SysWOW64\wpmska.exe

Filesize
24KB

MD5
8749c93f3e49afb161e93e9d275e1af7

SHA1
ba18b415bd21ba13d8ce9c74c5a72b2f951ad41d

SHA256
93bd716c94fe9d15a6006519713536fd86905d2bcb1b7767f493d57e2c825733

SHA512
2717796cb7f16777f37e37c73518565d1123e63db327084d88fb84908c251b1d066600e672b886fdf096effad676549f960f00aa1e72b328abcf9373e84a99f6

Download Submit
C:\Windows\SysWOW64\wqch.exe

Filesize
24KB

MD5
61ac3ecfdaae07df1b29d149f8e690d5

SHA1
dfb2a0b84355daddd405a14aefbe7353972d6334

SHA256
f472eb9eb9a31daf460f097d9a49451956077a6894f8c71c3dc30424a3724718

SHA512
acc81c040eda31141cd90a1b866adeb88334e6220830a1ce8213b1e82cc1dcef726f36b4b5724258460b9207f54e281b22db5e7855f26cfd1f5f623bcbe5e047

Download Submit
C:\Windows\SysWOW64\wumj.exe

Filesize
24KB

MD5
98c7e9f51e376a67aba53bf2b69ee9b6

SHA1
8d5231c00e21f7f534fee26a397b2a18b5fb4cb7

SHA256
355ffd5e7a7c8e902ce9501ecac48d64f72726f09e8a108e52fa4b90c0b897f6

SHA512
b35cd2c64b0612fe134732fad8e6d678ba98b9f07f161aa116017cd487c3ff94020fd1a141f8af8609ce56925d75e5c28f21ce89efeb53b799ccccc4c50427c5

Download Submit
C:\Windows\SysWOW64\wusmlsbjy.exe

Filesize
24KB

MD5
8314f3995653c517d53b700f90ac87cc

SHA1
d2f127829f71d8555d487a55c74fea519555b12d

SHA256
a848b82459e97f123699d0141b1437697edb5298e6e161af7fa9b59ccaeb723e

SHA512
db3ebf1e5f74f40d88284616ee632b1cb211b5b34ac2b96cef14eb79cb1bbe5d066a89402817cb47bda29df5b7ca9bbb7ca04a32694fafffb6090720922f91ce

Download Submit
C:\Windows\SysWOW64\wvhmhf.exe

Filesize
24KB

MD5
3bfb0a77ba0843a44b00f41229f59b67

SHA1
6ece7e3adb40031aefcbdb7b42f062e9494660c7

SHA256
0b6a853bc5072a62cdc393963bc48d5eea6bc036eb81567fa33c891fa9d342a1

SHA512
2532c3de7930ae709dacade50e2acc623838545823b44a2da0bdd1667ae3a465842ad669ee3b7d8bb17bc3644e9ccd7eb07a45068616429788dd23c084d2731b

Download Submit
C:\Windows\SysWOW64\wvsgrriov.exe

Filesize
24KB

MD5
cbbfc5142b0d7e2cd3d702f1c49366e6

SHA1
b30e9af839f79c20ea42d72c8026bfe1d5ba79f9

SHA256
f9ec4e24aa80b658b8a1a35bae9b3023386afc877530f2ed14df61b826f9ee06

SHA512
3fc1c06fc33b55c7a46f5600295e22d597bed35fc9c8cedaf4ddfa7e0a6f33d680fe992785ad3063df86f9583c87cecc069ab71fbd6de1201cb9bb60fb04c663

Download Submit
C:\Windows\SysWOW64\wvxjoa.exe

Filesize
24KB

MD5
8c6ba1e51a43c45948a6509f623bd0cb

SHA1
0144fbe27a515ef99b1a2c0f7282dadd22bb5b57

SHA256
b0284c7c22a42fe6e9f0e7446eef37ae94a2fb0e2fface923edae2a2afd9d1f1

SHA512
297d03cc069816a3b889a6d86bf57d7f839867e5f079ed3eacc277093a8609958ddcf9d7d48dfd18bd8dc95a3b6510a770818f148cfc8b05d90449a10045a401

Download Submit
C:\Windows\SysWOW64\wwauht.exe

Filesize
24KB

MD5
c9bc097720d56f6f9ff318c166402574

SHA1
17a53163b266295b218c70d87f1a8a9d60e45033

SHA256
67463fa582b0981fff01c497fe785320de78f58dee24ca424e1dc41297727997

SHA512
c447e79282bfff59a63e9ddede89197a02a2164c16d580ffc35da2840e5e0d9c662adf50f106b8078ee344b18d9e74e2a41ffa3d60b9dae523b4d3ceaf6db4a3

Download Submit
C:\Windows\SysWOW64\wwji.exe

Filesize
24KB

MD5
e596b7f6ff0fee8a8d6c3d2458ed350b

SHA1
f756d1410ae6318033419fa896ffaa35e09f057d

SHA256
5895cb54a834ba7c180c1b64e8e65122059e86b6a77e5e939bc8b59e2694f41b

SHA512
343a0209c493a0b2bb99c78e9cdc8c88b835fe2dff11ccf18f327dc7c0a3a2d507a8971783e21ced84dc52f9841c9a77375f21c078b65e40d81d64749c8de8a0

Download Submit
C:\Windows\SysWOW64\wwqsno.exe

Filesize
24KB

MD5
3e35012f27374d290da1cff301068f69

SHA1
807bbcd06e3b38f172553dbc69bab661ee134e24

SHA256
e5b60befe2b6af438d0d78f982060e4709a605b3d226333f2a323d2486fa4cea

SHA512
35423e834cada1cd08594d83800a7a6109ba77501b7afa66cb6a3067388fd7ee9cb980cc0dcbbc10858d1e6d16801ba58de4b038f4e144ad8f7725825cc7d2cd

Download Submit
C:\Windows\SysWOW64\wxecdq.exe

Filesize
24KB

MD5
ec2bd5a071349a4640ea06881eb63400

SHA1
f6435382a4a90aa9fdbb5d630be503c51b5ae13c

SHA256
44d7e736786f3572cfd7dca121717ecbc7ea9d12088e2fcb769a48c0e7f5471c

SHA512
59a764e35070f4545f48442e0ea1ba2d456671b3afd4026c1e2c1fd0319b9ab3417417772a8c1b19de8ba98bd896422430382932c92b6caec405d6349946bed5

Download Submit
C:\Windows\SysWOW64\wxnb.exe

Filesize
24KB

MD5
3009c79e20937137055cfa669bd36f3e

SHA1
e43628cc9c5ffd256bfb8600c34a7a00159f62ba

SHA256
433eec8c86210a9aa66eb34c5bc16a3eff2bb47d5ebaaef5f0ba732009806c63

SHA512
0e43a9314b95dbd58f43e8687cfe1ae354c8046ec43aa1d4aea3feadbfc5dd303a16386fd68b731213255ba6b86a63b447eed031405de9ef5446b515700200ce

Download Submit
C:\Windows\SysWOW64\wxqfmk.exe

Filesize
24KB

MD5
c08bffbcbff20b2a9b79482033fafc69

SHA1
ebe4cfc46724eb1350c2a2ea187af617800b2f63

SHA256
d5fe0953b080b1d0b4a8f5e104d803c5f111827a8d79b369a6d9d41086722b48

SHA512
34decdd9799feb17f6aae079294616e276c310bedea334a9e7bba23cc8792b41b1ed60d8d9dae3127bc6793c649aa9fa716a74e824fde7e3965079360b6f3db5

Download Submit
C:\Windows\SysWOW64\wywspajf.exe

Filesize
24KB

MD5
4dc0735d2d647d69f8dd8dfc72f67dbf

SHA1
11775019f1e5843bc891f7033e09222d43edbb17

SHA256
46f46c5c4000c5eff05001d09ab633d7703ea273121969044c1dda05d75aabf3

SHA512
38cda1e16cf0d2f14f0947ac688962a4915d1629cc21d287cf14bc3e8b02f4902675b1b1c593340e96af8b9e9c951eab7e0dfb41a73167a17cad185a77d7a1aa

Download Submit
memory/64-397-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/64-406-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/64-489-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/528-533-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/648-415-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/740-148-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/740-134-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/768-314-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/768-325-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/804-662-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/804-672-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/872-171-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/872-158-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/972-380-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/972-101-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/972-88-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/972-368-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1000-758-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1092-33-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1228-111-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1228-124-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1416-571-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1416-560-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1432-636-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1440-55-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1472-388-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1472-398-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1480-249-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1508-76-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1508-90-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1624-20-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1652-627-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1652-615-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1656-598-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1692-597-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1692-607-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1840-216-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1840-203-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1912-112-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1924-731-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1924-721-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1992-432-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1992-444-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2072-579-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2072-589-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2108-682-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2264-552-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2328-370-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2344-136-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2344-122-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2348-271-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2348-260-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2424-442-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2424-453-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2520-515-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2532-349-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2552-336-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2552-324-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2560-44-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2560-31-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2704-389-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2704-378-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2800-498-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2824-283-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2900-193-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2900-181-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2904-711-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3152-532-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3152-542-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3212-78-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3224-471-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3224-701-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3224-461-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3224-690-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3244-506-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3396-749-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3772-281-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3772-294-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3800-768-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3840-663-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3932-740-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3932-729-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3948-183-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4052-561-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4052-550-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4104-778-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4104-766-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4132-777-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4180-720-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4180-709-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4224-250-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4224-261-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4284-0-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4284-10-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4320-66-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4372-462-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4456-238-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4528-644-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4528-654-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4564-304-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4572-160-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4572-146-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4588-646-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4708-617-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4732-470-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4732-480-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4836-227-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4836-434-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4916-424-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4996-205-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/5016-581-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/5016-569-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/5032-524-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/5032-680-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/5032-514-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/5032-692-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/5100-347-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/5100-360-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download