9e61f86a378552b9a27b543568b5629220bd19c355480e71d33be2643031162a

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07/09/2024, 19:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d6be7e447b67246bfa7ba01c46215db0N.exe
Size

94KB
MD5

d6be7e447b67246bfa7ba01c46215db0
SHA1

324a86adfd230b788a3ff83744b4d88e243b2c0b
SHA256

9e61f86a378552b9a27b543568b5629220bd19c355480e71d33be2643031162a
SHA512

9b3337c4074e2537f1ef1728d6d92ccf6b019e7066d3be8db538d96e4b856f0df87b0d4f93265c2e23684a50ad1112d1ecc35bbb0fbeb5bab47f32c0558295ed
SSDEEP

1536:BYUb5NE3yZIp+6HO5J4ggpMFSvIKEu0dX4j2dAck9:BYUb5QoJ4g+FXb

Score

7^/10

defense_evasion discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2596	cmd.exe

Executes dropped EXE 32 IoCs

pid	Process
2980	wycko.exe
2540	wwvceps.exe
1080	wafev.exe
1252	waqf.exe
1980	wsmkspvvq.exe
2928	wnlwpkc.exe
1548	wri.exe
992	wuaabxo.exe
400	wakt.exe
2812	wplitknt.exe
2028	wstjgrfq.exe
1704	wbyixpdx.exe
1920	wkfxxi.exe
2128	wxytru.exe
408	wuhnum.exe
2688	wwxqledx.exe
2096	wglein.exe
1052	waqvgp.exe
2568	wjnjhr.exe
2012	wcnivq.exe
2016	whrqbnev.exe
1996	wcutagnd.exe
2848	wqafrpqf.exe
2532	wri.exe
1404	wlefp.exe
2836	wngsmf.exe
2932	wcwvulise.exe
2972	whirgimu.exe
2540	wtb.exe
2312	wlxlrrdxj.exe
2156	wniej.exe
3028	wufmqlswo.exe

Loads dropped DLL 64 IoCs

pid	Process
2408	d6be7e447b67246bfa7ba01c46215db0N.exe
2408	d6be7e447b67246bfa7ba01c46215db0N.exe
2408	d6be7e447b67246bfa7ba01c46215db0N.exe
2408	d6be7e447b67246bfa7ba01c46215db0N.exe
2980	wycko.exe
2980	wycko.exe
2980	wycko.exe
2980	wycko.exe
2540	wwvceps.exe
2540	wwvceps.exe
2540	wwvceps.exe
2540	wwvceps.exe
1080	wafev.exe
1080	wafev.exe
1080	wafev.exe
1080	wafev.exe
1252	waqf.exe
1252	waqf.exe
1252	waqf.exe
1252	waqf.exe
1980	wsmkspvvq.exe
1980	wsmkspvvq.exe
1980	wsmkspvvq.exe
1980	wsmkspvvq.exe
2928	wnlwpkc.exe
2928	wnlwpkc.exe
2928	wnlwpkc.exe
2928	wnlwpkc.exe
1548	wri.exe
1548	wri.exe
1548	wri.exe
1548	wri.exe
992	wuaabxo.exe
992	wuaabxo.exe
992	wuaabxo.exe
992	wuaabxo.exe
400	wakt.exe
400	wakt.exe
400	wakt.exe
400	wakt.exe
2812	wplitknt.exe
2812	wplitknt.exe
2812	wplitknt.exe
2812	wplitknt.exe
2028	wstjgrfq.exe
2028	wstjgrfq.exe
2028	wstjgrfq.exe
2028	wstjgrfq.exe
1704	wbyixpdx.exe
1704	wbyixpdx.exe
1704	wbyixpdx.exe
1704	wbyixpdx.exe
1920	wkfxxi.exe
1920	wkfxxi.exe
1920	wkfxxi.exe
1920	wkfxxi.exe
2128	wxytru.exe
2128	wxytru.exe
2128	wxytru.exe
2128	wxytru.exe
408	wuhnum.exe
408	wuhnum.exe
408	wuhnum.exe
408	wuhnum.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\wuhnum.exe	wxytru.exe
File created	C:\Windows\SysWOW64\whrqbnev.exe	wcnivq.exe
File opened for modification	C:\Windows\SysWOW64\whirgimu.exe	wcwvulise.exe
File created	C:\Windows\SysWOW64\watdv.exe	wufmqlswo.exe
File opened for modification	C:\Windows\SysWOW64\wafev.exe	wwvceps.exe
File created	C:\Windows\SysWOW64\wnlwpkc.exe	wsmkspvvq.exe
File created	C:\Windows\SysWOW64\wri.exe	wnlwpkc.exe
File opened for modification	C:\Windows\SysWOW64\wjnjhr.exe	waqvgp.exe
File created	C:\Windows\SysWOW64\wlefp.exe	wri.exe
File created	C:\Windows\SysWOW64\wycko.exe	d6be7e447b67246bfa7ba01c46215db0N.exe
File created	C:\Windows\SysWOW64\wniej.exe	wlxlrrdxj.exe
File created	C:\Windows\SysWOW64\wakt.exe	wuaabxo.exe
File created	C:\Windows\SysWOW64\waqvgp.exe	wglein.exe
File opened for modification	C:\Windows\SysWOW64\wqafrpqf.exe	wcutagnd.exe
File created	C:\Windows\SysWOW64\wcwvulise.exe	wngsmf.exe
File opened for modification	C:\Windows\SysWOW64\wcwvulise.exe	wngsmf.exe
File created	C:\Windows\SysWOW64\wtb.exe	whirgimu.exe
File created	C:\Windows\SysWOW64\waqf.exe	wafev.exe
File opened for modification	C:\Windows\SysWOW64\waqf.exe	wafev.exe
File created	C:\Windows\SysWOW64\wcnivq.exe	wjnjhr.exe
File created	C:\Windows\SysWOW64\wlxlrrdxj.exe	wtb.exe
File created	C:\Windows\SysWOW64\wwxqledx.exe	wuhnum.exe
File opened for modification	C:\Windows\SysWOW64\wtb.exe	whirgimu.exe
File opened for modification	C:\Windows\SysWOW64\wniej.exe	wlxlrrdxj.exe
File opened for modification	C:\Windows\SysWOW64\wsmkspvvq.exe	waqf.exe
File opened for modification	C:\Windows\SysWOW64\wuaabxo.exe	wri.exe
File created	C:\Windows\SysWOW64\wplitknt.exe	wakt.exe
File created	C:\Windows\SysWOW64\wbyixpdx.exe	wstjgrfq.exe
File created	C:\Windows\SysWOW64\wkfxxi.exe	wbyixpdx.exe
File created	C:\Windows\SysWOW64\wqafrpqf.exe	wcutagnd.exe
File created	C:\Windows\SysWOW64\wufmqlswo.exe	wniej.exe
File opened for modification	C:\Windows\SysWOW64\wycko.exe	d6be7e447b67246bfa7ba01c46215db0N.exe
File created	C:\Windows\SysWOW64\wstjgrfq.exe	wplitknt.exe
File opened for modification	C:\Windows\SysWOW64\wri.exe	wqafrpqf.exe
File created	C:\Windows\SysWOW64\wngsmf.exe	wlefp.exe
File created	C:\Windows\SysWOW64\wri.exe	wqafrpqf.exe
File opened for modification	C:\Windows\SysWOW64\wufmqlswo.exe	wniej.exe
File opened for modification	C:\Windows\SysWOW64\wri.exe	wnlwpkc.exe
File opened for modification	C:\Windows\SysWOW64\wkfxxi.exe	wbyixpdx.exe
File created	C:\Windows\SysWOW64\wxytru.exe	wkfxxi.exe
File opened for modification	C:\Windows\SysWOW64\wglein.exe	wwxqledx.exe
File created	C:\Windows\SysWOW64\wwvceps.exe	wycko.exe
File created	C:\Windows\SysWOW64\wafev.exe	wwvceps.exe
File opened for modification	C:\Windows\SysWOW64\wcnivq.exe	wjnjhr.exe
File opened for modification	C:\Windows\SysWOW64\whrqbnev.exe	wcnivq.exe
File opened for modification	C:\Windows\SysWOW64\wcutagnd.exe	whrqbnev.exe
File opened for modification	C:\Windows\SysWOW64\wlefp.exe	wri.exe
File opened for modification	C:\Windows\SysWOW64\wbyixpdx.exe	wstjgrfq.exe
File opened for modification	C:\Windows\SysWOW64\wwxqledx.exe	wuhnum.exe
File created	C:\Windows\SysWOW64\wjnjhr.exe	waqvgp.exe
File opened for modification	C:\Windows\SysWOW64\wuhnum.exe	wxytru.exe
File created	C:\Windows\SysWOW64\wglein.exe	wwxqledx.exe
File opened for modification	C:\Windows\SysWOW64\wnlwpkc.exe	wsmkspvvq.exe
File created	C:\Windows\SysWOW64\wuaabxo.exe	wri.exe
File opened for modification	C:\Windows\SysWOW64\wakt.exe	wuaabxo.exe
File opened for modification	C:\Windows\SysWOW64\wplitknt.exe	wakt.exe
File opened for modification	C:\Windows\SysWOW64\wstjgrfq.exe	wplitknt.exe
File opened for modification	C:\Windows\SysWOW64\wxytru.exe	wkfxxi.exe
File opened for modification	C:\Windows\SysWOW64\waqvgp.exe	wglein.exe
File created	C:\Windows\SysWOW64\wcutagnd.exe	whrqbnev.exe
File created	C:\Windows\SysWOW64\whirgimu.exe	wcwvulise.exe
File opened for modification	C:\Windows\SysWOW64\wwvceps.exe	wycko.exe
File created	C:\Windows\SysWOW64\wsmkspvvq.exe	waqf.exe
File opened for modification	C:\Windows\SysWOW64\wngsmf.exe	wlefp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3068	2688	WerFault.exe	76

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnlwpkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wtb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wufmqlswo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wakt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d6be7e447b67246bfa7ba01c46215db0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcutagnd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wqafrpqf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wycko.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wwvceps.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wuaabxo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wbyixpdx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wglein.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wri.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wri.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wlxlrrdxj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wsmkspvvq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wwxqledx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wlefp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcwvulise.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	whirgimu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	waqvgp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wplitknt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wstjgrfq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcnivq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wngsmf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wuhnum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wjnjhr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wafev.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	whrqbnev.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wxytru.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wkfxxi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	waqf.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2408 wrote to memory of 2980	2408	d6be7e447b67246bfa7ba01c46215db0N.exe	28
PID 2408 wrote to memory of 2980	2408	d6be7e447b67246bfa7ba01c46215db0N.exe	28
PID 2408 wrote to memory of 2980	2408	d6be7e447b67246bfa7ba01c46215db0N.exe	28
PID 2408 wrote to memory of 2980	2408	d6be7e447b67246bfa7ba01c46215db0N.exe	28
PID 2408 wrote to memory of 2596	2408	d6be7e447b67246bfa7ba01c46215db0N.exe	30
PID 2408 wrote to memory of 2596	2408	d6be7e447b67246bfa7ba01c46215db0N.exe	30
PID 2408 wrote to memory of 2596	2408	d6be7e447b67246bfa7ba01c46215db0N.exe	30
PID 2408 wrote to memory of 2596	2408	d6be7e447b67246bfa7ba01c46215db0N.exe	30
PID 2980 wrote to memory of 2540	2980	wycko.exe	32
PID 2980 wrote to memory of 2540	2980	wycko.exe	32
PID 2980 wrote to memory of 2540	2980	wycko.exe	32
PID 2980 wrote to memory of 2540	2980	wycko.exe	32
PID 2980 wrote to memory of 1652	2980	wycko.exe	33
PID 2980 wrote to memory of 1652	2980	wycko.exe	33
PID 2980 wrote to memory of 1652	2980	wycko.exe	33
PID 2980 wrote to memory of 1652	2980	wycko.exe	33
PID 2540 wrote to memory of 1080	2540	wwvceps.exe	35
PID 2540 wrote to memory of 1080	2540	wwvceps.exe	35
PID 2540 wrote to memory of 1080	2540	wwvceps.exe	35
PID 2540 wrote to memory of 1080	2540	wwvceps.exe	35
PID 2540 wrote to memory of 2016	2540	wwvceps.exe	36
PID 2540 wrote to memory of 2016	2540	wwvceps.exe	36
PID 2540 wrote to memory of 2016	2540	wwvceps.exe	36
PID 2540 wrote to memory of 2016	2540	wwvceps.exe	36
PID 1080 wrote to memory of 1252	1080	wafev.exe	38
PID 1080 wrote to memory of 1252	1080	wafev.exe	38
PID 1080 wrote to memory of 1252	1080	wafev.exe	38
PID 1080 wrote to memory of 1252	1080	wafev.exe	38
PID 1080 wrote to memory of 2292	1080	wafev.exe	39
PID 1080 wrote to memory of 2292	1080	wafev.exe	39
PID 1080 wrote to memory of 2292	1080	wafev.exe	39
PID 1080 wrote to memory of 2292	1080	wafev.exe	39
PID 1252 wrote to memory of 1980	1252	waqf.exe	41
PID 1252 wrote to memory of 1980	1252	waqf.exe	41
PID 1252 wrote to memory of 1980	1252	waqf.exe	41
PID 1252 wrote to memory of 1980	1252	waqf.exe	41
PID 1252 wrote to memory of 2704	1252	waqf.exe	42
PID 1252 wrote to memory of 2704	1252	waqf.exe	42
PID 1252 wrote to memory of 2704	1252	waqf.exe	42
PID 1252 wrote to memory of 2704	1252	waqf.exe	42
PID 1980 wrote to memory of 2928	1980	wsmkspvvq.exe	44
PID 1980 wrote to memory of 2928	1980	wsmkspvvq.exe	44
PID 1980 wrote to memory of 2928	1980	wsmkspvvq.exe	44
PID 1980 wrote to memory of 2928	1980	wsmkspvvq.exe	44
PID 1980 wrote to memory of 2348	1980	wsmkspvvq.exe	45
PID 1980 wrote to memory of 2348	1980	wsmkspvvq.exe	45
PID 1980 wrote to memory of 2348	1980	wsmkspvvq.exe	45
PID 1980 wrote to memory of 2348	1980	wsmkspvvq.exe	45
PID 2928 wrote to memory of 1548	2928	wnlwpkc.exe	47
PID 2928 wrote to memory of 1548	2928	wnlwpkc.exe	47
PID 2928 wrote to memory of 1548	2928	wnlwpkc.exe	47
PID 2928 wrote to memory of 1548	2928	wnlwpkc.exe	47
PID 2928 wrote to memory of 896	2928	wnlwpkc.exe	48
PID 2928 wrote to memory of 896	2928	wnlwpkc.exe	48
PID 2928 wrote to memory of 896	2928	wnlwpkc.exe	48
PID 2928 wrote to memory of 896	2928	wnlwpkc.exe	48
PID 1548 wrote to memory of 992	1548	wri.exe	50
PID 1548 wrote to memory of 992	1548	wri.exe	50
PID 1548 wrote to memory of 992	1548	wri.exe	50
PID 1548 wrote to memory of 992	1548	wri.exe	50
PID 1548 wrote to memory of 1912	1548	wri.exe	51
PID 1548 wrote to memory of 1912	1548	wri.exe	51
PID 1548 wrote to memory of 1912	1548	wri.exe	51
PID 1548 wrote to memory of 1912	1548	wri.exe	51

C:\Users\Admin\AppData\Local\Temp\d6be7e447b67246bfa7ba01c46215db0N.exe
"C:\Users\Admin\AppData\Local\Temp\d6be7e447b67246bfa7ba01c46215db0N.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2408
- C:\Windows\SysWOW64\wycko.exe
  "C:\Windows\system32\wycko.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2980
- - C:\Windows\SysWOW64\wwvceps.exe
    "C:\Windows\system32\wwvceps.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2540
  - - C:\Windows\SysWOW64\wafev.exe
      "C:\Windows\system32\wafev.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1080
    - - C:\Windows\SysWOW64\waqf.exe
        
        "C:\Windows\system32\waqf.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1252
      - C:\Windows\SysWOW64\wsmkspvvq.exe
        
        "C:\Windows\system32\wsmkspvvq.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1980
        
        C:\Windows\SysWOW64\wnlwpkc.exe
        
        "C:\Windows\system32\wnlwpkc.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2928
        
        C:\Windows\SysWOW64\wri.exe
        
        "C:\Windows\system32\wri.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1548
        
        C:\Windows\SysWOW64\wuaabxo.exe
        
        "C:\Windows\system32\wuaabxo.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:992
        
        C:\Windows\SysWOW64\wakt.exe
        
        "C:\Windows\system32\wakt.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:400
        
        C:\Windows\SysWOW64\wplitknt.exe
        
        "C:\Windows\system32\wplitknt.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2812
        
        C:\Windows\SysWOW64\wstjgrfq.exe
        
        "C:\Windows\system32\wstjgrfq.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2028
        
        C:\Windows\SysWOW64\wbyixpdx.exe
        
        "C:\Windows\system32\wbyixpdx.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1704
        
        C:\Windows\SysWOW64\wkfxxi.exe
        
        "C:\Windows\system32\wkfxxi.exe"
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1920
        
        C:\Windows\SysWOW64\wxytru.exe
        
        "C:\Windows\system32\wxytru.exe"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2128
        
        C:\Windows\SysWOW64\wuhnum.exe
        
        "C:\Windows\system32\wuhnum.exe"
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:408
        
        C:\Windows\SysWOW64\wwxqledx.exe
        
        "C:\Windows\system32\wwxqledx.exe"
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2688
        
        C:\Windows\SysWOW64\wglein.exe
        
        "C:\Windows\system32\wglein.exe"
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2096
        
        C:\Windows\SysWOW64\waqvgp.exe
        
        "C:\Windows\system32\waqvgp.exe"
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1052
        
        C:\Windows\SysWOW64\wjnjhr.exe
        
        "C:\Windows\system32\wjnjhr.exe"
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2568
        
        C:\Windows\SysWOW64\wcnivq.exe
        
        "C:\Windows\system32\wcnivq.exe"
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2012
        
        C:\Windows\SysWOW64\whrqbnev.exe
        
        "C:\Windows\system32\whrqbnev.exe"
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2016
        
        C:\Windows\SysWOW64\wcutagnd.exe
        
        "C:\Windows\system32\wcutagnd.exe"
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1996
        
        C:\Windows\SysWOW64\wqafrpqf.exe
        
        "C:\Windows\system32\wqafrpqf.exe"
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2848
        
        C:\Windows\SysWOW64\wri.exe
        
        "C:\Windows\system32\wri.exe"
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2532
        
        C:\Windows\SysWOW64\wlefp.exe
        
        "C:\Windows\system32\wlefp.exe"
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1404
        
        C:\Windows\SysWOW64\wngsmf.exe
        
        "C:\Windows\system32\wngsmf.exe"
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2836
        
        C:\Windows\SysWOW64\wcwvulise.exe
        
        "C:\Windows\system32\wcwvulise.exe"
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2932
        
        C:\Windows\SysWOW64\whirgimu.exe
        
        "C:\Windows\system32\whirgimu.exe"
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2972
        
        C:\Windows\SysWOW64\wtb.exe
        
        "C:\Windows\system32\wtb.exe"
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2540
        
        C:\Windows\SysWOW64\wlxlrrdxj.exe
        
        "C:\Windows\system32\wlxlrrdxj.exe"
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2312
        
        C:\Windows\SysWOW64\wniej.exe
        
        "C:\Windows\system32\wniej.exe"
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2156
        
        C:\Windows\SysWOW64\wufmqlswo.exe
        
        "C:\Windows\system32\wufmqlswo.exe"
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3028
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wniej.exe"
        33⤵
        System Location Discovery: System Language Discovery
        
        PID:2332
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlxlrrdxj.exe"
        32⤵
        System Location Discovery: System Language Discovery
        
        PID:1576
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtb.exe"
        31⤵
        System Location Discovery: System Language Discovery
        
        PID:2316
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whirgimu.exe"
        30⤵
        System Location Discovery: System Language Discovery
        
        PID:1592
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcwvulise.exe"
        29⤵
        System Location Discovery: System Language Discovery
        
        PID:2008
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wngsmf.exe"
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:2744
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlefp.exe"
        27⤵
        System Location Discovery: System Language Discovery
        
        PID:992
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wri.exe"
        26⤵
        System Location Discovery: System Language Discovery
        
        PID:880
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqafrpqf.exe"
        25⤵
        System Location Discovery: System Language Discovery
        
        PID:484
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcutagnd.exe"
        24⤵
        System Location Discovery: System Language Discovery
        
        PID:444
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whrqbnev.exe"
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:2712
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcnivq.exe"
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:1724
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjnjhr.exe"
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:796
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\waqvgp.exe"
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:2972
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wglein.exe"
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:2876
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwxqledx.exe"
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:1912
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2688 -s 808
        18⤵
        Program crash
        
        PID:3068
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuhnum.exe"
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:880
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxytru.exe"
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:636
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkfxxi.exe"
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:108
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbyixpdx.exe"
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:2712
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wstjgrfq.exe"
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:1284
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wplitknt.exe"
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2548
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wakt.exe"
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1032
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuaabxo.exe"
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2912
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wri.exe"
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1912
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnlwpkc.exe"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:896
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsmkspvvq.exe"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2348
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\waqf.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2704
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wafev.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2292
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwvceps.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2016
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wycko.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1652
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\d6be7e447b67246bfa7ba01c46215db0N.exe"
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\NC5GXZB7.txt

Filesize
99B

MD5
25395e98c2fb0fa1de8e82414fb83f94

SHA1
721a05df8d156b439d182555291b9418c5b0cc4f

SHA256
632e41bec2d2a208ee1057cce9520d70424a66f3df5b22349c2a6ebb95c39c4e

SHA512
1c2962809a8e43462bf2bc92fa3e8a9d26b8b0275d4461e229c60565ab7ee4e5c98d9ea757635f2b9bbdda8a2ba066a106a7294a48662b9d4a2568e95a10821d

Download Submit
\Windows\SysWOW64\wafev.exe

Filesize
94KB

MD5
c3f047234eb082efbc68cfc1b4348664

SHA1
01284b7122ddf8933241ae229b8d43767b6be8bc

SHA256
bafd31cb4a9bd92fed30f719eb4f2043fda55e41fa51a0c8fec4af49956ed84d

SHA512
8afdf6e00171cf6b7245f914ebdb83a4d09a551a18228c8e12b2e43d3b3f8a0d63e77ea83d893808e58ce029316c79b3bf33bad9182fed7294f697168bcaba69

Download Submit
\Windows\SysWOW64\wakt.exe

Filesize
94KB

MD5
5b9265445a744e2575a23c74d6330c6c

SHA1
5cced4a41878365fcbd6480d1ab7064103d3ce15

SHA256
e3fedd387ac59fd8e14d2bffe4d07ddb44f03d66041a6da43b622d926e4aae7a

SHA512
801a90ed253ba464aa5bb5e3ded0ce89d60be9ba8fddb68c1a4db73031490bffe2466f0e85e70eb7c913d08820b8c9c795e2fccbba6e97fecf83745274aa1901

Download Submit
\Windows\SysWOW64\waqf.exe

Filesize
94KB

MD5
15a97aab01c4f038edac0efe255149ea

SHA1
f0ac5e94f1a4a962808fb76f62f4a37463744a53

SHA256
48300fc88ad6c93873ecd585827346429bad15ef26ee180be61c11546e11f35d

SHA512
82f11a96326605ae33219316af5f91ec0124ca60d7ff5fa1e4ffd2356b36c4e14434d6b939beaf78513e04bfaccb338278950b0506423595e38a6ed831aeea25

Download Submit
\Windows\SysWOW64\wnlwpkc.exe

Filesize
94KB

MD5
3dbf8196d95fd83d686626a475a4617f

SHA1
5e1cc741bee9275444d17227246f94dceaafdf41

SHA256
47f209f382e33c9c22d12105dc9965f2507798f967d4982bc8d631f6fb9d4a01

SHA512
a2ed5b8a78b494f513cfe547c8be62d15999d044cb821ddaa18251af889cb6d6598560ed7ab4eb06ba3c09dc4c84d014891b5bbcdf9d8bd73aa6359092d377e8

Download Submit
\Windows\SysWOW64\wplitknt.exe

Filesize
94KB

MD5
cf0bf778c012656a726d201287ef3330

SHA1
7aaa9b62bd59dae99ff48b90c82c3f386aa5c30f

SHA256
6cb1439b1939677cc0d8b245223332de2b7deab30f6d71cf747da1337cf952ef

SHA512
8b9599f59c5b46fc74a277c794552ce6f23b604d3696c47d4da43b2ba551466ecb68fef11f20a63900d24a472314c8e0eedff92134237fa2cb1727d2347ee640

Download Submit
\Windows\SysWOW64\wri.exe

Filesize
94KB

MD5
863c602753c22a7059fccc76b71dbb4b

SHA1
b9a473dd039ac34b56a8730a7bd63ce651c0ed86

SHA256
342c15de3a43d25020e062fe34e9a101a5afd760572022bfd424bcec429292c7

SHA512
e7319ef486da4d6555f9a9c7f472c72c57d939a555e08f314557ddd2769911f2263d41162f5bf036b9d4e77c08ecbea211c01833f362cdda33a0119da994059f

Download Submit
\Windows\SysWOW64\wsmkspvvq.exe

Filesize
94KB

MD5
c8380638a63433f835dbd7c93282d755

SHA1
1cf3868532726f8ab02ef7a4f3263cf2eed86dce

SHA256
41a293051e716e13fbfd30dd9de8b67b2652ea296ce7c3706f2cad065e411736

SHA512
078a170894c8748e79e0814c367348f0f4380b1772d11b2b7aec84f6dae5337875cd133097d262ff5864c1265e81754a828dc7b66966c347bf72f09b9d274031

Download Submit
\Windows\SysWOW64\wstjgrfq.exe

Filesize
94KB

MD5
694c9aadd9b6c4cc9a7d3cbb2d3122d8

SHA1
8ad836bd09b845f935796a48a3b97690caa3f373

SHA256
a8cb1604258d4d7461aec374813aa93bb21bf15e5e8fa7a8ca7c4755099472cb

SHA512
c14387b27b130eb1d8f9c62c77578673f7f8462731d3978eb9bc34167183673a4bcd693f2892ea26b62c6cc6b6b56a5ba7c46c6e890346c01b10253821bcd719

Download Submit
\Windows\SysWOW64\wuaabxo.exe

Filesize
94KB

MD5
c9a44b5de33a2c53dd5fe510707c652b

SHA1
09b8fe33f94680d545796dcdd95fe45b4dff56bf

SHA256
2c3818e20baf8b4ea74c1e68a017e86dc99f115716bfd78137c45c5b657679df

SHA512
6763f8e8f1149b2d2e172d5a1843d805f376631effdce40bd74a73aad6a75abe7ff9960d791c8bf197f00de8a2fa47245ee8a5cc6a8774e13aa5a899b7358571

Download Submit
\Windows\SysWOW64\wwvceps.exe

Filesize
94KB

MD5
489fc9470ff55a9562ec83712c67a24e

SHA1
0703913474bf0026a879479fb40e45969239913b

SHA256
3899f755c62b2c3b04e251735e61bd65c19445681277b381e6ec2cc5b6479a76

SHA512
8172ce3d9b0e2d7acaf6ded4d7964aabeebe1a482924bc6c4ec861da392fee01e870a5df645fe336bac23d4f8d177000caa870444e420a81968bf4e443585eac

Download Submit
\Windows\SysWOW64\wycko.exe

Filesize
94KB

MD5
ed3021ab4f072d9ac3a51a42a9538068

SHA1
33d15654963f1cf97eb55096650609188cfd9c6e

SHA256
ff747101abdf3c91136059142e596e2c7d55bcf332690dcae140bf198edf8b2e

SHA512
ecc713b5081e237b59ba3cced5a95237f3083ab8c01cc9765dd6834b1cf02807cf6f4d2ca1812e038842d20e87f5b25ce8c75ea781e94867707953abbdd23742

Download Submit
memory/400-210-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/400-207-0x0000000003710000-0x0000000003727000-memory.dmp

Filesize
92KB

Download
memory/408-294-0x0000000004120000-0x0000000004137000-memory.dmp

Filesize
92KB

Download
memory/408-293-0x0000000004010000-0x0000000004027000-memory.dmp

Filesize
92KB

Download
memory/408-297-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/408-295-0x0000000004120000-0x0000000004137000-memory.dmp

Filesize
92KB

Download
memory/992-183-0x0000000003220000-0x0000000003237000-memory.dmp

Filesize
92KB

Download
memory/992-169-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/992-184-0x0000000003220000-0x0000000003237000-memory.dmp

Filesize
92KB

Download
memory/992-190-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1052-337-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1052-321-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1052-334-0x00000000034F0000-0x0000000003507000-memory.dmp

Filesize
92KB

Download
memory/1052-333-0x00000000034F0000-0x0000000003507000-memory.dmp

Filesize
92KB

Download
memory/1052-332-0x00000000034F0000-0x0000000003507000-memory.dmp

Filesize
92KB

Download
memory/1080-88-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1080-85-0x00000000032F0000-0x0000000003307000-memory.dmp

Filesize
92KB

Download
memory/1080-86-0x00000000032F0000-0x0000000003307000-memory.dmp

Filesize
92KB

Download
memory/1252-106-0x0000000003B00000-0x0000000003B17000-memory.dmp

Filesize
92KB

Download
memory/1252-108-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1252-100-0x0000000003B00000-0x0000000003B17000-memory.dmp

Filesize
92KB

Download
memory/1404-439-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1404-426-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1548-170-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1704-254-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1704-253-0x0000000003270000-0x0000000003287000-memory.dmp

Filesize
92KB

Download
memory/1704-252-0x0000000003270000-0x0000000003287000-memory.dmp

Filesize
92KB

Download
memory/1704-239-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1920-268-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1920-266-0x0000000004080000-0x0000000004097000-memory.dmp

Filesize
92KB

Download
memory/1980-129-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1980-120-0x0000000004020000-0x0000000004037000-memory.dmp

Filesize
92KB

Download
memory/1980-126-0x0000000004020000-0x0000000004037000-memory.dmp

Filesize
92KB

Download
memory/1980-127-0x0000000004020000-0x0000000004037000-memory.dmp

Filesize
92KB

Download
memory/1996-395-0x0000000004020000-0x0000000004037000-memory.dmp

Filesize
92KB

Download
memory/1996-396-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2012-367-0x0000000003EA0000-0x0000000003EB7000-memory.dmp

Filesize
92KB

Download
memory/2012-364-0x0000000003EA0000-0x0000000003EB7000-memory.dmp

Filesize
92KB

Download
memory/2012-366-0x0000000003EA0000-0x0000000003EB7000-memory.dmp

Filesize
92KB

Download
memory/2012-365-0x0000000003EA0000-0x0000000003EB7000-memory.dmp

Filesize
92KB

Download
memory/2012-369-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2016-368-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2016-381-0x0000000001DC0000-0x0000000001DD7000-memory.dmp

Filesize
92KB

Download
memory/2016-382-0x0000000001DC0000-0x0000000001DD7000-memory.dmp

Filesize
92KB

Download
memory/2016-383-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2028-238-0x00000000030F0000-0x0000000003107000-memory.dmp

Filesize
92KB

Download
memory/2028-237-0x00000000030F0000-0x0000000003107000-memory.dmp

Filesize
92KB

Download
memory/2028-240-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2096-322-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2128-281-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2128-280-0x0000000004140000-0x0000000004157000-memory.dmp

Filesize
92KB

Download
memory/2128-267-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2408-24-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2408-0-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2408-11-0x0000000004050000-0x0000000004067000-memory.dmp

Filesize
92KB

Download
memory/2408-12-0x0000000004050000-0x0000000004067000-memory.dmp

Filesize
92KB

Download
memory/2408-20-0x0000000004050000-0x0000000004067000-memory.dmp

Filesize
92KB

Download
memory/2408-19-0x0000000004050000-0x0000000004067000-memory.dmp

Filesize
92KB

Download
memory/2532-427-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2532-423-0x0000000003C50000-0x0000000003C67000-memory.dmp

Filesize
92KB

Download
memory/2532-425-0x0000000004270000-0x0000000004287000-memory.dmp

Filesize
92KB

Download
memory/2532-424-0x0000000004270000-0x0000000004287000-memory.dmp

Filesize
92KB

Download
memory/2540-46-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2540-69-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2540-64-0x0000000003D20000-0x0000000003D37000-memory.dmp

Filesize
92KB

Download
memory/2540-66-0x0000000003D30000-0x0000000003D47000-memory.dmp

Filesize
92KB

Download
memory/2540-65-0x0000000003D30000-0x0000000003D47000-memory.dmp

Filesize
92KB

Download
memory/2568-351-0x0000000003520000-0x0000000003537000-memory.dmp

Filesize
92KB

Download
memory/2568-350-0x0000000003520000-0x0000000003537000-memory.dmp

Filesize
92KB

Download
memory/2568-349-0x0000000003520000-0x0000000003537000-memory.dmp

Filesize
92KB

Download
memory/2568-352-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2688-296-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2688-309-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2812-225-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2836-453-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2836-452-0x0000000003E70000-0x0000000003E87000-memory.dmp

Filesize
92KB

Download
memory/2836-447-0x0000000003E70000-0x0000000003E87000-memory.dmp

Filesize
92KB

Download
memory/2848-411-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2848-405-0x0000000003EB0000-0x0000000003EC7000-memory.dmp

Filesize
92KB

Download
memory/2848-409-0x0000000003EB0000-0x0000000003EC7000-memory.dmp

Filesize
92KB

Download
memory/2848-410-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2928-152-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2928-141-0x0000000003A60000-0x0000000003A77000-memory.dmp

Filesize
92KB

Download
memory/2928-149-0x0000000003A60000-0x0000000003A77000-memory.dmp

Filesize
92KB

Download
memory/2928-148-0x0000000003A60000-0x0000000003A77000-memory.dmp

Filesize
92KB

Download
memory/2928-140-0x0000000003A60000-0x0000000003A77000-memory.dmp

Filesize
92KB

Download
memory/2932-468-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2932-466-0x0000000003B60000-0x0000000003B77000-memory.dmp

Filesize
92KB

Download
memory/2932-467-0x0000000003B60000-0x0000000003B77000-memory.dmp

Filesize
92KB

Download
memory/2932-465-0x0000000003B60000-0x0000000003B77000-memory.dmp

Filesize
92KB

Download
memory/2980-43-0x0000000003EF0000-0x0000000003F07000-memory.dmp

Filesize
92KB

Download
memory/2980-22-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2980-41-0x0000000003EF0000-0x0000000003F07000-memory.dmp

Filesize
92KB

Download
memory/2980-44-0x0000000003EF0000-0x0000000003F07000-memory.dmp

Filesize
92KB

Download
memory/2980-47-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2980-42-0x0000000003EF0000-0x0000000003F07000-memory.dmp

Filesize
92KB

Download