2f55a3a6b8d9eeaea4f7bed369f2fb9e72477fdeb901d2c9b5f185fcc9732731

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05-10-2024 09:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1735ef391c40c29bad38520b706df86e_JaffaCakes118.exe
Size

262KB
MD5

1735ef391c40c29bad38520b706df86e
SHA1

fe12512458c6c8372e6e1979694c56818c0de72c
SHA256

2f55a3a6b8d9eeaea4f7bed369f2fb9e72477fdeb901d2c9b5f185fcc9732731
SHA512

200a7e7cb268c17916106487837cda86d61a3365807155232977293d4a39ab9e7eab7e2dd4b4376349f18b921ac5f983abc00972b8729ca6bcebb23b433d5c1f
SSDEEP

3072:ZYUb5QoJ4g+Ri+Zj6Iz1ZdW4SrO7FSVpEL:ZY7xh6SZI4z7FSVpE

Score

7^/10

defense_evasion discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wxoysg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wkmcbw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wdhxo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wrkfxio.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wgr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	woo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wyfhgh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wie.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wckjvs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wdxhtfwxc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wtpc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wvobdl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wqnibd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wsqrs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wtuapcqlv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wamoivun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wusbqbk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wpwmv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wqwlaomrn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wweowiur.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wwptpsko.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wxuio.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wmcxjnu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wkjfe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wijttalw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wpsijlb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wgntk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wje.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wiumyui.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	weefm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wwnlqd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wlfglbxb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wfocyd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	1735ef391c40c29bad38520b706df86e_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wnmltl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wtqf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wfihoojf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wldd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	waetyys.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wic.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wnblndxmt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wasm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wti.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wlyhfwcm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wqxhqrh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wsdq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wwiat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wsbnrypk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wisqocgpt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wvgwv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wiamrgi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wysuqk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wvvhpni.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wbditsgql.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wcbdud.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wnodgl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wplcf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wegnkt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wkfu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wdklvayum.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wfni.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wfvkwiek.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wjrlx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	whjrvmthj.exe

Executes dropped EXE 64 IoCs

pid	Process
2444	wcbdud.exe
716	wqxhqrh.exe
2956	wdhxo.exe
3472	whytme.exe
4732	wnodgl.exe
728	wjxgoou.exe
3332	wckjvs.exe
2096	wmcxjnu.exe
2052	wsdq.exe
3248	wwywlwj.exe
244	wnmltl.exe
1948	wkjfe.exe
3372	wijttalw.exe
5112	wdxhtfwxc.exe
3100	wtpc.exe
2892	wje.exe
2716	wdre.exe
4592	wplcf.exe
4472	wfni.exe
3236	wiamrgi.exe
716	wfvkwiek.exe
2792	wqnibd.exe
4252	wvobdl.exe
3952	wldd.exe
5004	wjrlx.exe
5096	wusbqbk.exe
1656	wysuqk.exe
2444	wxhc.exe
4516	wwiat.exe
3956	wmwod.exe
4276	wsbnrypk.exe
1688	wpwmv.exe
1956	wsqrs.exe
4824	woawa.exe
4840	wtqf.exe
2936	wvvhpni.exe
3964	wfihoojf.exe
1608	wqwlaomrn.exe
2104	wtuapcqlv.exe
216	wiumyui.exe
2688	wnblndxmt.exe
2916	waetyys.exe
3316	wpsijlb.exe
1076	wwptpsko.exe
460	whjrvmthj.exe
4132	wlfglbxb.exe
3132	wrkfxio.exe
2200	wsgbu.exe
1008	wxuio.exe
3312	wic.exe
2528	wbditsgql.exe
3956	wisqocgpt.exe
1860	wkfu.exe
3540	wyfhgh.exe
4924	wigwyigo.exe
5088	wmsbiw.exe
3604	wasm.exe
1944	wfuf.exe
3096	wegnkt.exe
2616	wxjpfx.exe
2688	wfocyd.exe
3092	wvgwv.exe
2896	wgr.exe
3188	weefm.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\wwywlwj.exe	wsdq.exe
File created	C:\Windows\SysWOW64\wdre.exe	wje.exe
File created	C:\Windows\SysWOW64\wpsijlb.exe	waetyys.exe
File opened for modification	C:\Windows\SysWOW64\wlfglbxb.exe	whjrvmthj.exe
File created	C:\Windows\SysWOW64\wxhc.exe	wysuqk.exe
File created	C:\Windows\SysWOW64\wvgwv.exe	wfocyd.exe
File created	C:\Windows\SysWOW64\wwnlqd.exe	wdklvayum.exe
File created	C:\Windows\SysWOW64\wgntk.exe	wnyi.exe
File opened for modification	C:\Windows\SysWOW64\wdre.exe	wje.exe
File created	C:\Windows\SysWOW64\wpwmv.exe	wsbnrypk.exe
File opened for modification	C:\Windows\SysWOW64\wasm.exe	wmsbiw.exe
File opened for modification	C:\Windows\SysWOW64\wsdq.exe	wmcxjnu.exe
File opened for modification	C:\Windows\SysWOW64\wpwmv.exe	wsbnrypk.exe
File created	C:\Windows\SysWOW64\wqwlaomrn.exe	wfihoojf.exe
File created	C:\Windows\SysWOW64\wiumyui.exe	wtuapcqlv.exe
File opened for modification	C:\Windows\SysWOW64\wweowiur.exe	wllpsnl.exe
File opened for modification	C:\Windows\SysWOW64\wgntk.exe	wnyi.exe
File opened for modification	C:\Windows\SysWOW64\wnmltl.exe	wwywlwj.exe
File created	C:\Windows\SysWOW64\wkmcbw.exe	wamoivun.exe
File opened for modification	C:\Windows\SysWOW64\whytme.exe	wdhxo.exe
File created	C:\Windows\SysWOW64\wfihoojf.exe	wvvhpni.exe
File opened for modification	C:\Windows\SysWOW64\wrkfxio.exe	wlfglbxb.exe
File created	C:\Windows\SysWOW64\wmsbiw.exe	wigwyigo.exe
File opened for modification	C:\Windows\SysWOW64\wfocyd.exe	wxjpfx.exe
File created	C:\Windows\SysWOW64\wbfiyjn.exe	wruibh.exe
File opened for modification	C:\Windows\SysWOW64\wie.exe	wgntk.exe
File created	C:\Windows\SysWOW64\whytme.exe	wdhxo.exe
File opened for modification	C:\Windows\SysWOW64\wnodgl.exe	whytme.exe
File opened for modification	C:\Windows\SysWOW64\wsbnrypk.exe	wmwod.exe
File created	C:\Windows\SysWOW64\wnblndxmt.exe	wiumyui.exe
File created	C:\Windows\SysWOW64\wsdq.exe	wmcxjnu.exe
File opened for modification	C:\Windows\SysWOW64\wwywlwj.exe	wsdq.exe
File opened for modification	C:\Windows\SysWOW64\wwiat.exe	wxhc.exe
File created	C:\Windows\SysWOW64\wti.exe	weefm.exe
File created	C:\Windows\SysWOW64\wllpsnl.exe	wti.exe
File opened for modification	C:\Windows\SysWOW64\whjrvmthj.exe	wwptpsko.exe
File opened for modification	C:\Windows\SysWOW64\wegnkt.exe	wfuf.exe
File created	C:\Windows\SysWOW64\woawa.exe	wsqrs.exe
File opened for modification	C:\Windows\SysWOW64\wfuf.exe	wasm.exe
File created	C:\Windows\SysWOW64\wtuapcqlv.exe	wqwlaomrn.exe
File opened for modification	C:\Windows\SysWOW64\wiumyui.exe	wtuapcqlv.exe
File opened for modification	C:\Windows\SysWOW64\waetyys.exe	wnblndxmt.exe
File created	C:\Windows\SysWOW64\whjrvmthj.exe	wwptpsko.exe
File created	C:\Windows\SysWOW64\wsgbu.exe	wrkfxio.exe
File created	C:\Windows\SysWOW64\wbditsgql.exe	wic.exe
File created	C:\Windows\SysWOW64\wigwyigo.exe	wyfhgh.exe
File opened for modification	C:\Windows\SysWOW64\wdklvayum.exe	wbfiyjn.exe
File opened for modification	C:\Windows\SysWOW64\wkmcbw.exe	wamoivun.exe
File created	C:\Windows\SysWOW64\wdhxo.exe	wqxhqrh.exe
File created	C:\Windows\SysWOW64\wqnibd.exe	wfvkwiek.exe
File opened for modification	C:\Windows\SysWOW64\wldd.exe	wvobdl.exe
File opened for modification	C:\Windows\SysWOW64\wusbqbk.exe	wjrlx.exe
File created	C:\Windows\SysWOW64\wisqocgpt.exe	wbditsgql.exe
File opened for modification	C:\Windows\SysWOW64\wgr.exe	wvgwv.exe
File created	C:\Windows\SysWOW64\wdxhtfwxc.exe	wijttalw.exe
File created	C:\Windows\SysWOW64\wfvkwiek.exe	wiamrgi.exe
File created	C:\Windows\SysWOW64\wjrlx.exe	wldd.exe
File opened for modification	C:\Windows\SysWOW64\wqwlaomrn.exe	wfihoojf.exe
File opened for modification	C:\Windows\SysWOW64\wxjpfx.exe	wegnkt.exe
File created	C:\Windows\SysWOW64\wgr.exe	wvgwv.exe
File opened for modification	C:\Windows\SysWOW64\wnyi.exe	wkmcbw.exe
File created	C:\Windows\SysWOW64\wckjvs.exe	wjxgoou.exe
File created	C:\Windows\SysWOW64\waetyys.exe	wnblndxmt.exe
File created	C:\Windows\SysWOW64\wwptpsko.exe	wpsijlb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 16 IoCs

pid	pid_target	Process	procid_target
3628	2444	WerFault.exe	84
3020	2956	WerFault.exe	94
1644	3372	WerFault.exe	128
1820	3372	WerFault.exe	128
4852	2716	WerFault.exe	148
824	716	WerFault.exe	164
3948	2792	WerFault.exe	167
1584	4252	WerFault.exe	172
4212	4276	WerFault.exe	200
1260	2916	WerFault.exe	235
3992	4924	WerFault.exe	276
4392	4924	WerFault.exe	276
3420	1944	WerFault.exe	289
2384	3188	WerFault.exe	309
2768	5008	WerFault.exe	317
3340	1936	WerFault.exe	352

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmsbiw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wasm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wtuapcqlv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	whjrvmthj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wfocyd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wbfiyjn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wegnkt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcbdud.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnodgl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wijttalw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	whytme.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wfvkwiek.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wrkfxio.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wqnibd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnblndxmt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wie.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wxmb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wtpc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wxuio.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wdre.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wysuqk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wsgbu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wbditsgql.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wpwmv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wdklvayum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wjxgoou.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmcxjnu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiumyui.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wsdq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wxhc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3592 wrote to memory of 2444	3592	1735ef391c40c29bad38520b706df86e_JaffaCakes118.exe	84
PID 3592 wrote to memory of 2444	3592	1735ef391c40c29bad38520b706df86e_JaffaCakes118.exe	84
PID 3592 wrote to memory of 2444	3592	1735ef391c40c29bad38520b706df86e_JaffaCakes118.exe	84
PID 3592 wrote to memory of 4992	3592	1735ef391c40c29bad38520b706df86e_JaffaCakes118.exe	86
PID 3592 wrote to memory of 4992	3592	1735ef391c40c29bad38520b706df86e_JaffaCakes118.exe	86
PID 3592 wrote to memory of 4992	3592	1735ef391c40c29bad38520b706df86e_JaffaCakes118.exe	86
PID 2444 wrote to memory of 716	2444	wcbdud.exe	88
PID 2444 wrote to memory of 716	2444	wcbdud.exe	88
PID 2444 wrote to memory of 716	2444	wcbdud.exe	88
PID 2444 wrote to memory of 1876	2444	wcbdud.exe	89
PID 2444 wrote to memory of 1876	2444	wcbdud.exe	89
PID 2444 wrote to memory of 1876	2444	wcbdud.exe	89
PID 716 wrote to memory of 2956	716	wqxhqrh.exe	94
PID 716 wrote to memory of 2956	716	wqxhqrh.exe	94
PID 716 wrote to memory of 2956	716	wqxhqrh.exe	94
PID 716 wrote to memory of 2428	716	wqxhqrh.exe	95
PID 716 wrote to memory of 2428	716	wqxhqrh.exe	95
PID 716 wrote to memory of 2428	716	wqxhqrh.exe	95
PID 2956 wrote to memory of 3472	2956	wdhxo.exe	97
PID 2956 wrote to memory of 3472	2956	wdhxo.exe	97
PID 2956 wrote to memory of 3472	2956	wdhxo.exe	97
PID 2956 wrote to memory of 1428	2956	wdhxo.exe	98
PID 2956 wrote to memory of 1428	2956	wdhxo.exe	98
PID 2956 wrote to memory of 1428	2956	wdhxo.exe	98
PID 3472 wrote to memory of 4732	3472	whytme.exe	102
PID 3472 wrote to memory of 4732	3472	whytme.exe	102
PID 3472 wrote to memory of 4732	3472	whytme.exe	102
PID 3472 wrote to memory of 2620	3472	whytme.exe	103
PID 3472 wrote to memory of 2620	3472	whytme.exe	103
PID 3472 wrote to memory of 2620	3472	whytme.exe	103
PID 4732 wrote to memory of 728	4732	wnodgl.exe	107
PID 4732 wrote to memory of 728	4732	wnodgl.exe	107
PID 4732 wrote to memory of 728	4732	wnodgl.exe	107
PID 4732 wrote to memory of 3788	4732	wnodgl.exe	108
PID 4732 wrote to memory of 3788	4732	wnodgl.exe	108
PID 4732 wrote to memory of 3788	4732	wnodgl.exe	108
PID 728 wrote to memory of 3332	728	wjxgoou.exe	110
PID 728 wrote to memory of 3332	728	wjxgoou.exe	110
PID 728 wrote to memory of 3332	728	wjxgoou.exe	110
PID 728 wrote to memory of 1076	728	wjxgoou.exe	111
PID 728 wrote to memory of 1076	728	wjxgoou.exe	111
PID 728 wrote to memory of 1076	728	wjxgoou.exe	111
PID 3332 wrote to memory of 2096	3332	wckjvs.exe	113
PID 3332 wrote to memory of 2096	3332	wckjvs.exe	113
PID 3332 wrote to memory of 2096	3332	wckjvs.exe	113
PID 3332 wrote to memory of 1376	3332	wckjvs.exe	114
PID 3332 wrote to memory of 1376	3332	wckjvs.exe	114
PID 3332 wrote to memory of 1376	3332	wckjvs.exe	114
PID 2096 wrote to memory of 2052	2096	wmcxjnu.exe	116
PID 2096 wrote to memory of 2052	2096	wmcxjnu.exe	116
PID 2096 wrote to memory of 2052	2096	wmcxjnu.exe	116
PID 2096 wrote to memory of 2196	2096	wmcxjnu.exe	117
PID 2096 wrote to memory of 2196	2096	wmcxjnu.exe	117
PID 2096 wrote to memory of 2196	2096	wmcxjnu.exe	117
PID 2052 wrote to memory of 3248	2052	wsdq.exe	119
PID 2052 wrote to memory of 3248	2052	wsdq.exe	119
PID 2052 wrote to memory of 3248	2052	wsdq.exe	119
PID 2052 wrote to memory of 1140	2052	wsdq.exe	120
PID 2052 wrote to memory of 1140	2052	wsdq.exe	120
PID 2052 wrote to memory of 1140	2052	wsdq.exe	120
PID 3248 wrote to memory of 244	3248	wwywlwj.exe	122
PID 3248 wrote to memory of 244	3248	wwywlwj.exe	122
PID 3248 wrote to memory of 244	3248	wwywlwj.exe	122
PID 3248 wrote to memory of 2120	3248	wwywlwj.exe	123

C:\Users\Admin\AppData\Local\Temp\1735ef391c40c29bad38520b706df86e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1735ef391c40c29bad38520b706df86e_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3592
- C:\Windows\SysWOW64\wcbdud.exe
  "C:\Windows\system32\wcbdud.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2444
- - C:\Windows\SysWOW64\wqxhqrh.exe
    "C:\Windows\system32\wqxhqrh.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:716
  - - C:\Windows\SysWOW64\wdhxo.exe
      "C:\Windows\system32\wdhxo.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2956
    - - C:\Windows\SysWOW64\whytme.exe
        
        "C:\Windows\system32\whytme.exe"
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3472
      - C:\Windows\SysWOW64\wnodgl.exe
        
        "C:\Windows\system32\wnodgl.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4732
        
        C:\Windows\SysWOW64\wjxgoou.exe
        
        "C:\Windows\system32\wjxgoou.exe"
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:728
        
        C:\Windows\SysWOW64\wckjvs.exe
        
        "C:\Windows\system32\wckjvs.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3332
        
        C:\Windows\SysWOW64\wmcxjnu.exe
        
        "C:\Windows\system32\wmcxjnu.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2096
        
        C:\Windows\SysWOW64\wsdq.exe
        
        "C:\Windows\system32\wsdq.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2052
        
        C:\Windows\SysWOW64\wwywlwj.exe
        
        "C:\Windows\system32\wwywlwj.exe"
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3248
        
        C:\Windows\SysWOW64\wnmltl.exe
        
        "C:\Windows\system32\wnmltl.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:244
        
        C:\Windows\SysWOW64\wkjfe.exe
        
        "C:\Windows\system32\wkjfe.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1948
        
        C:\Windows\SysWOW64\wijttalw.exe
        
        "C:\Windows\system32\wijttalw.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3372
        
        C:\Windows\SysWOW64\wdxhtfwxc.exe
        
        "C:\Windows\system32\wdxhtfwxc.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5112
        
        C:\Windows\SysWOW64\wtpc.exe
        
        "C:\Windows\system32\wtpc.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3100
        
        C:\Windows\SysWOW64\wje.exe
        
        "C:\Windows\system32\wje.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2892
        
        C:\Windows\SysWOW64\wdre.exe
        
        "C:\Windows\system32\wdre.exe"
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2716
        
        C:\Windows\SysWOW64\wplcf.exe
        
        "C:\Windows\system32\wplcf.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4592
        
        C:\Windows\SysWOW64\wfni.exe
        
        "C:\Windows\system32\wfni.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4472
        
        C:\Windows\SysWOW64\wiamrgi.exe
        
        "C:\Windows\system32\wiamrgi.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3236
        
        C:\Windows\SysWOW64\wfvkwiek.exe
        
        "C:\Windows\system32\wfvkwiek.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:716
        
        C:\Windows\SysWOW64\wqnibd.exe
        
        "C:\Windows\system32\wqnibd.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2792
        
        C:\Windows\SysWOW64\wvobdl.exe
        
        "C:\Windows\system32\wvobdl.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4252
        
        C:\Windows\SysWOW64\wldd.exe
        
        "C:\Windows\system32\wldd.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3952
        
        C:\Windows\SysWOW64\wjrlx.exe
        
        "C:\Windows\system32\wjrlx.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5004
        
        C:\Windows\SysWOW64\wusbqbk.exe
        
        "C:\Windows\system32\wusbqbk.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5096
        
        C:\Windows\SysWOW64\wysuqk.exe
        
        "C:\Windows\system32\wysuqk.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1656
        
        C:\Windows\SysWOW64\wxhc.exe
        
        "C:\Windows\system32\wxhc.exe"
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2444
        
        C:\Windows\SysWOW64\wwiat.exe
        
        "C:\Windows\system32\wwiat.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4516
        
        C:\Windows\SysWOW64\wmwod.exe
        
        "C:\Windows\system32\wmwod.exe"
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3956
        
        C:\Windows\SysWOW64\wsbnrypk.exe
        
        "C:\Windows\system32\wsbnrypk.exe"
        32⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4276
        
        C:\Windows\SysWOW64\wpwmv.exe
        
        "C:\Windows\system32\wpwmv.exe"
        33⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1688
        
        C:\Windows\SysWOW64\wsqrs.exe
        
        "C:\Windows\system32\wsqrs.exe"
        34⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1956
        
        C:\Windows\SysWOW64\woawa.exe
        
        "C:\Windows\system32\woawa.exe"
        35⤵
        Executes dropped EXE
        
        PID:4824
        
        C:\Windows\SysWOW64\wtqf.exe
        
        "C:\Windows\system32\wtqf.exe"
        36⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4840
        
        C:\Windows\SysWOW64\wvvhpni.exe
        
        "C:\Windows\system32\wvvhpni.exe"
        37⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2936
        
        C:\Windows\SysWOW64\wfihoojf.exe
        
        "C:\Windows\system32\wfihoojf.exe"
        38⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3964
        
        C:\Windows\SysWOW64\wqwlaomrn.exe
        
        "C:\Windows\system32\wqwlaomrn.exe"
        39⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1608
        
        C:\Windows\SysWOW64\wtuapcqlv.exe
        
        "C:\Windows\system32\wtuapcqlv.exe"
        40⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2104
        
        C:\Windows\SysWOW64\wiumyui.exe
        
        "C:\Windows\system32\wiumyui.exe"
        41⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:216
        
        C:\Windows\SysWOW64\wnblndxmt.exe
        
        "C:\Windows\system32\wnblndxmt.exe"
        42⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2688
        
        C:\Windows\SysWOW64\waetyys.exe
        
        "C:\Windows\system32\waetyys.exe"
        43⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2916
        
        C:\Windows\SysWOW64\wpsijlb.exe
        
        "C:\Windows\system32\wpsijlb.exe"
        44⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3316
        
        C:\Windows\SysWOW64\wwptpsko.exe
        
        "C:\Windows\system32\wwptpsko.exe"
        45⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1076
        
        C:\Windows\SysWOW64\whjrvmthj.exe
        
        "C:\Windows\system32\whjrvmthj.exe"
        46⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:460
        
        C:\Windows\SysWOW64\wlfglbxb.exe
        
        "C:\Windows\system32\wlfglbxb.exe"
        47⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4132
        
        C:\Windows\SysWOW64\wrkfxio.exe
        
        "C:\Windows\system32\wrkfxio.exe"
        48⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3132
        
        C:\Windows\SysWOW64\wsgbu.exe
        
        "C:\Windows\system32\wsgbu.exe"
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2200
        
        C:\Windows\SysWOW64\wxuio.exe
        
        "C:\Windows\system32\wxuio.exe"
        50⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1008
        
        C:\Windows\SysWOW64\wic.exe
        
        "C:\Windows\system32\wic.exe"
        51⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3312
        
        C:\Windows\SysWOW64\wbditsgql.exe
        
        "C:\Windows\system32\wbditsgql.exe"
        52⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2528
        
        C:\Windows\SysWOW64\wisqocgpt.exe
        
        "C:\Windows\system32\wisqocgpt.exe"
        53⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3956
        
        C:\Windows\SysWOW64\wkfu.exe
        
        "C:\Windows\system32\wkfu.exe"
        54⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1860
        
        C:\Windows\SysWOW64\wyfhgh.exe
        
        "C:\Windows\system32\wyfhgh.exe"
        55⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3540
        
        C:\Windows\SysWOW64\wigwyigo.exe
        
        "C:\Windows\system32\wigwyigo.exe"
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4924
        
        C:\Windows\SysWOW64\wmsbiw.exe
        
        "C:\Windows\system32\wmsbiw.exe"
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5088
        
        C:\Windows\SysWOW64\wasm.exe
        
        "C:\Windows\system32\wasm.exe"
        58⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3604
        
        C:\Windows\SysWOW64\wfuf.exe
        
        "C:\Windows\system32\wfuf.exe"
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1944
        
        C:\Windows\SysWOW64\wegnkt.exe
        
        "C:\Windows\system32\wegnkt.exe"
        60⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3096
        
        C:\Windows\SysWOW64\wxjpfx.exe
        
        "C:\Windows\system32\wxjpfx.exe"
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2616
        
        C:\Windows\SysWOW64\wfocyd.exe
        
        "C:\Windows\system32\wfocyd.exe"
        62⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2688
        
        C:\Windows\SysWOW64\wvgwv.exe
        
        "C:\Windows\system32\wvgwv.exe"
        63⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3092
        
        C:\Windows\SysWOW64\wgr.exe
        
        "C:\Windows\system32\wgr.exe"
        64⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2896
        
        C:\Windows\SysWOW64\weefm.exe
        
        "C:\Windows\system32\weefm.exe"
        65⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3188
        
        C:\Windows\SysWOW64\wti.exe
        
        "C:\Windows\system32\wti.exe"
        66⤵
        Checks computer location settings
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4328
        
        C:\Windows\SysWOW64\wllpsnl.exe
        
        "C:\Windows\system32\wllpsnl.exe"
        67⤵
        Drops file in System32 directory
        
        PID:5008
        
        C:\Windows\SysWOW64\wweowiur.exe
        
        "C:\Windows\system32\wweowiur.exe"
        68⤵
        Checks computer location settings
        
        PID:736
        
        C:\Windows\SysWOW64\woo.exe
        
        "C:\Windows\system32\woo.exe"
        69⤵
        Checks computer location settings
        
        PID:692
        
        C:\Windows\SysWOW64\wruibh.exe
        
        "C:\Windows\system32\wruibh.exe"
        70⤵
        Drops file in System32 directory
        
        PID:3020
        
        C:\Windows\SysWOW64\wbfiyjn.exe
        
        "C:\Windows\system32\wbfiyjn.exe"
        71⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4476
        
        C:\Windows\SysWOW64\wdklvayum.exe
        
        "C:\Windows\system32\wdklvayum.exe"
        72⤵
        Checks computer location settings
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4276
        
        C:\Windows\SysWOW64\wwnlqd.exe
        
        "C:\Windows\system32\wwnlqd.exe"
        73⤵
        Checks computer location settings
        
        PID:940
        
        C:\Windows\SysWOW64\wlyhfwcm.exe
        
        "C:\Windows\system32\wlyhfwcm.exe"
        74⤵
        Checks computer location settings
        
        PID:4064
        
        C:\Windows\SysWOW64\wxmb.exe
        
        "C:\Windows\system32\wxmb.exe"
        75⤵
        System Location Discovery: System Language Discovery
        
        PID:1488
        
        C:\Windows\SysWOW64\wxoysg.exe
        
        "C:\Windows\system32\wxoysg.exe"
        76⤵
        Checks computer location settings
        
        PID:8
        
        C:\Windows\SysWOW64\wamoivun.exe
        
        "C:\Windows\system32\wamoivun.exe"
        77⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:3416
        
        C:\Windows\SysWOW64\wkmcbw.exe
        
        "C:\Windows\system32\wkmcbw.exe"
        78⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:1936
        
        C:\Windows\SysWOW64\wnyi.exe
        
        "C:\Windows\system32\wnyi.exe"
        79⤵
        Drops file in System32 directory
        
        PID:3236
        
        C:\Windows\SysWOW64\wgntk.exe
        
        "C:\Windows\system32\wgntk.exe"
        80⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:1528
        
        C:\Windows\SysWOW64\wie.exe
        
        "C:\Windows\system32\wie.exe"
        81⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:732
        
        C:\Windows\SysWOW64\wxhlpsl.exe
        
        "C:\Windows\system32\wxhlpsl.exe"
        82⤵
        
        PID:620
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wie.exe"
        82⤵
        System Location Discovery: System Language Discovery
        
        PID:3776
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgntk.exe"
        81⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnyi.exe"
        80⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkmcbw.exe"
        79⤵
        
        PID:3324
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 1396
        79⤵
        Program crash
        
        PID:3340
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wamoivun.exe"
        78⤵
        
        PID:624
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxoysg.exe"
        77⤵
        System Location Discovery: System Language Discovery
        
        PID:4532
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxmb.exe"
        76⤵
        System Location Discovery: System Language Discovery
        
        PID:3696
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlyhfwcm.exe"
        75⤵
        
        PID:3924
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwnlqd.exe"
        74⤵
        System Location Discovery: System Language Discovery
        
        PID:2124
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdklvayum.exe"
        73⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbfiyjn.exe"
        72⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wruibh.exe"
        71⤵
        System Location Discovery: System Language Discovery
        
        PID:3480
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woo.exe"
        70⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wweowiur.exe"
        69⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wllpsnl.exe"
        68⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5008 -s 1656
        68⤵
        Program crash
        
        PID:2768
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wti.exe"
        67⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\weefm.exe"
        66⤵
        
        PID:460
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3188 -s 1676
        66⤵
        Program crash
        
        PID:2384
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgr.exe"
        65⤵
        System Location Discovery: System Language Discovery
        
        PID:2236
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvgwv.exe"
        64⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfocyd.exe"
        63⤵
        
        PID:864
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxjpfx.exe"
        62⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wegnkt.exe"
        61⤵
        System Location Discovery: System Language Discovery
        
        PID:2636
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfuf.exe"
        60⤵
        System Location Discovery: System Language Discovery
        
        PID:208
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1944 -s 1588
        60⤵
        Program crash
        
        PID:3420
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wasm.exe"
        59⤵
        System Location Discovery: System Language Discovery
        
        PID:4420
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmsbiw.exe"
        58⤵
        System Location Discovery: System Language Discovery
        
        PID:3392
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wigwyigo.exe"
        57⤵
        System Location Discovery: System Language Discovery
        
        PID:2948
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4924 -s 116
        57⤵
        Program crash
        
        PID:3992
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4924 -s 1536
        57⤵
        Program crash
        
        PID:4392
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyfhgh.exe"
        56⤵
        System Location Discovery: System Language Discovery
        
        PID:3620
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkfu.exe"
        55⤵
        
        PID:512
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wisqocgpt.exe"
        54⤵
        
        PID:3404
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbditsgql.exe"
        53⤵
        System Location Discovery: System Language Discovery
        
        PID:5108
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wic.exe"
        52⤵
        System Location Discovery: System Language Discovery
        
        PID:4356
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxuio.exe"
        51⤵
        
        PID:524
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsgbu.exe"
        50⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrkfxio.exe"
        49⤵
        System Location Discovery: System Language Discovery
        
        PID:5096
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlfglbxb.exe"
        48⤵
        System Location Discovery: System Language Discovery
        
        PID:2192
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whjrvmthj.exe"
        47⤵
        System Location Discovery: System Language Discovery
        
        PID:3412
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwptpsko.exe"
        46⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpsijlb.exe"
        45⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\waetyys.exe"
        44⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2916 -s 1568
        44⤵
        Program crash
        
        PID:1260
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnblndxmt.exe"
        43⤵
        System Location Discovery: System Language Discovery
        
        PID:4748
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wiumyui.exe"
        42⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtuapcqlv.exe"
        41⤵
        System Location Discovery: System Language Discovery
        
        PID:4300
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqwlaomrn.exe"
        40⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfihoojf.exe"
        39⤵
        System Location Discovery: System Language Discovery
        
        PID:4420
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvvhpni.exe"
        38⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtqf.exe"
        37⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woawa.exe"
        36⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsqrs.exe"
        35⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpwmv.exe"
        34⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsbnrypk.exe"
        33⤵
        System Location Discovery: System Language Discovery
        
        PID:220
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4276 -s 116
        33⤵
        Program crash
        
        PID:4212
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmwod.exe"
        32⤵
        
        PID:3844
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwiat.exe"
        31⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxhc.exe"
        30⤵
        System Location Discovery: System Language Discovery
        
        PID:3064
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wysuqk.exe"
        29⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wusbqbk.exe"
        28⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjrlx.exe"
        27⤵
        System Location Discovery: System Language Discovery
        
        PID:1980
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wldd.exe"
        26⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvobdl.exe"
        25⤵
        System Location Discovery: System Language Discovery
        
        PID:1676
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4252 -s 1352
        25⤵
        Program crash
        
        PID:1584
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqnibd.exe"
        24⤵
        System Location Discovery: System Language Discovery
        
        PID:2344
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2792 -s 1560
        24⤵
        Program crash
        
        PID:3948
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfvkwiek.exe"
        23⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 716 -s 1336
        23⤵
        Program crash
        
        PID:824
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wiamrgi.exe"
        22⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfni.exe"
        21⤵
        
        PID:1016
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wplcf.exe"
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:3416
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdre.exe"
        19⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2716 -s 1340
        19⤵
        Program crash
        
        PID:4852
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wje.exe"
        18⤵
        
        PID:4144
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtpc.exe"
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:3580
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdxhtfwxc.exe"
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:4904
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wijttalw.exe"
        15⤵
        
        PID:3456
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3372 -s 116
        15⤵
        Program crash
        
        PID:1644
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3372 -s 1536
        15⤵
        Program crash
        
        PID:1820
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkjfe.exe"
        14⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnmltl.exe"
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:5012
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwywlwj.exe"
        12⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsdq.exe"
        11⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmcxjnu.exe"
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2196
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wckjvs.exe"
        9⤵
        
        PID:1376
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjxgoou.exe"
        8⤵
        
        PID:1076
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnodgl.exe"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3788
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whytme.exe"
        6⤵
        
        PID:2620
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdhxo.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1428
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2956 -s 1656
        5⤵
        Program crash
        
        PID:3020
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqxhqrh.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2428
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcbdud.exe"
    3⤵
    PID:1876
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2444 -s 1544
    3⤵
    - Program crash
    PID:3628
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\1735ef391c40c29bad38520b706df86e_JaffaCakes118.exe"
  2⤵
  PID:4992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2444 -ip 2444
1⤵
PID:1008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2956 -ip 2956
1⤵
PID:2492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3372 -ip 3372
1⤵
PID:2620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 3372 -ip 3372
1⤵
PID:552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2716 -ip 2716
1⤵
PID:5000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 716 -ip 716
1⤵
PID:3844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 2792 -ip 2792
1⤵
PID:1180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4252 -ip 4252
1⤵
PID:2116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4276 -ip 4276
1⤵
PID:3212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 2916 -ip 2916
1⤵
PID:3444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4924 -ip 4924
1⤵
PID:4824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 4924 -ip 4924
1⤵
PID:5004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1944 -ip 1944
1⤵
PID:1244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3188 -ip 3188
1⤵
PID:2396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 5008 -ip 5008
1⤵
PID:1936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1936 -ip 1936
1⤵
PID:2284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\WLXU5DI6\install[2].htm

Filesize
7KB

MD5
9463ba07743e8a9aca3b55373121b7c5

SHA1
4fdd121b2d2afd98881ab4cdb2d2a513ff5bb26f

SHA256
d5319a00eb7542e02c1e76cb20e2073c0411cd918e32094bc66f9147a0bfae6d

SHA512
6a1a97f37a5e607a3dc7f5fae343911a7f75d371a34ec27deb2971ee47388891f001d80959d37609d1c909af1674b4962da739e8a2cfce07e3d2ce6abf0c6ad7

Download Submit
C:\Windows\SysWOW64\wcbdud.exe

Filesize
262KB

MD5
cd00d9f15c7eb6ad595138595272e33e

SHA1
674ea3d532d6c10f8b955b79277dd9e656d3ff00

SHA256
c7470592ad329b3ddb80706191f02cfadaf85694c9a359ef863bb507de6e808d

SHA512
d0b9d9039ba7a26f72008d62ab3d49e3c8fdf78fbe68559a98e7681368ff964c680e1449044dcc7863767490aa7f5202396706ae528a41e4b8ae0374630aaf09

Download Submit
C:\Windows\SysWOW64\wckjvs.exe

Filesize
262KB

MD5
06b14c543cd2d335c733b64102fb8a2e

SHA1
ad5f4700f6d63415fb4568db7896772b8b594369

SHA256
d19be7c73d1150ae66bebbbe1e1646e20923bd2ce391a0fdb7f3eac82e9cf7b2

SHA512
0b88f960b6ff59ac12390ab3614cbd8be4e8da271b62cb109622a879b8452049ffe9128db99e6d16da6f58e1e72f71b094dc704f8c4853e5c2e986c6f9a68e14

Download Submit
C:\Windows\SysWOW64\wdhxo.exe

Filesize
262KB

MD5
9bcd34b5246dc04963685d241d458938

SHA1
53cdfad84840511311dda181e437b993c3758517

SHA256
70be00bd1c3e7288b104474b36e4943f5505436383d1e006de48c209ba0ba63f

SHA512
5336f0d453091df0a6a992b52eba771ca0f190a1687b2506a38436e50f6a269a15a6707f95e2c4e4d89047cabb3f7cfa7b9f624e60fba808e0267d795a3427e3

Download Submit
C:\Windows\SysWOW64\wdre.exe

Filesize
263KB

MD5
05bfd2d657ff8586f7cee0563936f9f3

SHA1
ae5bc7615b43dc9ccf622a27db8306ee9f5c7f55

SHA256
4310d8a59ed041c8f1869a82ce95229aec2e15a8a4644e6099558977211bf90e

SHA512
431cf09a55df66ed588f3f6c44bdc04108daf0ad4cc95404d553764c5c0b912b92e50256cf8c16a4409eda4f0ba7219c28a5c12827d8387ec6e00cf8c85dce32

Download Submit
C:\Windows\SysWOW64\wdxhtfwxc.exe

Filesize
263KB

MD5
5791b9be327e29743b61cb5ef4ddb934

SHA1
bd34e00867b4a6f22eef825737edefc8edd04a86

SHA256
e62fea8018576c957fe39d7e539d630ed38e0c831cd1f6343d3444ba7ceef2a2

SHA512
23a361d0135dde6d2acedc03e72ceb0b775b50d1764218c017b639cd7d394bb5a3cb9e5e525c3c58c8723e8ad912e4f24a972557a44b2e3081361978cd0b9a57

Download Submit
C:\Windows\SysWOW64\wfni.exe

Filesize
263KB

MD5
dabac5bf25da13f3671ed4c7c2fbfaf5

SHA1
2b050ba1cfffe8075f92eeb61069d334201cf1ea

SHA256
a6b7a87cd6ec4c45e05a75eedbaa9657ac06762ed4eaadd268dd02489c138087

SHA512
ddae5a5f3f9821d582982b203b72bfb1143a35ffe8c1dbbc2290c0f71ffbe9d7d349aebb7cf84798eb8a7800bc0a16b45a00796479fe1f6e304ecce8f6319f9b

Download Submit
C:\Windows\SysWOW64\wfvkwiek.exe

Filesize
263KB

MD5
fbafb9827a23e710602a8cde6b999366

SHA1
d62eec2bd71e368cc07775848927337aeca05e87

SHA256
1361ee9efa803ee3a37127b6c3c4df3092b0750ebc53ca074cffccae6179c547

SHA512
85279ac80e8ea64d2f62a3f609e581b10d87b793af2f5ad4ad6daf3a504b4e7b4b31eb528d1b0672f90dfb13cf0e31bb451529db5ba36b17529d5a890eeddaa4

Download Submit
C:\Windows\SysWOW64\whytme.exe

Filesize
262KB

MD5
2ef4dd7d6e8eb1822b300ede6362b04c

SHA1
deddd38046b3c5ac774f1845b48f9aad12fe3497

SHA256
e0e400a5822f76a278d766384d9408d6604b469f935ac097b38950c81f322808

SHA512
5c03249987c872a9b5cc32442a1083edcf24b0cc954cd827529c45b75d3567133a5879f163628b283dcb55c3dc779db50d39784aeecd13703f3ac1ae464447af

Download Submit
C:\Windows\SysWOW64\wiamrgi.exe

Filesize
263KB

MD5
1647ebaf4b2bfb48808277018fc36457

SHA1
171e2c803be1f5b87d10253d41f59ebde80aae17

SHA256
c8d470f947fd0e13653b824a310c873d292675ca9182e9fcecb50c5e1b789915

SHA512
812b15f9ce27d5ddd6291b506f9a8a018fd1cdcd046fb661f4ea54dd01dacd5e863d61f08b74a69175a0f700273bb73531d3274471490fa2feb755dff15cdcf6

Download Submit
C:\Windows\SysWOW64\wijttalw.exe

Filesize
263KB

MD5
f10e63f51d512000a2a1ff16875b226e

SHA1
4d4819d6c31958ac6ecf2fb2828d42aa73868014

SHA256
f228145cc0eef9e888102ba1f72270fefd583a1c29809995d219e19fc7e7e67f

SHA512
ea02ccb5debed7d934a9066ed2630fc1b810996ada5a72cc45c133056ea2e0e5fd9eca4f32b07bb52afe82285d6a02523bbc1c56481cfb91c136b8e9ad8d76c5

Download Submit
C:\Windows\SysWOW64\wje.exe

Filesize
263KB

MD5
de81536efaee6cc70da3bdc82706e8f8

SHA1
dbb08c2d899fc63d49a4c848936e095b27ed51d5

SHA256
04b887ecb64e9fc1f4d26afdf65d10d2a15d8cb9aabbd60ed4f85b6d73f61b9e

SHA512
6191736b2bd6028f7366393eee60ef632de5f0b67e480902b0a35014808159fb3e0bb1ae0329417090c4bd9c5e5a8b76af8f172bf40cfa7c7833802d25f17f03

Download Submit
C:\Windows\SysWOW64\wjrlx.exe

Filesize
263KB

MD5
22bc281054ffb41db8c996a740a5edb8

SHA1
af75777f206295b22b76fcfaf15d808d1b13b2d9

SHA256
33096a714466d95cab2d4192e80368b1639d3cb1ff083405e2a0fa4d7a2e4209

SHA512
77dc5b1c169d778f74e6eff7c53488e1a9821f0329eac9b3857292d48b51a2c730e5414f87651a88b8327a07285cc5f2db86d8c6d9ea74fffdc43d2a8e3732f1

Download Submit
C:\Windows\SysWOW64\wjxgoou.exe

Filesize
262KB

MD5
e0b74e3be4b50d47bd936b66faf21677

SHA1
290466b11d2d86105fbb4fd66b4cd157883f6d40

SHA256
11781c1e0c94b75bc4c2ca84f99530f7dbc82b9a773bb180ca826bfdbdeb63f8

SHA512
d32ee6324d95dad260f6fba12b6b5d007a76f0ca564cc5b0c6bd358e149fcf0a027af4e3093e97952b1e5bdccd6befa7818ad2010b51012da08109a94c473285

Download Submit
C:\Windows\SysWOW64\wkjfe.exe

Filesize
262KB

MD5
42df3fca3b3094d927ae56a29d4389b4

SHA1
f17b5836cd00aae59a7263d39dc4bdb9a094aa27

SHA256
242fc250aaed400932cb175766b34bb3020a9a8bcd71c85e02b5085575d5e151

SHA512
c65d53ed5bab91db73343d83b68f34307499400b945d011c1f5cc67a9a7d148a255116feffc91b63cdb301eff5ebc3387b6913024b3eb77ed6fc8173fd156148

Download Submit
C:\Windows\SysWOW64\wldd.exe

Filesize
263KB

MD5
d834d8f8a52c48a5c562189c5f049921

SHA1
3803a9b008cdd2cc9e3babcd411cc2bff4374778

SHA256
cfa7e39997fa1ef905e2e3de11263f518df6194d3757675e5183e28e8a09dfe3

SHA512
26741062896ef54d335a863391bef59e91915ca5517a0126bf92c4d77cfc1fd15c2da225a1b9f0e401ff2f0ddebe5d58822ccad369153c9796e95a7e21ce92e5

Download Submit
C:\Windows\SysWOW64\wmcxjnu.exe

Filesize
262KB

MD5
6f3c4857f1d061a871ce81ba1bb1b727

SHA1
37e8c90edf58bc57fdd7b0ed440649fe55f6d039

SHA256
ac7b999b6b307f02276eef295221c296622558812fd22162f06ec85d0ee0f1b3

SHA512
8330e27f89caeb0a2429a9bc684b382f88a2f72da798b58804084711ffac2991036b3f9440979393163006c1b0d7e57618847197bc186bf817d5ed167ba49c6a

Download Submit
C:\Windows\SysWOW64\wmwod.exe

Filesize
263KB

MD5
612dd3741a6641d776b065b6338093a3

SHA1
7680f8dee938d5d1264dda5b2aac95baacf0f960

SHA256
33efac4ec06e741166fb208cd8d260b47a7c685830c90de32dedcf0d05ca4c56

SHA512
1e00a6fbf0f991bff6b33508968eb4adeee5770388f05229db1cac125a53daf3199eb66c31e54917b0985301158420c1a98779ae9f6b53b9757192ebc8751f86

Download Submit
C:\Windows\SysWOW64\wnmltl.exe

Filesize
262KB

MD5
ba90e18b3c3249e939a01ce00f0d2820

SHA1
035eaeec31d8ecbbde4e132b703b30e91892a2e8

SHA256
0f5e2d0a0d781f93b5c3ae5dcfbaf4a7f0a96fd8fe7b2e3cddbd7ec2539cf3e0

SHA512
e0f152faad805f2b17b21109c93aab24f45d9c3b7da0e70fe9e94b8832941dafc8f9274784c3b5ee4c31ed5fa47f685f622caec5e2333a9d05dc2b892e220c65

Download Submit
C:\Windows\SysWOW64\wnodgl.exe

Filesize
262KB

MD5
fbf39e70b535873b34b0fd7fcf890076

SHA1
10b7ed8f7c0eeb888ccecb8ce037e6cca38feafa

SHA256
16f222eee7302a04f3c9978123ecae41294a0c445a8b52b9f1bdefd906300523

SHA512
5a1e758e3fa2917295c7c29fc48e46a8c1eba0ce14e5876040a5acc7152851f44d765faad0535f465a22c4f481782b3bdac3151c3e6cf76164df90ebaf6d1ea5

Download Submit
C:\Windows\SysWOW64\wplcf.exe

Filesize
263KB

MD5
1fb041a9d8e5035e4e624cda992180a8

SHA1
e2a491b4e617b36270ea216405c07ce11ab95a8d

SHA256
e7952dc4c35efd035979a5087c7b179509a5ec528b1092c123d3776999eccf67

SHA512
8178282dd97f66f97c813a2f802ed2a249df6aa01fe01c819ca16d315ddb885e87356fb8d1d2a053e528c3309a248577db73f71388bf78776eb92ed5b9746822

Download Submit
C:\Windows\SysWOW64\wpwmv.exe

Filesize
263KB

MD5
aebc978a2438cd742cd71264fa87ce97

SHA1
44822fdea13ed86cbc558de5956920e288a2d39f

SHA256
d5a9ddc41ba2eb2521ea1617f8691400e45654d819e556b05bdb7827b65a96ee

SHA512
3931b742a02ffdba0409c7cde7cec0c1fb42a28b18053ada2d7bf11d18f73afe3ebc4c2a45e2f9f525eae86284669b9d267b63fb78bc3f7d5283609a0a5f57d6

Download Submit
C:\Windows\SysWOW64\wqnibd.exe

Filesize
263KB

MD5
ebeaac15314d5d8b0747c404b8fda06a

SHA1
e641907f00478b147ee4fa9d70c9953ef2e2f2cf

SHA256
92ad59c173a3b867d59bb40ca9d9a60ae91ba826b6e967294dc02dd6328d9249

SHA512
e0feeb8e9e52da9e45cc544f4dec7cb8ad797bf8c42c44587f192be167c77aedbbeb6b566c65eaaf2e8dc83a8610e0ac19bf7ad7968a1e1f3955933faae14918

Download Submit
C:\Windows\SysWOW64\wqxhqrh.exe

Filesize
262KB

MD5
18f06f0ee05421b825541a84b548b4a3

SHA1
6c34cf3940da41244d461a3106db23cbcad6ccc2

SHA256
a46a344edb520945047c5e4c333964f9f30dec24b7f10c8fa5ddd516c0226013

SHA512
be6a0ea908e34667daba85554e8b86984cdf4090a116d6253cbf8065589971356ec8f78ae04959230e1a0e22b23396ed55f2fd94a80ca32cd55ac025b0cb4e5d

Download Submit
C:\Windows\SysWOW64\wsbnrypk.exe

Filesize
263KB

MD5
fc09404ee61f027eb9d5c56a4313341f

SHA1
c7dba9958e34f8bd821b0021e38676e097c9df5f

SHA256
975feaa9d46087b01fed7b418b28fef67f4c92ddee1d542bf9448650b4334d17

SHA512
034f9cd70bb82c72079ed57a7bc93f3feb0a0be79b7fe83e479bd6ee638f2c19cfb40b56ddcc932523fdb9f7dd3adab0b18611d90d056afc9a20d4fa8c5e5928

Download Submit
C:\Windows\SysWOW64\wsdq.exe

Filesize
262KB

MD5
ccfb157198b23c20ccca1ae1fd603ce8

SHA1
7899eb81fad813302ea66a93bd822d5cee201c41

SHA256
6d3bd034bb6ee2afaa9d7f5bc05b4c8ad7d5d9e288bb1e7d5d05320db37e43d1

SHA512
38255081728c1d8eadef5607b9c40394f6c58a588b3a079dfa01845faf973f4728e2843be5b18d8695f501dd2c63b49647b03fac73e549392438245e9efdcc40

Download Submit
C:\Windows\SysWOW64\wtpc.exe

Filesize
263KB

MD5
8f59f9535bba1198f62bd16f8641ad56

SHA1
696fccf0b89407d88e68fe4d50d637e7f3cab657

SHA256
9cafe9ff53e095531d91e546b0b2224ea2abf9cd5baf44f8403b5492d200d2a4

SHA512
85ab1cec8357ebacc894ca0c03dcc7a14873fe5beb3ce7b3bb1d040393d117c594acc08fa492507b038b63224b5fefb4b6b5f6bbf76b6b63e29e6c375ce61932

Download Submit
C:\Windows\SysWOW64\wusbqbk.exe

Filesize
263KB

MD5
d93037c148b51b24868133f1d0888897

SHA1
1ec3fbc5cceafd56b33ce18014e19178fb56c718

SHA256
b2cbd1761df3fadbc53a36208e162c0dace1da88af0186e538941db3f933b66e

SHA512
e9f39723c7bea892a1752145158819a62efa945a1c041b8ba99f063fe1b2f246469022cd41064c2316f4f1b41447d51c8be6a963e613c78ec4432272087f3a30

Download Submit
C:\Windows\SysWOW64\wvobdl.exe

Filesize
263KB

MD5
bfbf8fab35b1c0ecf3a239a4b855b45a

SHA1
46dbba78ad5cae390017dea9f22a4fa7f43dddf9

SHA256
f9750cb1e994c2fa83f03cc76e7c96e396abc606937d34e4eb909837ef17c296

SHA512
d862816a56d7d3ac7757d037d63b79ec40a63c64f6729ef74162aeb90f9ec4362869c839d5995e6ba713b504d5ae0850d9b1364ffa728b35dbbee3f9d2a0d229

Download Submit
C:\Windows\SysWOW64\wwiat.exe

Filesize
263KB

MD5
07e719af9ddb1199ead1ba8dd064eea1

SHA1
1f753c56a57491cb5f6162be02fc5594029998ae

SHA256
d608e74dc3942e41ee1bf4f2a0e0dbb2095f270257cec560349f57373c7d00d5

SHA512
0c56ba761b016fe6c1a3d5d99cc4562bd70d65a60196a8765ed04afe6d6151dd469cffcaebf9214e835456bf89cc967413e211bedc2c8beb9f395539c7ce0fd1

Download Submit
C:\Windows\SysWOW64\wwywlwj.exe

Filesize
262KB

MD5
f69745a1d8d07220a580ceb2f8613aa8

SHA1
813450e4472a8a8086138f52af773ddec2090694

SHA256
aa71ba51f98d44264fb053df82c71da8b5fcda298b044a84b7d90f922bd9c410

SHA512
a299ada719b4e3535497f499f2958d0be9382cb707babb23919580dc68b2ac4fae7161868ee44258351e6e38e99d4cb02e786d847618a7d8d398584325c19c08

Download Submit
C:\Windows\SysWOW64\wxhc.exe

Filesize
263KB

MD5
28bacc8332560b1694d31ad39168b611

SHA1
925693214a36a8501dcd5ef10b642a240f7404c1

SHA256
505c992e8510579625099981a13a21f96eb1e8d6aea1ec76606db7740c337263

SHA512
ab374787cb361ffd5b664633e631100300ded98b3a2b0118b2bd3c9ee83be69a1f3b2bb37fa75128d922f48c59551e376c8fd4a9fc021f707af9d1fc879d3044

Download Submit
C:\Windows\SysWOW64\wysuqk.exe

Filesize
263KB

MD5
317aaf94e41928f9b67cc9c04fdb13c1

SHA1
14dd9b726d6a741b5bf301d0d86c2d7bdc9a6ef2

SHA256
dfc99b5d783611c78c4842e769f3263466e8ad9ca9d870edf34e6e2bac887bec

SHA512
2dcc7958dd31a6c66f5068c82d3f0233485c12b1aa86ecd5d8cdd50db0c1f5682362c1ce541eb1641bc0029e1b3f5f88127269dcb30add8bca237bfccd583048

Download Submit
memory/8-712-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/216-414-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/244-127-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/244-125-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/460-458-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/692-652-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/716-31-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/716-235-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/728-73-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/732-756-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/736-644-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/940-686-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1008-491-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1076-450-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1488-704-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1528-747-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1608-397-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1656-298-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1688-348-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1860-524-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1936-730-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1948-138-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1956-356-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2052-105-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2096-94-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2104-405-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2200-483-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2444-309-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2444-21-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2528-508-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2616-584-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2688-592-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2688-423-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2716-193-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2792-245-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2892-182-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2896-610-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2916-432-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2936-380-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2956-41-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3020-660-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3092-601-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3096-575-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3100-171-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3132-474-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3188-619-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3236-225-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3236-738-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3248-115-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3312-499-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3316-441-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3332-83-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3372-149-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3416-721-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3472-51-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3540-533-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3592-1-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3592-0-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3592-11-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3604-558-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3952-266-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3956-516-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3956-329-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3964-389-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4064-695-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4132-466-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4252-256-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4276-677-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4276-340-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4328-628-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4472-214-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4476-669-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4516-319-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4592-204-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4732-52-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4732-63-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4824-364-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4840-372-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4924-541-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/5004-276-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/5008-636-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/5088-549-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/5096-287-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/5112-160-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download