88a6a4a7d032aa408de5f31093239c4955234af819322983673ba2c098d09318

Analysis

max time kernel
140s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13/10/2024, 08:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3ebb8c2a94a2ce51f752cd809fd3d697_JaffaCakes118.exe
Size

269KB
MD5

3ebb8c2a94a2ce51f752cd809fd3d697
SHA1

44f8da9685fa727dcd0546e3b75a86e06bc4a6ca
SHA256

88a6a4a7d032aa408de5f31093239c4955234af819322983673ba2c098d09318
SHA512

1130b6dfc6ea57692a16bef462308502c9369e9e7589eb7f8252b597088e81a3e6ba26cd9c28f469c623e7f6074146063223b9a28a035dc8c8844f6974cf6bbd
SSDEEP

3072:ZYUb5QoJ4g+Ri+Zj6Iz1ZdW4SrO7FSVpuJOJ:ZY7xh6SZI4z7FSVpuJg

Score

7^/10

defense_evasion discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2760	cmd.exe

Executes dropped EXE 64 IoCs

pid	Process
2704	wppetwy.exe
2092	wrcysm.exe
2512	wydh.exe
1808	wldt.exe
3068	wgkdc.exe
1820	wuy.exe
1656	wedhnj.exe
2084	wit.exe
1492	wqtkndmxd.exe
2344	wdvydydvs.exe
1528	wryhn.exe
1924	wyaymvl.exe
2464	wifw.exe
2600	wpf.exe
1628	wxuvo.exe
1264	wlvkgfh.exe
952	wckynp.exe
1668	wlmqmufnw.exe
2872	whgos.exe
1736	wtieit.exe
1716	wcx.exe
2952	wcvd.exe
1000	wyjnys.exe
1804	wuiidu.exe
956	waytehf.exe
544	whyle.exe
2064	woptwru.exe
2776	wtu.exe
1532	wwlf.exe
1940	wolqa.exe
2352	wromir.exe
2128	wfxbcwvp.exe
1200	wvivp.exe
1092	wfntco.exe
848	wbcea.exe
2536	wwtwtuvy.exe
2168	wsg.exe
2224	wxlryriu.exe
792	wcqssevm.exe
1596	wlwdcysg.exe
2396	wunlueu.exe
1368	wlcydngjd.exe
2680	wfeedw.exe
2504	wwhxsuod.exe
2920	wsvjsvc.exe
2720	wxlutjbh.exe
2724	wuafsk.exe
1520	wtqtdf.exe
648	wcsmdlvg.exe
1040	wcestenqr.exe
2036	wdckpw.exe
2544	wuqyxgcb.exe
2492	wjcju.exe
2876	wtqus.exe
2168	wldjyav.exe
1752	wuhwsao.exe
2692	wvxldu.exe
1272	wrmvc.exe
2472	wybetba.exe
600	wbhauom.exe
2280	winwwoip.exe
2308	wvnkolan.exe
3004	waxerpwqj.exe
2648	wwwaxqvbv.exe

Loads dropped DLL 64 IoCs

pid	Process
2168	3ebb8c2a94a2ce51f752cd809fd3d697_JaffaCakes118.exe
2168	3ebb8c2a94a2ce51f752cd809fd3d697_JaffaCakes118.exe
2168	3ebb8c2a94a2ce51f752cd809fd3d697_JaffaCakes118.exe
2168	3ebb8c2a94a2ce51f752cd809fd3d697_JaffaCakes118.exe
2704	wppetwy.exe
2704	wppetwy.exe
2704	wppetwy.exe
2704	wppetwy.exe
2092	wrcysm.exe
2092	wrcysm.exe
2092	wrcysm.exe
2092	wrcysm.exe
2512	wydh.exe
2512	wydh.exe
2512	wydh.exe
2512	wydh.exe
1808	wldt.exe
1808	wldt.exe
1808	wldt.exe
1808	wldt.exe
3068	wgkdc.exe
3068	wgkdc.exe
3068	wgkdc.exe
3068	wgkdc.exe
1820	wuy.exe
1820	wuy.exe
1820	wuy.exe
1820	wuy.exe
1656	wedhnj.exe
1656	wedhnj.exe
1656	wedhnj.exe
1656	wedhnj.exe
2084	wit.exe
2084	wit.exe
2084	wit.exe
2084	wit.exe
1492	wqtkndmxd.exe
1492	wqtkndmxd.exe
1492	wqtkndmxd.exe
1492	wqtkndmxd.exe
2344	wdvydydvs.exe
2344	wdvydydvs.exe
2344	wdvydydvs.exe
2344	wdvydydvs.exe
2652	WerFault.exe
2652	WerFault.exe
2652	WerFault.exe
1528	wryhn.exe
1528	wryhn.exe
1528	wryhn.exe
1528	wryhn.exe
1924	wyaymvl.exe
1924	wyaymvl.exe
1924	wyaymvl.exe
1924	wyaymvl.exe
2464	wifw.exe
2464	wifw.exe
2464	wifw.exe
2464	wifw.exe
2600	wpf.exe
2600	wpf.exe
2600	wpf.exe
2600	wpf.exe
1628	wxuvo.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\wit.exe	wedhnj.exe
File opened for modification	C:\Windows\SysWOW64\whgos.exe	wlmqmufnw.exe
File created	C:\Windows\SysWOW64\wbhauom.exe	wybetba.exe
File opened for modification	C:\Windows\SysWOW64\wewcra.exe	wktmy.exe
File opened for modification	C:\Windows\SysWOW64\wsvjsvc.exe	wwhxsuod.exe
File opened for modification	C:\Windows\SysWOW64\wdckpw.exe	wcestenqr.exe
File opened for modification	C:\Windows\SysWOW64\wykkxy.exe	wxkrag.exe
File created	C:\Windows\SysWOW64\wvoxngdos.exe	wfhyarc.exe
File opened for modification	C:\Windows\SysWOW64\wxlutjbh.exe	wsvjsvc.exe
File created	C:\Windows\SysWOW64\waxerpwqj.exe	wvnkolan.exe
File opened for modification	C:\Windows\SysWOW64\wcestenqr.exe	wcsmdlvg.exe
File created	C:\Windows\SysWOW64\wdvcnsggj.exe	wmneacg.exe
File opened for modification	C:\Windows\SysWOW64\wchjfo.exe	wykkxy.exe
File opened for modification	C:\Windows\SysWOW64\wtieit.exe	whgos.exe
File created	C:\Windows\SysWOW64\wfntco.exe	wvivp.exe
File created	C:\Windows\SysWOW64\wlcydngjd.exe	wunlueu.exe
File created	C:\Windows\SysWOW64\wdvydydvs.exe	wqtkndmxd.exe
File opened for modification	C:\Windows\SysWOW64\wpf.exe	wifw.exe
File opened for modification	C:\Windows\SysWOW64\wgrdqi.exe	wnoyp.exe
File created	C:\Windows\SysWOW64\wvioajad.exe	wjtjq.exe
File created	C:\Windows\SysWOW64\wbcea.exe	wfntco.exe
File opened for modification	C:\Windows\SysWOW64\wfeedw.exe	wlcydngjd.exe
File opened for modification	C:\Windows\SysWOW64\wtqus.exe	wwblto.exe
File opened for modification	C:\Windows\SysWOW64\wmodmsdt.exe	wikbqgpd.exe
File opened for modification	C:\Windows\SysWOW64\wqqnu.exe	wewcra.exe
File opened for modification	C:\Windows\SysWOW64\wfjvp.exe	wqqnu.exe
File opened for modification	C:\Windows\SysWOW64\wckynp.exe	wlvkgfh.exe
File created	C:\Windows\SysWOW64\wtieit.exe	whgos.exe
File opened for modification	C:\Windows\SysWOW64\wtweoqy.exe	wqotbcj.exe
File created	C:\Windows\SysWOW64\whgos.exe	wlmqmufnw.exe
File opened for modification	C:\Windows\SysWOW64\wcx.exe	wtieit.exe
File created	C:\Windows\SysWOW64\wfeedw.exe	wlcydngjd.exe
File created	C:\Windows\SysWOW64\whnlmvq.exe	wfjsbf.exe
File opened for modification	C:\Windows\SysWOW64\wjhqbde.exe	wwaof.exe
File created	C:\Windows\SysWOW64\wqitsyr.exe	wbpl.exe
File created	C:\Windows\SysWOW64\wqtkndmxd.exe	wit.exe
File opened for modification	C:\Windows\SysWOW64\waytehf.exe	wuiidu.exe
File created	C:\Windows\SysWOW64\wpcgya.exe	wiela.exe
File created	C:\Windows\SysWOW64\wfjvp.exe	wqqnu.exe
File opened for modification	C:\Windows\SysWOW64\wydh.exe	wrcysm.exe
File created	C:\Windows\SysWOW64\wwwaxqvbv.exe	waxerpwqj.exe
File opened for modification	C:\Windows\SysWOW64\wnoyp.exe	wkneimc.exe
File created	C:\Windows\SysWOW64\wgrdqi.exe	wnoyp.exe
File created	C:\Windows\SysWOW64\wmodmsdt.exe	wikbqgpd.exe
File created	C:\Windows\SysWOW64\wktmy.exe	wyabwsp.exe
File created	C:\Windows\SysWOW64\waytehf.exe	wuiidu.exe
File created	C:\Windows\SysWOW64\wldjyav.exe	wtqus.exe
File created	C:\Windows\SysWOW64\wchjfo.exe	wykkxy.exe
File opened for modification	C:\Windows\SysWOW64\wiela.exe	wxbnque.exe
File created	C:\Windows\SysWOW64\wuy.exe	wgkdc.exe
File opened for modification	C:\Windows\SysWOW64\wdvcnsggj.exe	wmneacg.exe
File created	C:\Windows\SysWOW64\wfdy.exe	wnokhrl.exe
File created	C:\Windows\SysWOW64\wryahd.exe	wmodmsdt.exe
File created	C:\Windows\SysWOW64\wqqnu.exe	wewcra.exe
File opened for modification	C:\Windows\SysWOW64\waxerpwqj.exe	wvnkolan.exe
File opened for modification	C:\Windows\SysWOW64\wfjsbf.exe	wgrdqi.exe
File opened for modification	C:\Windows\SysWOW64\wuiidu.exe	wyjnys.exe
File created	C:\Windows\SysWOW64\wdckpw.exe	wcestenqr.exe
File opened for modification	C:\Windows\SysWOW64\wfxbcwvp.exe	wromir.exe
File opened for modification	C:\Windows\SysWOW64\wjtjq.exe	wfdy.exe
File created	C:\Windows\SysWOW64\wfyvh.exe	wnjiyot.exe
File created	C:\Windows\SysWOW64\wtcvue.exe	whijqfkd.exe
File created	C:\Windows\SysWOW64\woirnuavb.exe	wfjvp.exe
File opened for modification	C:\Windows\SysWOW64\wppetwy.exe	3ebb8c2a94a2ce51f752cd809fd3d697_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 7 IoCs

pid	pid_target	Process	procid_target
2652	2344	WerFault.exe	58
1816	2536	WerFault.exe	138
1780	1596	WerFault.exe	152
2324	2280	WerFault.exe	220
1608	1264	WerFault.exe	248
2988	952	WerFault.exe	345
2316	2140	WerFault.exe	376

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wjcju.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wkmrwrjk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wppetwy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wavm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wlvkgfh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wvivp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wvxldu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wlwdcysg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wfccmpd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wolqa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wywnsyl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnjiyot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wktmy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wybetba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wtqus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcsmdlvg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiela.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wxuvo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wykkxy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wtcvue.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wsvjsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wuhwsao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wuiidu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wbfkndc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wrvopn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmodmsdt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wajtjrd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wkqmjhk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wgkdc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcvd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wfdy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wjhqbde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1596	wlwdcysg.exe
952	wqotbcj.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2168 wrote to memory of 2704	2168	3ebb8c2a94a2ce51f752cd809fd3d697_JaffaCakes118.exe	31
PID 2168 wrote to memory of 2704	2168	3ebb8c2a94a2ce51f752cd809fd3d697_JaffaCakes118.exe	31
PID 2168 wrote to memory of 2704	2168	3ebb8c2a94a2ce51f752cd809fd3d697_JaffaCakes118.exe	31
PID 2168 wrote to memory of 2704	2168	3ebb8c2a94a2ce51f752cd809fd3d697_JaffaCakes118.exe	31
PID 2168 wrote to memory of 2760	2168	3ebb8c2a94a2ce51f752cd809fd3d697_JaffaCakes118.exe	32
PID 2168 wrote to memory of 2760	2168	3ebb8c2a94a2ce51f752cd809fd3d697_JaffaCakes118.exe	32
PID 2168 wrote to memory of 2760	2168	3ebb8c2a94a2ce51f752cd809fd3d697_JaffaCakes118.exe	32
PID 2168 wrote to memory of 2760	2168	3ebb8c2a94a2ce51f752cd809fd3d697_JaffaCakes118.exe	32
PID 2704 wrote to memory of 2092	2704	wppetwy.exe	34
PID 2704 wrote to memory of 2092	2704	wppetwy.exe	34
PID 2704 wrote to memory of 2092	2704	wppetwy.exe	34
PID 2704 wrote to memory of 2092	2704	wppetwy.exe	34
PID 2704 wrote to memory of 2784	2704	wppetwy.exe	35
PID 2704 wrote to memory of 2784	2704	wppetwy.exe	35
PID 2704 wrote to memory of 2784	2704	wppetwy.exe	35
PID 2704 wrote to memory of 2784	2704	wppetwy.exe	35
PID 2092 wrote to memory of 2512	2092	wrcysm.exe	37
PID 2092 wrote to memory of 2512	2092	wrcysm.exe	37
PID 2092 wrote to memory of 2512	2092	wrcysm.exe	37
PID 2092 wrote to memory of 2512	2092	wrcysm.exe	37
PID 2092 wrote to memory of 2352	2092	wrcysm.exe	38
PID 2092 wrote to memory of 2352	2092	wrcysm.exe	38
PID 2092 wrote to memory of 2352	2092	wrcysm.exe	38
PID 2092 wrote to memory of 2352	2092	wrcysm.exe	38
PID 2512 wrote to memory of 1808	2512	wydh.exe	40
PID 2512 wrote to memory of 1808	2512	wydh.exe	40
PID 2512 wrote to memory of 1808	2512	wydh.exe	40
PID 2512 wrote to memory of 1808	2512	wydh.exe	40
PID 2512 wrote to memory of 620	2512	wydh.exe	41
PID 2512 wrote to memory of 620	2512	wydh.exe	41
PID 2512 wrote to memory of 620	2512	wydh.exe	41
PID 2512 wrote to memory of 620	2512	wydh.exe	41
PID 1808 wrote to memory of 3068	1808	wldt.exe	43
PID 1808 wrote to memory of 3068	1808	wldt.exe	43
PID 1808 wrote to memory of 3068	1808	wldt.exe	43
PID 1808 wrote to memory of 3068	1808	wldt.exe	43
PID 1808 wrote to memory of 1648	1808	wldt.exe	44
PID 1808 wrote to memory of 1648	1808	wldt.exe	44
PID 1808 wrote to memory of 1648	1808	wldt.exe	44
PID 1808 wrote to memory of 1648	1808	wldt.exe	44
PID 3068 wrote to memory of 1820	3068	wgkdc.exe	46
PID 3068 wrote to memory of 1820	3068	wgkdc.exe	46
PID 3068 wrote to memory of 1820	3068	wgkdc.exe	46
PID 3068 wrote to memory of 1820	3068	wgkdc.exe	46
PID 3068 wrote to memory of 2584	3068	wgkdc.exe	47
PID 3068 wrote to memory of 2584	3068	wgkdc.exe	47
PID 3068 wrote to memory of 2584	3068	wgkdc.exe	47
PID 3068 wrote to memory of 2584	3068	wgkdc.exe	47
PID 1820 wrote to memory of 1656	1820	wuy.exe	49
PID 1820 wrote to memory of 1656	1820	wuy.exe	49
PID 1820 wrote to memory of 1656	1820	wuy.exe	49
PID 1820 wrote to memory of 1656	1820	wuy.exe	49
PID 1820 wrote to memory of 580	1820	wuy.exe	50
PID 1820 wrote to memory of 580	1820	wuy.exe	50
PID 1820 wrote to memory of 580	1820	wuy.exe	50
PID 1820 wrote to memory of 580	1820	wuy.exe	50
PID 1656 wrote to memory of 2084	1656	wedhnj.exe	52
PID 1656 wrote to memory of 2084	1656	wedhnj.exe	52
PID 1656 wrote to memory of 2084	1656	wedhnj.exe	52
PID 1656 wrote to memory of 2084	1656	wedhnj.exe	52
PID 1656 wrote to memory of 264	1656	wedhnj.exe	53
PID 1656 wrote to memory of 264	1656	wedhnj.exe	53
PID 1656 wrote to memory of 264	1656	wedhnj.exe	53
PID 1656 wrote to memory of 264	1656	wedhnj.exe	53

C:\Users\Admin\AppData\Local\Temp\3ebb8c2a94a2ce51f752cd809fd3d697_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3ebb8c2a94a2ce51f752cd809fd3d697_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2168
- C:\Windows\SysWOW64\wppetwy.exe
  "C:\Windows\system32\wppetwy.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Windows\SysWOW64\wrcysm.exe
    "C:\Windows\system32\wrcysm.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2092
  - - C:\Windows\SysWOW64\wydh.exe
      "C:\Windows\system32\wydh.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2512
    - - C:\Windows\SysWOW64\wldt.exe
        
        "C:\Windows\system32\wldt.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1808
      - C:\Windows\SysWOW64\wgkdc.exe
        
        "C:\Windows\system32\wgkdc.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3068
        
        C:\Windows\SysWOW64\wuy.exe
        
        "C:\Windows\system32\wuy.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1820
        
        C:\Windows\SysWOW64\wedhnj.exe
        
        "C:\Windows\system32\wedhnj.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1656
        
        C:\Windows\SysWOW64\wit.exe
        
        "C:\Windows\system32\wit.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2084
        
        C:\Windows\SysWOW64\wqtkndmxd.exe
        
        "C:\Windows\system32\wqtkndmxd.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1492
        
        C:\Windows\SysWOW64\wdvydydvs.exe
        
        "C:\Windows\system32\wdvydydvs.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2344
        
        C:\Windows\SysWOW64\wryhn.exe
        
        "C:\Windows\system32\wryhn.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1528
        
        C:\Windows\SysWOW64\wyaymvl.exe
        
        "C:\Windows\system32\wyaymvl.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1924
        
        C:\Windows\SysWOW64\wifw.exe
        
        "C:\Windows\system32\wifw.exe"
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2464
        
        C:\Windows\SysWOW64\wpf.exe
        
        "C:\Windows\system32\wpf.exe"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2600
        
        C:\Windows\SysWOW64\wxuvo.exe
        
        "C:\Windows\system32\wxuvo.exe"
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1628
        
        C:\Windows\SysWOW64\wlvkgfh.exe
        
        "C:\Windows\system32\wlvkgfh.exe"
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1264
        
        C:\Windows\SysWOW64\wckynp.exe
        
        "C:\Windows\system32\wckynp.exe"
        18⤵
        Executes dropped EXE
        
        PID:952
        
        C:\Windows\SysWOW64\wlmqmufnw.exe
        
        "C:\Windows\system32\wlmqmufnw.exe"
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1668
        
        C:\Windows\SysWOW64\whgos.exe
        
        "C:\Windows\system32\whgos.exe"
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2872
        
        C:\Windows\SysWOW64\wtieit.exe
        
        "C:\Windows\system32\wtieit.exe"
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1736
        
        C:\Windows\SysWOW64\wcx.exe
        
        "C:\Windows\system32\wcx.exe"
        22⤵
        Executes dropped EXE
        
        PID:1716
        
        C:\Windows\SysWOW64\wcvd.exe
        
        "C:\Windows\system32\wcvd.exe"
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2952
        
        C:\Windows\SysWOW64\wyjnys.exe
        
        "C:\Windows\system32\wyjnys.exe"
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1000
        
        C:\Windows\SysWOW64\wuiidu.exe
        
        "C:\Windows\system32\wuiidu.exe"
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1804
        
        C:\Windows\SysWOW64\waytehf.exe
        
        "C:\Windows\system32\waytehf.exe"
        26⤵
        Executes dropped EXE
        
        PID:956
        
        C:\Windows\SysWOW64\whyle.exe
        
        "C:\Windows\system32\whyle.exe"
        27⤵
        Executes dropped EXE
        
        PID:544
        
        C:\Windows\SysWOW64\woptwru.exe
        
        "C:\Windows\system32\woptwru.exe"
        28⤵
        Executes dropped EXE
        
        PID:2064
        
        C:\Windows\SysWOW64\wtu.exe
        
        "C:\Windows\system32\wtu.exe"
        29⤵
        Executes dropped EXE
        
        PID:2776
        
        C:\Windows\SysWOW64\wwlf.exe
        
        "C:\Windows\system32\wwlf.exe"
        30⤵
        Executes dropped EXE
        
        PID:1532
        
        C:\Windows\SysWOW64\wolqa.exe
        
        "C:\Windows\system32\wolqa.exe"
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1940
        
        C:\Windows\SysWOW64\wromir.exe
        
        "C:\Windows\system32\wromir.exe"
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2352
        
        C:\Windows\SysWOW64\wfxbcwvp.exe
        
        "C:\Windows\system32\wfxbcwvp.exe"
        33⤵
        Executes dropped EXE
        
        PID:2128
        
        C:\Windows\SysWOW64\wvivp.exe
        
        "C:\Windows\system32\wvivp.exe"
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1200
        
        C:\Windows\SysWOW64\wfntco.exe
        
        "C:\Windows\system32\wfntco.exe"
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1092
        
        C:\Windows\SysWOW64\wbcea.exe
        
        "C:\Windows\system32\wbcea.exe"
        36⤵
        Executes dropped EXE
        
        PID:848
        
        C:\Windows\SysWOW64\wwtwtuvy.exe
        
        "C:\Windows\system32\wwtwtuvy.exe"
        37⤵
        Executes dropped EXE
        
        PID:2536
        
        C:\Windows\SysWOW64\wsg.exe
        
        "C:\Windows\system32\wsg.exe"
        38⤵
        Executes dropped EXE
        
        PID:2168
        
        C:\Windows\SysWOW64\wxlryriu.exe
        
        "C:\Windows\system32\wxlryriu.exe"
        39⤵
        Executes dropped EXE
        
        PID:2224
        
        C:\Windows\SysWOW64\wcqssevm.exe
        
        "C:\Windows\system32\wcqssevm.exe"
        40⤵
        Executes dropped EXE
        
        PID:792
        
        C:\Windows\SysWOW64\wlwdcysg.exe
        
        "C:\Windows\system32\wlwdcysg.exe"
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of UnmapMainImage
        
        PID:1596
        
        C:\Windows\SysWOW64\wunlueu.exe
        
        "C:\Windows\system32\wunlueu.exe"
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2396
        
        C:\Windows\SysWOW64\wlcydngjd.exe
        
        "C:\Windows\system32\wlcydngjd.exe"
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1368
        
        C:\Windows\SysWOW64\wfeedw.exe
        
        "C:\Windows\system32\wfeedw.exe"
        44⤵
        Executes dropped EXE
        
        PID:2680
        
        C:\Windows\SysWOW64\wwhxsuod.exe
        
        "C:\Windows\system32\wwhxsuod.exe"
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2504
        
        C:\Windows\SysWOW64\wsvjsvc.exe
        
        "C:\Windows\system32\wsvjsvc.exe"
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2920
        
        C:\Windows\SysWOW64\wxlutjbh.exe
        
        "C:\Windows\system32\wxlutjbh.exe"
        47⤵
        Executes dropped EXE
        
        PID:2720
        
        C:\Windows\SysWOW64\wuafsk.exe
        
        "C:\Windows\system32\wuafsk.exe"
        48⤵
        Executes dropped EXE
        
        PID:2724
        
        C:\Windows\SysWOW64\wtqtdf.exe
        
        "C:\Windows\system32\wtqtdf.exe"
        49⤵
        Executes dropped EXE
        
        PID:1520
        
        C:\Windows\SysWOW64\wcsmdlvg.exe
        
        "C:\Windows\system32\wcsmdlvg.exe"
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:648
        
        C:\Windows\SysWOW64\wcestenqr.exe
        
        "C:\Windows\system32\wcestenqr.exe"
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1040
        
        C:\Windows\SysWOW64\wdckpw.exe
        
        "C:\Windows\system32\wdckpw.exe"
        52⤵
        Executes dropped EXE
        
        PID:2036
        
        C:\Windows\SysWOW64\wuqyxgcb.exe
        
        "C:\Windows\system32\wuqyxgcb.exe"
        53⤵
        Executes dropped EXE
        
        PID:2544
        
        C:\Windows\SysWOW64\wjcju.exe
        
        "C:\Windows\system32\wjcju.exe"
        54⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2492
        
        C:\Windows\SysWOW64\wwblto.exe
        
        "C:\Windows\system32\wwblto.exe"
        55⤵
        Drops file in System32 directory
        
        PID:2880
        
        C:\Windows\SysWOW64\wtqus.exe
        
        "C:\Windows\system32\wtqus.exe"
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2876
        
        C:\Windows\SysWOW64\wldjyav.exe
        
        "C:\Windows\system32\wldjyav.exe"
        57⤵
        Executes dropped EXE
        
        PID:2168
        
        C:\Windows\SysWOW64\wuhwsao.exe
        
        "C:\Windows\system32\wuhwsao.exe"
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1752
        
        C:\Windows\SysWOW64\wvxldu.exe
        
        "C:\Windows\system32\wvxldu.exe"
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2692
        
        C:\Windows\SysWOW64\wrmvc.exe
        
        "C:\Windows\system32\wrmvc.exe"
        60⤵
        Executes dropped EXE
        
        PID:1272
        
        C:\Windows\SysWOW64\wybetba.exe
        
        "C:\Windows\system32\wybetba.exe"
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2472
        
        C:\Windows\SysWOW64\wbhauom.exe
        
        "C:\Windows\system32\wbhauom.exe"
        62⤵
        Executes dropped EXE
        
        PID:600
        
        C:\Windows\SysWOW64\winwwoip.exe
        
        "C:\Windows\system32\winwwoip.exe"
        63⤵
        Executes dropped EXE
        
        PID:2280
        
        C:\Windows\SysWOW64\wvnkolan.exe
        
        "C:\Windows\system32\wvnkolan.exe"
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2308
        
        C:\Windows\SysWOW64\waxerpwqj.exe
        
        "C:\Windows\system32\waxerpwqj.exe"
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3004
        
        C:\Windows\SysWOW64\wwwaxqvbv.exe
        
        "C:\Windows\system32\wwwaxqvbv.exe"
        66⤵
        Executes dropped EXE
        
        PID:2648
        
        C:\Windows\SysWOW64\wkneimc.exe
        
        "C:\Windows\system32\wkneimc.exe"
        67⤵
        Drops file in System32 directory
        
        PID:2812
        
        C:\Windows\SysWOW64\wnoyp.exe
        
        "C:\Windows\system32\wnoyp.exe"
        68⤵
        Drops file in System32 directory
        
        PID:2272
        
        C:\Windows\SysWOW64\wgrdqi.exe
        
        "C:\Windows\system32\wgrdqi.exe"
        69⤵
        Drops file in System32 directory
        
        PID:2864
        
        C:\Windows\SysWOW64\wfjsbf.exe
        
        "C:\Windows\system32\wfjsbf.exe"
        70⤵
        Drops file in System32 directory
        
        PID:2356
        
        C:\Windows\SysWOW64\whnlmvq.exe
        
        "C:\Windows\system32\whnlmvq.exe"
        71⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\wudecnxv.exe
        
        "C:\Windows\system32\wudecnxv.exe"
        72⤵
        
        PID:1264
        
        C:\Windows\SysWOW64\wmfidxwop.exe
        
        "C:\Windows\system32\wmfidxwop.exe"
        73⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\wnokhrl.exe
        
        "C:\Windows\system32\wnokhrl.exe"
        74⤵
        Drops file in System32 directory
        
        PID:2156
        
        C:\Windows\SysWOW64\wfdy.exe
        
        "C:\Windows\system32\wfdy.exe"
        75⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2988
        
        C:\Windows\SysWOW64\wjtjq.exe
        
        "C:\Windows\system32\wjtjq.exe"
        76⤵
        Drops file in System32 directory
        
        PID:1160
        
        C:\Windows\SysWOW64\wvioajad.exe
        
        "C:\Windows\system32\wvioajad.exe"
        77⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\wikbqgpd.exe
        
        "C:\Windows\system32\wikbqgpd.exe"
        78⤵
        Drops file in System32 directory
        
        PID:2296
        
        C:\Windows\SysWOW64\wmodmsdt.exe
        
        "C:\Windows\system32\wmodmsdt.exe"
        79⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:488
        
        C:\Windows\SysWOW64\wryahd.exe
        
        "C:\Windows\system32\wryahd.exe"
        80⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\wdypw.exe
        
        "C:\Windows\system32\wdypw.exe"
        81⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\wvayeo.exe
        
        "C:\Windows\system32\wvayeo.exe"
        82⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\wywnsyl.exe
        
        "C:\Windows\system32\wywnsyl.exe"
        83⤵
        System Location Discovery: System Language Discovery
        
        PID:2684
        
        C:\Windows\SysWOW64\wajtjrd.exe
        
        "C:\Windows\system32\wajtjrd.exe"
        84⤵
        System Location Discovery: System Language Discovery
        
        PID:2100
        
        C:\Windows\SysWOW64\wnjiyot.exe
        
        "C:\Windows\system32\wnjiyot.exe"
        85⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2784
        
        C:\Windows\SysWOW64\wfyvh.exe
        
        "C:\Windows\system32\wfyvh.exe"
        86⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\wmneacg.exe
        
        "C:\Windows\system32\wmneacg.exe"
        87⤵
        Drops file in System32 directory
        
        PID:2840
        
        C:\Windows\SysWOW64\wdvcnsggj.exe
        
        "C:\Windows\system32\wdvcnsggj.exe"
        88⤵
        
        PID:580
        
        C:\Windows\SysWOW64\wvkqucq.exe
        
        "C:\Windows\system32\wvkqucq.exe"
        89⤵
        
        PID:596
        
        C:\Windows\SysWOW64\wmdyqrc.exe
        
        "C:\Windows\system32\wmdyqrc.exe"
        90⤵
        
        PID:1204
        
        C:\Windows\SysWOW64\whctut.exe
        
        "C:\Windows\system32\whctut.exe"
        91⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\wbfkndc.exe
        
        "C:\Windows\system32\wbfkndc.exe"
        92⤵
        System Location Discovery: System Language Discovery
        
        PID:2408
        
        C:\Windows\SysWOW64\wxkrag.exe
        
        "C:\Windows\system32\wxkrag.exe"
        93⤵
        Drops file in System32 directory
        
        PID:2912
        
        C:\Windows\SysWOW64\wykkxy.exe
        
        "C:\Windows\system32\wykkxy.exe"
        94⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2444
        
        C:\Windows\SysWOW64\wchjfo.exe
        
        "C:\Windows\system32\wchjfo.exe"
        95⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\wxbnque.exe
        
        "C:\Windows\system32\wxbnque.exe"
        96⤵
        Drops file in System32 directory
        
        PID:1160
        
        C:\Windows\SysWOW64\wiela.exe
        
        "C:\Windows\system32\wiela.exe"
        97⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2616
        
        C:\Windows\SysWOW64\wpcgya.exe
        
        "C:\Windows\system32\wpcgya.exe"
        98⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\wfhyarc.exe
        
        "C:\Windows\system32\wfhyarc.exe"
        99⤵
        Drops file in System32 directory
        
        PID:1232
        
        C:\Windows\SysWOW64\wvoxngdos.exe
        
        "C:\Windows\system32\wvoxngdos.exe"
        100⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\whijqfkd.exe
        
        "C:\Windows\system32\whijqfkd.exe"
        101⤵
        Drops file in System32 directory
        
        PID:2756
        
        C:\Windows\SysWOW64\wtcvue.exe
        
        "C:\Windows\system32\wtcvue.exe"
        102⤵
        System Location Discovery: System Language Discovery
        
        PID:1508
        
        C:\Windows\SysWOW64\wavm.exe
        
        "C:\Windows\system32\wavm.exe"
        103⤵
        System Location Discovery: System Language Discovery
        
        PID:2804
        
        C:\Windows\SysWOW64\wqotbcj.exe
        
        "C:\Windows\system32\wqotbcj.exe"
        104⤵
        Drops file in System32 directory
        Suspicious use of UnmapMainImage
        
        PID:952
        
        C:\Windows\SysWOW64\wtweoqy.exe
        
        "C:\Windows\system32\wtweoqy.exe"
        105⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\wkqmjhk.exe
        
        "C:\Windows\system32\wkqmjhk.exe"
        106⤵
        System Location Discovery: System Language Discovery
        
        PID:640
        
        C:\Windows\SysWOW64\wwaof.exe
        
        "C:\Windows\system32\wwaof.exe"
        107⤵
        Drops file in System32 directory
        
        PID:2860
        
        C:\Windows\SysWOW64\wjhqbde.exe
        
        "C:\Windows\system32\wjhqbde.exe"
        108⤵
        System Location Discovery: System Language Discovery
        
        PID:2152
        
        C:\Windows\SysWOW64\wyabwsp.exe
        
        "C:\Windows\system32\wyabwsp.exe"
        109⤵
        Drops file in System32 directory
        
        PID:2136
        
        C:\Windows\SysWOW64\wktmy.exe
        
        "C:\Windows\system32\wktmy.exe"
        110⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1104
        
        C:\Windows\SysWOW64\wewcra.exe
        
        "C:\Windows\system32\wewcra.exe"
        111⤵
        Drops file in System32 directory
        
        PID:1388
        
        C:\Windows\SysWOW64\wqqnu.exe
        
        "C:\Windows\system32\wqqnu.exe"
        112⤵
        Drops file in System32 directory
        
        PID:2884
        
        C:\Windows\SysWOW64\wfjvp.exe
        
        "C:\Windows\system32\wfjvp.exe"
        113⤵
        Drops file in System32 directory
        
        PID:928
        
        C:\Windows\SysWOW64\woirnuavb.exe
        
        "C:\Windows\system32\woirnuavb.exe"
        114⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\wilhfd.exe
        
        "C:\Windows\system32\wilhfd.exe"
        115⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\wutjccwge.exe
        
        "C:\Windows\system32\wutjccwge.exe"
        116⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\wkmrwrjk.exe
        
        "C:\Windows\system32\wkmrwrjk.exe"
        117⤵
        System Location Discovery: System Language Discovery
        
        PID:1124
        
        C:\Windows\SysWOW64\wbpl.exe
        
        "C:\Windows\system32\wbpl.exe"
        118⤵
        Drops file in System32 directory
        
        PID:1172
        
        C:\Windows\SysWOW64\wqitsyr.exe
        
        "C:\Windows\system32\wqitsyr.exe"
        119⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\wfccmpd.exe
        
        "C:\Windows\system32\wfccmpd.exe"
        120⤵
        System Location Discovery: System Language Discovery
        
        PID:2988
        
        C:\Windows\SysWOW64\wrvopn.exe
        
        "C:\Windows\system32\wrvopn.exe"
        121⤵
        System Location Discovery: System Language Discovery
        
        PID:1604
        
        C:\Windows\SysWOW64\wiowke.exe
        
        "C:\Windows\system32\wiowke.exe"
        122⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\wqmsj.exe
        
        "C:\Windows\system32\wqmsj.exe"
        123⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\wfqlka.exe
        
        "C:\Windows\system32\wfqlka.exe"
        124⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\weoobxdq.exe
        
        "C:\Windows\system32\weoobxdq.exe"
        125⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\wysdt.exe
        
        "C:\Windows\system32\wysdt.exe"
        126⤵
        
        PID:788
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\weoobxdq.exe"
        126⤵
        System Location Discovery: System Language Discovery
        
        PID:2456
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfqlka.exe"
        125⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqmsj.exe"
        124⤵
        System Location Discovery: System Language Discovery
        
        PID:1924
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wiowke.exe"
        123⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrvopn.exe"
        122⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfccmpd.exe"
        121⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqitsyr.exe"
        120⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbpl.exe"
        119⤵
        System Location Discovery: System Language Discovery
        
        PID:2260
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkmrwrjk.exe"
        118⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wutjccwge.exe"
        117⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wilhfd.exe"
        116⤵
        
        PID:648
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woirnuavb.exe"
        115⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2140 -s 184
        115⤵
        Program crash
        
        PID:2316
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfjvp.exe"
        114⤵
        System Location Discovery: System Language Discovery
        
        PID:2184
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqqnu.exe"
        113⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wewcra.exe"
        112⤵
        System Location Discovery: System Language Discovery
        
        PID:2220
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wktmy.exe"
        111⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyabwsp.exe"
        110⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjhqbde.exe"
        109⤵
        System Location Discovery: System Language Discovery
        
        PID:2840
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwaof.exe"
        108⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkqmjhk.exe"
        107⤵
        
        PID:1160
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtweoqy.exe"
        106⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqotbcj.exe"
        105⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 952 -s 840
        105⤵
        Program crash
        
        PID:2988
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wavm.exe"
        104⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtcvue.exe"
        103⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whijqfkd.exe"
        102⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvoxngdos.exe"
        101⤵
        System Location Discovery: System Language Discovery
        
        PID:2084
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfhyarc.exe"
        100⤵
        
        PID:488
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpcgya.exe"
        99⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wiela.exe"
        98⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxbnque.exe"
        97⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wchjfo.exe"
        96⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wykkxy.exe"
        95⤵
        System Location Discovery: System Language Discovery
        
        PID:2960
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxkrag.exe"
        94⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbfkndc.exe"
        93⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whctut.exe"
        92⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmdyqrc.exe"
        91⤵
        System Location Discovery: System Language Discovery
        
        PID:1604
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvkqucq.exe"
        90⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdvcnsggj.exe"
        89⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmneacg.exe"
        88⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfyvh.exe"
        87⤵
        
        PID:348
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnjiyot.exe"
        86⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wajtjrd.exe"
        85⤵
        System Location Discovery: System Language Discovery
        
        PID:2632
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wywnsyl.exe"
        84⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvayeo.exe"
        83⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdypw.exe"
        82⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wryahd.exe"
        81⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmodmsdt.exe"
        80⤵
        
        PID:1204
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wikbqgpd.exe"
        79⤵
        
        PID:596
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvioajad.exe"
        78⤵
        System Location Discovery: System Language Discovery
        
        PID:1664
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjtjq.exe"
        77⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfdy.exe"
        76⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnokhrl.exe"
        75⤵
        System Location Discovery: System Language Discovery
        
        PID:1796
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmfidxwop.exe"
        74⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wudecnxv.exe"
        73⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1264 -s 184
        73⤵
        Program crash
        
        PID:1608
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whnlmvq.exe"
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:2400
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfjsbf.exe"
        71⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgrdqi.exe"
        70⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnoyp.exe"
        69⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkneimc.exe"
        68⤵
        
        PID:788
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwwaxqvbv.exe"
        67⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\waxerpwqj.exe"
        66⤵
        System Location Discovery: System Language Discovery
        
        PID:2876
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvnkolan.exe"
        65⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\winwwoip.exe"
        64⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2280 -s 728
        64⤵
        Program crash
        
        PID:2324
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbhauom.exe"
        63⤵
        
        PID:956
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wybetba.exe"
        62⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrmvc.exe"
        61⤵
        System Location Discovery: System Language Discovery
        
        PID:1688
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvxldu.exe"
        60⤵
        System Location Discovery: System Language Discovery
        
        PID:2180
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuhwsao.exe"
        59⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wldjyav.exe"
        58⤵
        System Location Discovery: System Language Discovery
        
        PID:1532
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtqus.exe"
        57⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwblto.exe"
        56⤵
        System Location Discovery: System Language Discovery
        
        PID:2092
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjcju.exe"
        55⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuqyxgcb.exe"
        54⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdckpw.exe"
        53⤵
        
        PID:756
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcestenqr.exe"
        52⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcsmdlvg.exe"
        51⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtqtdf.exe"
        50⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuafsk.exe"
        49⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxlutjbh.exe"
        48⤵
        
        PID:776
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsvjsvc.exe"
        47⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwhxsuod.exe"
        46⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfeedw.exe"
        45⤵
        System Location Discovery: System Language Discovery
        
        PID:1604
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlcydngjd.exe"
        44⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wunlueu.exe"
        43⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlwdcysg.exe"
        42⤵
        System Location Discovery: System Language Discovery
        
        PID:564
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1596 -s 780
        42⤵
        Program crash
        
        PID:1780
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcqssevm.exe"
        41⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxlryriu.exe"
        40⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsg.exe"
        39⤵
        System Location Discovery: System Language Discovery
        
        PID:2672
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwtwtuvy.exe"
        38⤵
        System Location Discovery: System Language Discovery
        
        PID:3000
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2536 -s 748
        38⤵
        Program crash
        
        PID:1816
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbcea.exe"
        37⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfntco.exe"
        36⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvivp.exe"
        35⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfxbcwvp.exe"
        34⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wromir.exe"
        33⤵
        
        PID:564
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wolqa.exe"
        32⤵
        System Location Discovery: System Language Discovery
        
        PID:1488
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwlf.exe"
        31⤵
        
        PID:640
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtu.exe"
        30⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woptwru.exe"
        29⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whyle.exe"
        28⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\waytehf.exe"
        27⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuiidu.exe"
        26⤵
        System Location Discovery: System Language Discovery
        
        PID:1792
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyjnys.exe"
        25⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcvd.exe"
        24⤵
        System Location Discovery: System Language Discovery
        
        PID:1764
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcx.exe"
        23⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtieit.exe"
        22⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whgos.exe"
        21⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlmqmufnw.exe"
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:2876
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wckynp.exe"
        19⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlvkgfh.exe"
        18⤵
        
        PID:264
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxuvo.exe"
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:3056
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpf.exe"
        16⤵
        
        PID:756
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wifw.exe"
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:1056
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyaymvl.exe"
        14⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wryhn.exe"
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:1444
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdvydydvs.exe"
        12⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2344 -s 184
        12⤵
        Loads dropped DLL
        Program crash
        
        PID:2652
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqtkndmxd.exe"
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2868
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wit.exe"
        10⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wedhnj.exe"
        9⤵
        
        PID:264
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuy.exe"
        8⤵
        
        PID:580
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgkdc.exe"
        7⤵
        
        PID:2584
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wldt.exe"
        6⤵
        
        PID:1648
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wydh.exe"
        5⤵
        
        PID:620
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrcysm.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2352
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wppetwy.exe"
    3⤵
    PID:2784
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\3ebb8c2a94a2ce51f752cd809fd3d697_JaffaCakes118.exe"
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Y8UFEBH5\install[2].htm

Filesize
7KB

MD5
9463ba07743e8a9aca3b55373121b7c5

SHA1
4fdd121b2d2afd98881ab4cdb2d2a513ff5bb26f

SHA256
d5319a00eb7542e02c1e76cb20e2073c0411cd918e32094bc66f9147a0bfae6d

SHA512
6a1a97f37a5e607a3dc7f5fae343911a7f75d371a34ec27deb2971ee47388891f001d80959d37609d1c909af1674b4962da739e8a2cfce07e3d2ce6abf0c6ad7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\7HULQI49.txt

Filesize
131B

MD5
98e07a9ef63bd362f04cbe9337f68202

SHA1
d10966d1fd251f22477870ef70cc3186f3c7ec33

SHA256
daa2cb46b9598c2058e8c522562ed7d66b3b2a7fa88c0222767cf758a2051a46

SHA512
4ceb86ec4a124f1e96f0864a4284ffd4f7de71299787fffead39d5610b7c22504851aeb228aea5426e6ec7a1a7e5c285e57695f47f397146d627aad693c30473

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\IKH4TWV8.txt

Filesize
98B

MD5
e7751bad80ea577491cdba25d3deefe9

SHA1
9665a57f5645383b094d5b4785818c69e346480b

SHA256
1cfc9abac1d131e76c4a343a8fe3f8b0d921102966bd376f0d20fcc13a86ff55

SHA512
4e85a62bdce0cae8d03ebbb515ab6e03b288fecdd7e93515f39ef45e346ca5ebfbbc5714d3e4d299d98c87f1eb87f3e72e2a75263e5d8cf2a4e89bf6b76dabdb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\KPZ2QUG0.txt

Filesize
131B

MD5
9b0d38e0e91c0151c8ced81628c12950

SHA1
904dbf900c6ca01c6be9a05e20e2e5285bf8b0f4

SHA256
6e978648bef0612ce44ad24273a06b25fd9a50fff383780d50ac026afa9bdd81

SHA512
23bf908a0db4b54af08f71175dc1ee25b36fa9762654b0ede129a7cbacbc451cbbc660092c8f967059e45445870e26f4e3a0ca4fa51caf5dbd6f0076993d7c10

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\LNQBOSBJ.txt

Filesize
131B

MD5
7d3d848042bed05c72e259a06e1c98d7

SHA1
74e2173abcca814ba1567905c5e62b200d74085f

SHA256
6e51ea44e106cfd07409be260010114e2c9e423b9b87e0d142f43885bce2d3d2

SHA512
c27a0378e5edfb7716f55e1f6d84b03dbfe09b31850ae660f324183bc735fe17370a2e27aefd45339a718534a8bb4c48344421b07279933342b1e7505550e308

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\N3IAYSL2.txt

Filesize
131B

MD5
f75c243d59772f719dbe999e8e083434

SHA1
5eef48e768e7abc4de0a26d4b5f2e9162e468165

SHA256
641a8dd9383899170eb96935f0c3c4bd3be932338a4ac58c1f6ad3c8cea59723

SHA512
9643a9f9fd1b69507909c2713f5ca928bf65b38356f14089b3ab857596123840c5aeeef08d4625f6c02701353bd169dbec93ece66eec8403b071a568421236ce

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\UMQT89YQ.txt

Filesize
131B

MD5
0196dd259dd49450f2433b28bdeb2ffb

SHA1
00d6886fd59ae8b3e20a804932c3c10460ffd362

SHA256
b9dfc01c42a859444b911cb93a8badda1838291dc2c4b8301c8b6ee0d20d4ce9

SHA512
4c396540ab0131ead1d7f6a5356611e628bf1da5ccbe04a01c1bcc8afc63657576b10f4f3fac1b14baf2b4f0fb238887f058f3884e730f0ac86667c99b81aa52

Download Submit
\Windows\SysWOW64\wdvydydvs.exe

Filesize
270KB

MD5
a50dfcbf37a0379db7b5cfb2fd76ffd6

SHA1
0750e018750b5cb7001db189afcf2de2db1e3eab

SHA256
162cf56ca5dd821974253be81fd6bac22ceb6e4293638079efb789608c812a2b

SHA512
417531fbc331fc1394506cce05198858d8fdfacee3cec24b760798efc4ca1d4b2569709d96e678534ba9ebbfc2a72387329685c96ef7c88cf7592c1cee8ee893

Download Submit
\Windows\SysWOW64\wedhnj.exe

Filesize
269KB

MD5
45aaa58b5a6769da0f7383283129d2b4

SHA1
4fefc1f1366d2be9a7a015f01dae3dd6edf4f56a

SHA256
da766b769d6720b9a3b964db807982f2c0365d78496a3744302dff7dc60438d5

SHA512
764e6e97b8385f0c1bf667b2df76e7d30c99d384ae582c94345d49938b1f842052032a33de3052497093e61f0a46dd610bb34526b31990b3e963d6326015dccb

Download Submit
\Windows\SysWOW64\wgkdc.exe

Filesize
269KB

MD5
5a9a5126a08b4cd8701c755a964cb379

SHA1
0e3723843d798c0726ef4c22007d63ff1f5d5b8e

SHA256
d41adf52dc814740265346eb0f2d40a37d2e087280ca5d545d6e1dfae2ad4417

SHA512
766ea5ee935bb084ea0ffe0180c2cfbb01104f85b30a0e2731fdc48c5b5e2456529999b2df7e8bdddd0c78d35ccefaaa88808e3856cbc788b3951b3550953eef

Download Submit
\Windows\SysWOW64\wit.exe

Filesize
270KB

MD5
86c94ead5209191bc023ea895ce9fa8a

SHA1
d08e609ef4bae777e622012a6bb058fd80b82612

SHA256
7be110dff9240e89fe741b3ba7a3648b141198ff10676c839dd35007443685da

SHA512
0acd29c3488b1df670c830e850037f46a31a760877ad2ea431c411896fcf733e1a3057a0f5ebbd3641d638d6e250f6899b99ccb2255f51e21ff2d359d7062a40

Download Submit
\Windows\SysWOW64\wldt.exe

Filesize
269KB

MD5
c14932ac159a87604124fd79689425cd

SHA1
4204cb38ab3e4a193538265d882f1d273d68e8a6

SHA256
feb07810bb40e9d43d99f6be1f3ec1c9d3a7fe035ea5514a2ab39531246f12da

SHA512
b275a502adc6cc6508b910de10a2b8f438d5f452b52697ee803408189116fb4cd328589adbbf6ba7f00d71d6e371a2974cdfa9244289900b000c3b4fc97b75e7

Download Submit
\Windows\SysWOW64\wppetwy.exe

Filesize
269KB

MD5
a7953829c728c2fba8e6bd993a059484

SHA1
846c051b7eeb3315a17153c36dc064fd20960644

SHA256
294fb7debd9ef5bb6e07ef273e5b0a7cc05bb20c66b4c9499598070412f2a3a0

SHA512
b1255bc251cecd8ed17bea4ebe26fd3fb3be03e27e99f9a9449b54e21bb2bdbb3fd3fe545838f6b5909419778e3f274dfd15b384906e2a820e4e13eb3d233d34

Download Submit
\Windows\SysWOW64\wqtkndmxd.exe

Filesize
270KB

MD5
9ff67d73ead1daef2c7e106ac1b43a0c

SHA1
f1c148e4f8db2f98eba0f332798409f72feb1b3d

SHA256
38f75e021e1f9d2a4974c660bbe2c9c7ffa0cfb8ac490da0f84b6a774bc89198

SHA512
cb1d81d29dd6a0cfef09f13783ed49e77b9827ca2baef2c942a9e7d22968022a5b71b45c3531eb9f5e496638a2a467c5fc5bbe472c103dc00c98b732a35efe04

Download Submit
\Windows\SysWOW64\wrcysm.exe

Filesize
269KB

MD5
952ea11d33892273849e2d37c6dda135

SHA1
817567258a828e1ac6c04f9275ec9328c6135bb8

SHA256
f0ee4a3f6e8489006d4d98ca8f764a086637d04451f835b068b146d3aa4556b9

SHA512
0b7118fa6e37f91d196305a0e23455afbce74f294ef7e4e57c425229b0c4a155985a6b9c7ac0cd6f0eeb1ceca643a7d62b841b9e50e0906cec5915e4aed1ff74

Download Submit
\Windows\SysWOW64\wuy.exe

Filesize
269KB

MD5
837b909b9af79b8ce8d9341a340be4b9

SHA1
6a994a22a555608fba2d4be4f42acd60490f2a33

SHA256
2db94628393c4aad0205d6d510e8601e80aac64680d8e22b744b661a477c38ea

SHA512
0287017b80dc99f71d117985c38f4e07633190f422c99ec64d5208b333fa6bf97cfc5ce1bec08c486ebe73b840258d2a813ceb824a358bc8a173e537d6f1880a

Download Submit
\Windows\SysWOW64\wydh.exe

Filesize
269KB

MD5
713fc3cfab2d480724bb4a6bc355f0b5

SHA1
bf72e9382f8ecce224bb842b6bd35b689e967906

SHA256
de92afa9f194451fd66e9e747696042808278d0f6523e7e05f92e47cf7824796

SHA512
43f4a7d550b58282b789dccc5f5dcb86edd276d38e971b92c2d551e1be460ea1b30534d411ee4d9fb4cd9b2ab3965f216557c055971e3a5d970e8d0e2612f7be

Download Submit
memory/952-353-0x00000000036C0000-0x00000000036D7000-memory.dmp

Filesize
92KB

Download
memory/952-354-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1000-444-0x0000000003F90000-0x0000000003FA7000-memory.dmp

Filesize
92KB

Download
memory/1264-337-0x00000000034E0000-0x00000000034F7000-memory.dmp

Filesize
92KB

Download
memory/1264-339-0x0000000004130000-0x0000000004147000-memory.dmp

Filesize
92KB

Download
memory/1264-323-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1264-340-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1264-338-0x0000000004130000-0x0000000004147000-memory.dmp

Filesize
92KB

Download
memory/1492-226-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1492-206-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1492-225-0x0000000003630000-0x0000000003647000-memory.dmp

Filesize
92KB

Download
memory/1492-224-0x0000000003630000-0x0000000003647000-memory.dmp

Filesize
92KB

Download
memory/1528-255-0x0000000003C40000-0x0000000003C57000-memory.dmp

Filesize
92KB

Download
memory/1528-253-0x00000000035A0000-0x00000000035B7000-memory.dmp

Filesize
92KB

Download
memory/1528-254-0x00000000035A0000-0x00000000035B7000-memory.dmp

Filesize
92KB

Download
memory/1528-257-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1628-321-0x0000000004000000-0x0000000004017000-memory.dmp

Filesize
92KB

Download
memory/1628-324-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1628-322-0x0000000004000000-0x0000000004017000-memory.dmp

Filesize
92KB

Download
memory/1628-320-0x00000000034E0000-0x00000000034F7000-memory.dmp

Filesize
92KB

Download
memory/1656-170-0x0000000003980000-0x0000000003997000-memory.dmp

Filesize
92KB

Download
memory/1656-175-0x0000000003980000-0x0000000003997000-memory.dmp

Filesize
92KB

Download
memory/1656-184-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1668-367-0x0000000003EF0000-0x0000000003F07000-memory.dmp

Filesize
92KB

Download
memory/1668-370-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1668-369-0x0000000003EF0000-0x0000000003F07000-memory.dmp

Filesize
92KB

Download
memory/1668-368-0x0000000003EF0000-0x0000000003F07000-memory.dmp

Filesize
92KB

Download
memory/1716-403-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1716-417-0x0000000003AB0000-0x0000000003AC7000-memory.dmp

Filesize
92KB

Download
memory/1716-418-0x0000000003AB0000-0x0000000003AC7000-memory.dmp

Filesize
92KB

Download
memory/1716-416-0x0000000003AB0000-0x0000000003AC7000-memory.dmp

Filesize
92KB

Download
memory/1716-419-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1736-401-0x0000000003EE0000-0x0000000003EF7000-memory.dmp

Filesize
92KB

Download
memory/1736-399-0x0000000003EE0000-0x0000000003EF7000-memory.dmp

Filesize
92KB

Download
memory/1736-400-0x0000000003EE0000-0x0000000003EF7000-memory.dmp

Filesize
92KB

Download
memory/1736-402-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1736-385-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1808-114-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1808-89-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1808-109-0x0000000003440000-0x0000000003457000-memory.dmp

Filesize
92KB

Download
memory/1808-110-0x0000000003440000-0x0000000003457000-memory.dmp

Filesize
92KB

Download
memory/1808-111-0x0000000003440000-0x0000000003457000-memory.dmp

Filesize
92KB

Download
memory/1820-138-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1820-161-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1820-156-0x00000000038C0000-0x00000000038D7000-memory.dmp

Filesize
92KB

Download
memory/1820-157-0x00000000038C0000-0x00000000038D7000-memory.dmp

Filesize
92KB

Download
memory/1820-158-0x00000000038C0000-0x00000000038D7000-memory.dmp

Filesize
92KB

Download
memory/1820-159-0x00000000038C0000-0x00000000038D7000-memory.dmp

Filesize
92KB

Download
memory/1924-256-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1924-267-0x0000000003CF0000-0x0000000003D07000-memory.dmp

Filesize
92KB

Download
memory/1924-272-0x0000000003FF0000-0x0000000004007000-memory.dmp

Filesize
92KB

Download
memory/1924-273-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2084-185-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2084-207-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2084-205-0x0000000004010000-0x0000000004027000-memory.dmp

Filesize
92KB

Download
memory/2092-66-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2092-65-0x0000000003770000-0x0000000003787000-memory.dmp

Filesize
92KB

Download
memory/2092-44-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2168-0-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2168-13-0x0000000004150000-0x0000000004167000-memory.dmp

Filesize
92KB

Download
memory/2168-12-0x0000000003E60000-0x0000000003E77000-memory.dmp

Filesize
92KB

Download
memory/2168-21-0x0000000004160000-0x0000000004177000-memory.dmp

Filesize
92KB

Download
memory/2168-20-0x0000000004160000-0x0000000004177000-memory.dmp

Filesize
92KB

Download
memory/2168-24-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2344-258-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2344-227-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2344-240-0x00000000022F0000-0x0000000002307000-memory.dmp

Filesize
92KB

Download
memory/2464-287-0x0000000003850000-0x0000000003867000-memory.dmp

Filesize
92KB

Download
memory/2464-289-0x0000000003850000-0x0000000003867000-memory.dmp

Filesize
92KB

Download
memory/2464-288-0x0000000003850000-0x0000000003867000-memory.dmp

Filesize
92KB

Download
memory/2464-274-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2464-291-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2492-928-0x0000000003C80000-0x0000000003E44000-memory.dmp

Filesize
1.8MB

Download
memory/2492-927-0x0000000074EA0000-0x0000000074EEF000-memory.dmp

Filesize
316KB

Download
memory/2492-926-0x0000000074E20000-0x0000000074E78000-memory.dmp

Filesize
352KB

Download
memory/2492-924-0x0000000077490000-0x00000000775AF000-memory.dmp

Filesize
1.1MB

Download
memory/2492-925-0x0000000077390000-0x000000007748A000-memory.dmp

Filesize
1000KB

Download
memory/2512-86-0x00000000038F0000-0x0000000003907000-memory.dmp

Filesize
92KB

Download
memory/2512-80-0x00000000022B0000-0x00000000022C7000-memory.dmp

Filesize
92KB

Download
memory/2512-87-0x00000000038F0000-0x0000000003907000-memory.dmp

Filesize
92KB

Download
memory/2512-90-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2600-307-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2600-304-0x0000000003EF0000-0x0000000003F07000-memory.dmp

Filesize
92KB

Download
memory/2600-305-0x0000000003EF0000-0x0000000003F07000-memory.dmp

Filesize
92KB

Download
memory/2600-290-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2600-306-0x0000000003EF0000-0x0000000003F07000-memory.dmp

Filesize
92KB

Download
memory/2704-45-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2704-37-0x0000000003A50000-0x0000000003A67000-memory.dmp

Filesize
92KB

Download
memory/2872-386-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2872-382-0x00000000035B0000-0x00000000035C7000-memory.dmp

Filesize
92KB

Download
memory/2872-383-0x00000000035B0000-0x00000000035C7000-memory.dmp

Filesize
92KB

Download
memory/2872-384-0x00000000035B0000-0x00000000035C7000-memory.dmp

Filesize
92KB

Download
memory/2952-433-0x0000000002610000-0x0000000002627000-memory.dmp

Filesize
92KB

Download
memory/2952-432-0x0000000002610000-0x0000000002627000-memory.dmp

Filesize
92KB

Download
memory/2952-434-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3068-132-0x00000000032E0000-0x00000000032F7000-memory.dmp

Filesize
92KB

Download
memory/3068-133-0x00000000032E0000-0x00000000032F7000-memory.dmp

Filesize
92KB

Download
memory/3068-136-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3068-134-0x00000000032E0000-0x00000000032F7000-memory.dmp

Filesize
92KB

Download
memory/3068-131-0x00000000032E0000-0x00000000032F7000-memory.dmp

Filesize
92KB

Download
memory/3068-112-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download