1c4e3fe2b33c66d0ff8e3375958b9c3c6df2fb43f133fb1e72803a69dd626dfc

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
26-11-2024 01:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9ef5bdc61586c73eb4f775ab3bb16c9c_JaffaCakes118.exe
Size

261KB
MD5

9ef5bdc61586c73eb4f775ab3bb16c9c
SHA1

f9794ce350f231c5dc20c40a255128bc3147a76c
SHA256

1c4e3fe2b33c66d0ff8e3375958b9c3c6df2fb43f133fb1e72803a69dd626dfc
SHA512

90a92f1381ae5a408e84685e96269100e35884fbd39deb5028e97c1b5888e0f072a38104350c09790220aa6571603b7b69dc2997e6dfe873bbe495e714047145
SSDEEP

3072:ZYUb5QoJ4g+Ri+Zj6Iz1ZdW4SrO7FSVpuc:ZY7xh6SZI4z7FSVpuc

Score

7^/10

defense_evasion discovery

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2960 cmd.exe

pid	process
2960	cmd.exe

Executes dropped EXE 64 IoCs

Processes:

wihx.exewos.exewid.exewsagwpwv.exewteyig.exewnaqdoaxs.exewevrq.exewuopslf.exewoxuh.exewpvlfl.exewmryr.exewgmo.exewschdknp.exewtvog.exewrqdta.exewbgxsy.exewvm.exewcqvgl.exewylis.exewibfrmhsg.exewehm.exewok.exewtcxfx.exewygnhhujc.exewams.exewxchuxx.exeweiwwgncf.exewrwpmyu.exewmdxydbjt.exewwrty.exewhwfqdwbe.exewlch.exewmtvu.exewpxlws.exewqoaho.exewri.exewfxbcwvp.exewddytxck.exewgtjv.exewxcwqv.exeweub.exewunynp.exewyraid.exewroqd.exewvecex.exewcjq.exewkn.exewnsuiwqc.exewqkgjjpij.exewyacjk.exewbehmfco.exewdfdus.exewbpfb.exewqrbrfv.exewuibant.exewwogdj.exewflqjlok.exewwggesi.exewdlvgbxbj.exewmohy.exewapkwth.exewsmlkfx.exewvdwlrwm.exewrigwv.exe

pid	process
2888	wihx.exe
2728	wos.exe
304	wid.exe
1160	wsagwpwv.exe
1516	wteyig.exe
964	wnaqdoaxs.exe
2232	wevrq.exe
1956	wuopslf.exe
2832	woxuh.exe
2988	wpvlfl.exe
2412	wmryr.exe
3036	wgmo.exe
2604	wschdknp.exe
2508	wtvog.exe
2012	wrqdta.exe
1568	wbgxsy.exe
1704	wvm.exe
2704	wcqvgl.exe
2724	wylis.exe
2776	wibfrmhsg.exe
1232	wehm.exe
2252	wok.exe
1672	wtcxfx.exe
1164	wygnhhujc.exe
1968	wams.exe
2248	wxchuxx.exe
2736	weiwwgncf.exe
2720	wrwpmyu.exe
1516	wmdxydbjt.exe
2192	wwrty.exe
3028	whwfqdwbe.exe
1836	wlch.exe
2212	wmtvu.exe
2420	wpxlws.exe
1568	wqoaho.exe
2356	wri.exe
3052	wfxbcwvp.exe
684	wddytxck.exe
3012	wgtjv.exe
1168	wxcwqv.exe
2492	weub.exe
1692	wunynp.exe
1732	wyraid.exe
536	wroqd.exe
2536	wvecex.exe
2888	wcjq.exe
2928	wkn.exe
808	wnsuiwqc.exe
2408	wqkgjjpij.exe
1928	wyacjk.exe
1672	wbehmfco.exe
2140	wdfdus.exe
2948	wbpfb.exe
2868	wqrbrfv.exe
1488	wuibant.exe
2904	wwogdj.exe
1112	wflqjlok.exe
2192	wwggesi.exe
996	wdlvgbxbj.exe
2104	wmohy.exe
1636	wapkwth.exe
772	wsmlkfx.exe
964	wvdwlrwm.exe
2840	wrigwv.exe

Loads dropped DLL 64 IoCs

Processes:

9ef5bdc61586c73eb4f775ab3bb16c9c_JaffaCakes118.exewihx.exewos.exewid.exewsagwpwv.exeWerFault.exewteyig.exewnaqdoaxs.exewevrq.exewuopslf.exewoxuh.exewpvlfl.exewmryr.exewgmo.exewschdknp.exewtvog.exewrqdta.exe

pid	process
1704	9ef5bdc61586c73eb4f775ab3bb16c9c_JaffaCakes118.exe
1704	9ef5bdc61586c73eb4f775ab3bb16c9c_JaffaCakes118.exe
1704	9ef5bdc61586c73eb4f775ab3bb16c9c_JaffaCakes118.exe
1704	9ef5bdc61586c73eb4f775ab3bb16c9c_JaffaCakes118.exe
2888	wihx.exe
2888	wihx.exe
2888	wihx.exe
2888	wihx.exe
2728	wos.exe
2728	wos.exe
2728	wos.exe
2728	wos.exe
304	wid.exe
304	wid.exe
304	wid.exe
304	wid.exe
1160	wsagwpwv.exe
1160	wsagwpwv.exe
1160	wsagwpwv.exe
1160	wsagwpwv.exe
1828	WerFault.exe
1828	WerFault.exe
1828	WerFault.exe
1516	wteyig.exe
1516	wteyig.exe
1516	wteyig.exe
1516	wteyig.exe
964	wnaqdoaxs.exe
964	wnaqdoaxs.exe
964	wnaqdoaxs.exe
964	wnaqdoaxs.exe
2232	wevrq.exe
2232	wevrq.exe
2232	wevrq.exe
2232	wevrq.exe
1956	wuopslf.exe
1956	wuopslf.exe
1956	wuopslf.exe
1956	wuopslf.exe
2832	woxuh.exe
2832	woxuh.exe
2832	woxuh.exe
2832	woxuh.exe
2988	wpvlfl.exe
2988	wpvlfl.exe
2988	wpvlfl.exe
2988	wpvlfl.exe
2412	wmryr.exe
2412	wmryr.exe
2412	wmryr.exe
2412	wmryr.exe
3036	wgmo.exe
3036	wgmo.exe
3036	wgmo.exe
3036	wgmo.exe
2604	wschdknp.exe
2604	wschdknp.exe
2604	wschdknp.exe
2604	wschdknp.exe
2508	wtvog.exe
2508	wtvog.exe
2508	wtvog.exe
2508	wtvog.exe
2012	wrqdta.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in System32 directory 64 IoCs

Processes:

wcjq.exewmohy.exewmwvuoy.exewbpqhr.exewxgcqjv.exewjhfi.exewrqdta.exewyacjk.exewxuvfmt.exewrusyp.exewkdxbs.exewhnvqy.exewid.exewsmlkfx.exewfhiuoui.exewqrbrfv.exewcydyke.exewehm.exeweiwwgncf.exewjgeou.exewsksue.exewqoaho.exeweub.exewdlvgbxbj.exewqntgvph.exewlch.exewfxbcwvp.exewwggesi.exewibftah.exewvtc.exewgmo.exewbgxsy.exewtcxfx.exewvm.exewnsuiwqc.exewjacudh.exewcworwt.exewtvog.exewibfrmhsg.exewapkwth.exewiatfk.exewnxbqdpbp.exewsgcb.exewrwpmyu.exewbpfb.exewrtuoahy.exewklfvw.exewgkhn.exewrjmceq.exewwogdj.exewybgk.exewyraid.exewkn.exewevrq.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\wkn.exe	wcjq.exe
File opened for modification	C:\Windows\SysWOW64\wapkwth.exe	wmohy.exe
File opened for modification	C:\Windows\SysWOW64\wgaavx.exe	wmwvuoy.exe
File opened for modification	C:\Windows\SysWOW64\wsksue.exe	wbpqhr.exe
File opened for modification	C:\Windows\SysWOW64\wcworwt.exe	wxgcqjv.exe
File created	C:\Windows\SysWOW64\wtlqb.exe	wjhfi.exe
File created	C:\Windows\SysWOW64\wbgxsy.exe	wrqdta.exe
File created	C:\Windows\SysWOW64\wbehmfco.exe	wyacjk.exe
File opened for modification	C:\Windows\SysWOW64\wcakh.exe	wxuvfmt.exe
File opened for modification	C:\Windows\SysWOW64\wibftah.exe	wrusyp.exe
File opened for modification	C:\Windows\SysWOW64\wgkhn.exe	wkdxbs.exe
File opened for modification	C:\Windows\SysWOW64\wuulus.exe	whnvqy.exe
File created	C:\Windows\SysWOW64\wsagwpwv.exe	wid.exe
File opened for modification	C:\Windows\SysWOW64\wvdwlrwm.exe	wsmlkfx.exe
File opened for modification	C:\Windows\SysWOW64\wbpqhr.exe	wfhiuoui.exe
File opened for modification	C:\Windows\SysWOW64\wuibant.exe	wqrbrfv.exe
File created	C:\Windows\SysWOW64\wohtdgd.exe	wcydyke.exe
File created	C:\Windows\SysWOW64\wok.exe	wehm.exe
File opened for modification	C:\Windows\SysWOW64\wrwpmyu.exe	weiwwgncf.exe
File created	C:\Windows\SysWOW64\wxuvfmt.exe	wjgeou.exe
File created	C:\Windows\SysWOW64\wxbsd.exe	wsksue.exe
File opened for modification	C:\Windows\SysWOW64\wri.exe	wqoaho.exe
File opened for modification	C:\Windows\SysWOW64\wunynp.exe	weub.exe
File opened for modification	C:\Windows\SysWOW64\wmohy.exe	wdlvgbxbj.exe
File opened for modification	C:\Windows\SysWOW64\wnifsvm.exe	wqntgvph.exe
File opened for modification	C:\Windows\SysWOW64\wmtvu.exe	wlch.exe
File created	C:\Windows\SysWOW64\wddytxck.exe	wfxbcwvp.exe
File opened for modification	C:\Windows\SysWOW64\wdlvgbxbj.exe	wwggesi.exe
File created	C:\Windows\SysWOW64\wrqcubk.exe	wibftah.exe
File opened for modification	C:\Windows\SysWOW64\wcydyke.exe	wvtc.exe
File created	C:\Windows\SysWOW64\wschdknp.exe	wgmo.exe
File created	C:\Windows\SysWOW64\wvm.exe	wbgxsy.exe
File created	C:\Windows\SysWOW64\wygnhhujc.exe	wtcxfx.exe
File opened for modification	C:\Windows\SysWOW64\wcqvgl.exe	wvm.exe
File created	C:\Windows\SysWOW64\wqkgjjpij.exe	wnsuiwqc.exe
File created	C:\Windows\SysWOW64\wvtc.exe	wjacudh.exe
File created	C:\Windows\SysWOW64\wunynp.exe	weub.exe
File created	C:\Windows\SysWOW64\wsksue.exe	wbpqhr.exe
File created	C:\Windows\SysWOW64\whmna.exe	wcworwt.exe
File opened for modification	C:\Windows\SysWOW64\wschdknp.exe	wgmo.exe
File opened for modification	C:\Windows\SysWOW64\wrqdta.exe	wtvog.exe
File opened for modification	C:\Windows\SysWOW64\wehm.exe	wibfrmhsg.exe
File opened for modification	C:\Windows\SysWOW64\wsmlkfx.exe	wapkwth.exe
File opened for modification	C:\Windows\SysWOW64\wxumibng.exe	wiatfk.exe
File opened for modification	C:\Windows\SysWOW64\wrywx.exe	wnxbqdpbp.exe
File created	C:\Windows\SysWOW64\wmwvuoy.exe	wsgcb.exe
File created	C:\Windows\SysWOW64\wmdxydbjt.exe	wrwpmyu.exe
File opened for modification	C:\Windows\SysWOW64\wddytxck.exe	wfxbcwvp.exe
File created	C:\Windows\SysWOW64\wqrbrfv.exe	wbpfb.exe
File created	C:\Windows\SysWOW64\wwyjqhw.exe	wrtuoahy.exe
File created	C:\Windows\SysWOW64\wkrkaqoly.exe	wklfvw.exe
File opened for modification	C:\Windows\SysWOW64\wqntgvph.exe	wgkhn.exe
File opened for modification	C:\Windows\SysWOW64\waxibes.exe	wrjmceq.exe
File created	C:\Windows\SysWOW64\wxumibng.exe	wiatfk.exe
File created	C:\Windows\SysWOW64\wflqjlok.exe	wwogdj.exe
File opened for modification	C:\Windows\SysWOW64\wflqjlok.exe	wwogdj.exe
File created	C:\Windows\SysWOW64\wbhauom.exe	wybgk.exe
File opened for modification	C:\Windows\SysWOW64\wroqd.exe	wyraid.exe
File created	C:\Windows\SysWOW64\wnsuiwqc.exe	wkn.exe
File created	C:\Windows\SysWOW64\wdlvgbxbj.exe	wwggesi.exe
File created	C:\Windows\SysWOW64\wvdwlrwm.exe	wsmlkfx.exe
File opened for modification	C:\Windows\SysWOW64\wkrkaqoly.exe	wklfvw.exe
File opened for modification	C:\Windows\SysWOW64\wuopslf.exe	wevrq.exe
File created	C:\Windows\SysWOW64\wrqdta.exe	wtvog.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 9 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1828	1160	WerFault.exe	wsagwpwv.exe
2096	2736	WerFault.exe	weiwwgncf.exe
1096	808	WerFault.exe	wnsuiwqc.exe
2400	996	WerFault.exe	wdlvgbxbj.exe
2868	964	WerFault.exe	wvdwlrwm.exe
788	2084	WerFault.exe	wkrxsdnwa.exe
2732	1804	WerFault.exe	wmdvfohkc.exe
708	2964	WerFault.exe	wrtuoahy.exe
2512	548	WerFault.exe	wmdwaubc.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.execmd.execmd.execmd.execmd.exewwyjqhw.execmd.exewnaqdoaxs.execmd.exewcqvgl.execmd.exewygnhhujc.exewyacjk.exewuibant.execmd.exewxumibng.execmd.execmd.exewrcli.execmd.exewroqd.exewkvvup.execmd.exewsgcb.execmd.execmd.execmd.exewmryr.execmd.execmd.exewdordj.execmd.execmd.exewriql.execmd.exewgaavx.execmd.exewos.execmd.exewhmna.execmd.execmd.execmd.execmd.execmd.exewfqti.execmd.execmd.execmd.exewdlvgbxbj.exewsmlkfx.execmd.execmd.exewjacudh.exewihx.exewvdwlrwm.execmd.exewrtuoahy.exewntmesn.execmd.exewrknaeb.exewtvog.execmd.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wwyjqhw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnaqdoaxs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcqvgl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wygnhhujc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wyacjk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wuibant.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wxumibng.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wrcli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wroqd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wkvvup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wsgcb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmryr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wdordj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wriql.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wgaavx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	whmna.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wfqti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wdlvgbxbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wsmlkfx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wjacudh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wihx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wvdwlrwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wrtuoahy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wntmesn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wrknaeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wtvog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

9ef5bdc61586c73eb4f775ab3bb16c9c_JaffaCakes118.exewihx.exewos.exewid.exewsagwpwv.exewteyig.exewnaqdoaxs.exewevrq.exe

description	pid	process	target process
PID 1704 wrote to memory of 2888	1704	9ef5bdc61586c73eb4f775ab3bb16c9c_JaffaCakes118.exe	wihx.exe
PID 1704 wrote to memory of 2888	1704	9ef5bdc61586c73eb4f775ab3bb16c9c_JaffaCakes118.exe	wihx.exe
PID 1704 wrote to memory of 2888	1704	9ef5bdc61586c73eb4f775ab3bb16c9c_JaffaCakes118.exe	wihx.exe
PID 1704 wrote to memory of 2888	1704	9ef5bdc61586c73eb4f775ab3bb16c9c_JaffaCakes118.exe	wihx.exe
PID 1704 wrote to memory of 2960	1704	9ef5bdc61586c73eb4f775ab3bb16c9c_JaffaCakes118.exe	cmd.exe
PID 1704 wrote to memory of 2960	1704	9ef5bdc61586c73eb4f775ab3bb16c9c_JaffaCakes118.exe	cmd.exe
PID 1704 wrote to memory of 2960	1704	9ef5bdc61586c73eb4f775ab3bb16c9c_JaffaCakes118.exe	cmd.exe
PID 1704 wrote to memory of 2960	1704	9ef5bdc61586c73eb4f775ab3bb16c9c_JaffaCakes118.exe	cmd.exe
PID 2888 wrote to memory of 2728	2888	wihx.exe	wos.exe
PID 2888 wrote to memory of 2728	2888	wihx.exe	wos.exe
PID 2888 wrote to memory of 2728	2888	wihx.exe	wos.exe
PID 2888 wrote to memory of 2728	2888	wihx.exe	wos.exe
PID 2888 wrote to memory of 2748	2888	wihx.exe	cmd.exe
PID 2888 wrote to memory of 2748	2888	wihx.exe	cmd.exe
PID 2888 wrote to memory of 2748	2888	wihx.exe	cmd.exe
PID 2888 wrote to memory of 2748	2888	wihx.exe	cmd.exe
PID 2728 wrote to memory of 304	2728	wos.exe	wid.exe
PID 2728 wrote to memory of 304	2728	wos.exe	wid.exe
PID 2728 wrote to memory of 304	2728	wos.exe	wid.exe
PID 2728 wrote to memory of 304	2728	wos.exe	wid.exe
PID 2728 wrote to memory of 1112	2728	wos.exe	cmd.exe
PID 2728 wrote to memory of 1112	2728	wos.exe	cmd.exe
PID 2728 wrote to memory of 1112	2728	wos.exe	cmd.exe
PID 2728 wrote to memory of 1112	2728	wos.exe	cmd.exe
PID 304 wrote to memory of 1160	304	wid.exe	wsagwpwv.exe
PID 304 wrote to memory of 1160	304	wid.exe	wsagwpwv.exe
PID 304 wrote to memory of 1160	304	wid.exe	wsagwpwv.exe
PID 304 wrote to memory of 1160	304	wid.exe	wsagwpwv.exe
PID 304 wrote to memory of 1376	304	wid.exe	cmd.exe
PID 304 wrote to memory of 1376	304	wid.exe	cmd.exe
PID 304 wrote to memory of 1376	304	wid.exe	cmd.exe
PID 304 wrote to memory of 1376	304	wid.exe	cmd.exe
PID 1160 wrote to memory of 1516	1160	wsagwpwv.exe	wteyig.exe
PID 1160 wrote to memory of 1516	1160	wsagwpwv.exe	wteyig.exe
PID 1160 wrote to memory of 1516	1160	wsagwpwv.exe	wteyig.exe
PID 1160 wrote to memory of 1516	1160	wsagwpwv.exe	wteyig.exe
PID 1160 wrote to memory of 2636	1160	wsagwpwv.exe	cmd.exe
PID 1160 wrote to memory of 2636	1160	wsagwpwv.exe	cmd.exe
PID 1160 wrote to memory of 2636	1160	wsagwpwv.exe	cmd.exe
PID 1160 wrote to memory of 2636	1160	wsagwpwv.exe	cmd.exe
PID 1160 wrote to memory of 1828	1160	wsagwpwv.exe	WerFault.exe
PID 1160 wrote to memory of 1828	1160	wsagwpwv.exe	WerFault.exe
PID 1160 wrote to memory of 1828	1160	wsagwpwv.exe	WerFault.exe
PID 1160 wrote to memory of 1828	1160	wsagwpwv.exe	WerFault.exe
PID 1516 wrote to memory of 964	1516	wteyig.exe	wnaqdoaxs.exe
PID 1516 wrote to memory of 964	1516	wteyig.exe	wnaqdoaxs.exe
PID 1516 wrote to memory of 964	1516	wteyig.exe	wnaqdoaxs.exe
PID 1516 wrote to memory of 964	1516	wteyig.exe	wnaqdoaxs.exe
PID 1516 wrote to memory of 2576	1516	wteyig.exe	cmd.exe
PID 1516 wrote to memory of 2576	1516	wteyig.exe	cmd.exe
PID 1516 wrote to memory of 2576	1516	wteyig.exe	cmd.exe
PID 1516 wrote to memory of 2576	1516	wteyig.exe	cmd.exe
PID 964 wrote to memory of 2232	964	wnaqdoaxs.exe	wevrq.exe
PID 964 wrote to memory of 2232	964	wnaqdoaxs.exe	wevrq.exe
PID 964 wrote to memory of 2232	964	wnaqdoaxs.exe	wevrq.exe
PID 964 wrote to memory of 2232	964	wnaqdoaxs.exe	wevrq.exe
PID 964 wrote to memory of 1644	964	wnaqdoaxs.exe	cmd.exe
PID 964 wrote to memory of 1644	964	wnaqdoaxs.exe	cmd.exe
PID 964 wrote to memory of 1644	964	wnaqdoaxs.exe	cmd.exe
PID 964 wrote to memory of 1644	964	wnaqdoaxs.exe	cmd.exe
PID 2232 wrote to memory of 1956	2232	wevrq.exe	wuopslf.exe
PID 2232 wrote to memory of 1956	2232	wevrq.exe	wuopslf.exe
PID 2232 wrote to memory of 1956	2232	wevrq.exe	wuopslf.exe
PID 2232 wrote to memory of 1956	2232	wevrq.exe	wuopslf.exe

C:\Users\Admin\AppData\Local\Temp\9ef5bdc61586c73eb4f775ab3bb16c9c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\9ef5bdc61586c73eb4f775ab3bb16c9c_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1704
- C:\Windows\SysWOW64\wihx.exe
  "C:\Windows\system32\wihx.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2888
- - C:\Windows\SysWOW64\wos.exe
    "C:\Windows\system32\wos.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2728
  - - C:\Windows\SysWOW64\wid.exe
      "C:\Windows\system32\wid.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:304
    - - C:\Windows\SysWOW64\wsagwpwv.exe
        
        "C:\Windows\system32\wsagwpwv.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1160
      - C:\Windows\SysWOW64\wteyig.exe
        
        "C:\Windows\system32\wteyig.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1516
        
        C:\Windows\SysWOW64\wnaqdoaxs.exe
        
        "C:\Windows\system32\wnaqdoaxs.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:964
        
        C:\Windows\SysWOW64\wevrq.exe
        
        "C:\Windows\system32\wevrq.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2232
        
        C:\Windows\SysWOW64\wuopslf.exe
        
        "C:\Windows\system32\wuopslf.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1956
        
        C:\Windows\SysWOW64\woxuh.exe
        
        "C:\Windows\system32\woxuh.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2832
        
        C:\Windows\SysWOW64\wpvlfl.exe
        
        "C:\Windows\system32\wpvlfl.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2988
        
        C:\Windows\SysWOW64\wmryr.exe
        
        "C:\Windows\system32\wmryr.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2412
        
        C:\Windows\SysWOW64\wgmo.exe
        
        "C:\Windows\system32\wgmo.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:3036
        
        C:\Windows\SysWOW64\wschdknp.exe
        
        "C:\Windows\system32\wschdknp.exe"
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2604
        
        C:\Windows\SysWOW64\wtvog.exe
        
        "C:\Windows\system32\wtvog.exe"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2508
        
        C:\Windows\SysWOW64\wrqdta.exe
        
        "C:\Windows\system32\wrqdta.exe"
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2012
        
        C:\Windows\SysWOW64\wbgxsy.exe
        
        "C:\Windows\system32\wbgxsy.exe"
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1568
        
        C:\Windows\SysWOW64\wvm.exe
        
        "C:\Windows\system32\wvm.exe"
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1704
        
        C:\Windows\SysWOW64\wcqvgl.exe
        
        "C:\Windows\system32\wcqvgl.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2704
        
        C:\Windows\SysWOW64\wylis.exe
        
        "C:\Windows\system32\wylis.exe"
        20⤵
        Executes dropped EXE
        
        PID:2724
        
        C:\Windows\SysWOW64\wibfrmhsg.exe
        
        "C:\Windows\system32\wibfrmhsg.exe"
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2776
        
        C:\Windows\SysWOW64\wehm.exe
        
        "C:\Windows\system32\wehm.exe"
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1232
        
        C:\Windows\SysWOW64\wok.exe
        
        "C:\Windows\system32\wok.exe"
        23⤵
        Executes dropped EXE
        
        PID:2252
        
        C:\Windows\SysWOW64\wtcxfx.exe
        
        "C:\Windows\system32\wtcxfx.exe"
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1672
        
        C:\Windows\SysWOW64\wygnhhujc.exe
        
        "C:\Windows\system32\wygnhhujc.exe"
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1164
        
        C:\Windows\SysWOW64\wams.exe
        
        "C:\Windows\system32\wams.exe"
        26⤵
        Executes dropped EXE
        
        PID:1968
        
        C:\Windows\SysWOW64\wxchuxx.exe
        
        "C:\Windows\system32\wxchuxx.exe"
        27⤵
        Executes dropped EXE
        
        PID:2248
        
        C:\Windows\SysWOW64\weiwwgncf.exe
        
        "C:\Windows\system32\weiwwgncf.exe"
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2736
        
        C:\Windows\SysWOW64\wrwpmyu.exe
        
        "C:\Windows\system32\wrwpmyu.exe"
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2720
        
        C:\Windows\SysWOW64\wmdxydbjt.exe
        
        "C:\Windows\system32\wmdxydbjt.exe"
        30⤵
        Executes dropped EXE
        
        PID:1516
        
        C:\Windows\SysWOW64\wwrty.exe
        
        "C:\Windows\system32\wwrty.exe"
        31⤵
        Executes dropped EXE
        
        PID:2192
        
        C:\Windows\SysWOW64\whwfqdwbe.exe
        
        "C:\Windows\system32\whwfqdwbe.exe"
        32⤵
        Executes dropped EXE
        
        PID:3028
        
        C:\Windows\SysWOW64\wlch.exe
        
        "C:\Windows\system32\wlch.exe"
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1836
        
        C:\Windows\SysWOW64\wmtvu.exe
        
        "C:\Windows\system32\wmtvu.exe"
        34⤵
        Executes dropped EXE
        
        PID:2212
        
        C:\Windows\SysWOW64\wpxlws.exe
        
        "C:\Windows\system32\wpxlws.exe"
        35⤵
        Executes dropped EXE
        
        PID:2420
        
        C:\Windows\SysWOW64\wqoaho.exe
        
        "C:\Windows\system32\wqoaho.exe"
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1568
        
        C:\Windows\SysWOW64\wri.exe
        
        "C:\Windows\system32\wri.exe"
        37⤵
        Executes dropped EXE
        
        PID:2356
        
        C:\Windows\SysWOW64\wfxbcwvp.exe
        
        "C:\Windows\system32\wfxbcwvp.exe"
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3052
        
        C:\Windows\SysWOW64\wddytxck.exe
        
        "C:\Windows\system32\wddytxck.exe"
        39⤵
        Executes dropped EXE
        
        PID:684
        
        C:\Windows\SysWOW64\wgtjv.exe
        
        "C:\Windows\system32\wgtjv.exe"
        40⤵
        Executes dropped EXE
        
        PID:3012
        
        C:\Windows\SysWOW64\wxcwqv.exe
        
        "C:\Windows\system32\wxcwqv.exe"
        41⤵
        Executes dropped EXE
        
        PID:1168
        
        C:\Windows\SysWOW64\weub.exe
        
        "C:\Windows\system32\weub.exe"
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2492
        
        C:\Windows\SysWOW64\wunynp.exe
        
        "C:\Windows\system32\wunynp.exe"
        43⤵
        Executes dropped EXE
        
        PID:1692
        
        C:\Windows\SysWOW64\wyraid.exe
        
        "C:\Windows\system32\wyraid.exe"
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1732
        
        C:\Windows\SysWOW64\wroqd.exe
        
        "C:\Windows\system32\wroqd.exe"
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:536
        
        C:\Windows\SysWOW64\wvecex.exe
        
        "C:\Windows\system32\wvecex.exe"
        46⤵
        Executes dropped EXE
        
        PID:2536
        
        C:\Windows\SysWOW64\wcjq.exe
        
        "C:\Windows\system32\wcjq.exe"
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2888
        
        C:\Windows\SysWOW64\wkn.exe
        
        "C:\Windows\system32\wkn.exe"
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2928
        
        C:\Windows\SysWOW64\wnsuiwqc.exe
        
        "C:\Windows\system32\wnsuiwqc.exe"
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:808
        
        C:\Windows\SysWOW64\wqkgjjpij.exe
        
        "C:\Windows\system32\wqkgjjpij.exe"
        50⤵
        Executes dropped EXE
        
        PID:2408
        
        C:\Windows\SysWOW64\wyacjk.exe
        
        "C:\Windows\system32\wyacjk.exe"
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1928
        
        C:\Windows\SysWOW64\wbehmfco.exe
        
        "C:\Windows\system32\wbehmfco.exe"
        52⤵
        Executes dropped EXE
        
        PID:1672
        
        C:\Windows\SysWOW64\wdfdus.exe
        
        "C:\Windows\system32\wdfdus.exe"
        53⤵
        Executes dropped EXE
        
        PID:2140
        
        C:\Windows\SysWOW64\wbpfb.exe
        
        "C:\Windows\system32\wbpfb.exe"
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2948
        
        C:\Windows\SysWOW64\wqrbrfv.exe
        
        "C:\Windows\system32\wqrbrfv.exe"
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2868
        
        C:\Windows\SysWOW64\wuibant.exe
        
        "C:\Windows\system32\wuibant.exe"
        56⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1488
        
        C:\Windows\SysWOW64\wwogdj.exe
        
        "C:\Windows\system32\wwogdj.exe"
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2904
        
        C:\Windows\SysWOW64\wflqjlok.exe
        
        "C:\Windows\system32\wflqjlok.exe"
        58⤵
        Executes dropped EXE
        
        PID:1112
        
        C:\Windows\SysWOW64\wwggesi.exe
        
        "C:\Windows\system32\wwggesi.exe"
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2192
        
        C:\Windows\SysWOW64\wdlvgbxbj.exe
        
        "C:\Windows\system32\wdlvgbxbj.exe"
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:996
        
        C:\Windows\SysWOW64\wmohy.exe
        
        "C:\Windows\system32\wmohy.exe"
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2104
        
        C:\Windows\SysWOW64\wapkwth.exe
        
        "C:\Windows\system32\wapkwth.exe"
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1636
        
        C:\Windows\SysWOW64\wsmlkfx.exe
        
        "C:\Windows\system32\wsmlkfx.exe"
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:772
        
        C:\Windows\SysWOW64\wvdwlrwm.exe
        
        "C:\Windows\system32\wvdwlrwm.exe"
        64⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:964
        
        C:\Windows\SysWOW64\wrigwv.exe
        
        "C:\Windows\system32\wrigwv.exe"
        65⤵
        Executes dropped EXE
        
        PID:2840
        
        C:\Windows\SysWOW64\wfhiuoui.exe
        
        "C:\Windows\system32\wfhiuoui.exe"
        66⤵
        Drops file in System32 directory
        
        PID:1936
        
        C:\Windows\SysWOW64\wbpqhr.exe
        
        "C:\Windows\system32\wbpqhr.exe"
        67⤵
        Drops file in System32 directory
        
        PID:1296
        
        C:\Windows\SysWOW64\wsksue.exe
        
        "C:\Windows\system32\wsksue.exe"
        68⤵
        Drops file in System32 directory
        
        PID:3024
        
        C:\Windows\SysWOW64\wxbsd.exe
        
        "C:\Windows\system32\wxbsd.exe"
        69⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\wpvurx.exe
        
        "C:\Windows\system32\wpvurx.exe"
        70⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\wybgk.exe
        
        "C:\Windows\system32\wybgk.exe"
        71⤵
        Drops file in System32 directory
        
        PID:1836
        
        C:\Windows\SysWOW64\wbhauom.exe
        
        "C:\Windows\system32\wbhauom.exe"
        72⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\wkvvup.exe
        
        "C:\Windows\system32\wkvvup.exe"
        73⤵
        System Location Discovery: System Language Discovery
        
        PID:2364
        
        C:\Windows\SysWOW64\wlqdyhp.exe
        
        "C:\Windows\system32\wlqdyhp.exe"
        74⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\wrusyp.exe
        
        "C:\Windows\system32\wrusyp.exe"
        75⤵
        Drops file in System32 directory
        
        PID:2264
        
        C:\Windows\SysWOW64\wibftah.exe
        
        "C:\Windows\system32\wibftah.exe"
        76⤵
        Drops file in System32 directory
        
        PID:1500
        
        C:\Windows\SysWOW64\wrqcubk.exe
        
        "C:\Windows\system32\wrqcubk.exe"
        77⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\wfmhqu.exe
        
        "C:\Windows\system32\wfmhqu.exe"
        78⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\wkrxsdnwa.exe
        
        "C:\Windows\system32\wkrxsdnwa.exe"
        79⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\whxtl.exe
        
        "C:\Windows\system32\whxtl.exe"
        80⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\wmdvfohkc.exe
        
        "C:\Windows\system32\wmdvfohkc.exe"
        81⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\wrtuoahy.exe
        
        "C:\Windows\system32\wrtuoahy.exe"
        82⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2964
        
        C:\Windows\SysWOW64\wwyjqhw.exe
        
        "C:\Windows\system32\wwyjqhw.exe"
        83⤵
        System Location Discovery: System Language Discovery
        
        PID:3044
        
        C:\Windows\SysWOW64\wntmesn.exe
        
        "C:\Windows\system32\wntmesn.exe"
        84⤵
        System Location Discovery: System Language Discovery
        
        PID:1780
        
        C:\Windows\SysWOW64\wklfvw.exe
        
        "C:\Windows\system32\wklfvw.exe"
        85⤵
        Drops file in System32 directory
        
        PID:1960
        
        C:\Windows\SysWOW64\wkrkaqoly.exe
        
        "C:\Windows\system32\wkrkaqoly.exe"
        86⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\wxgcqjv.exe
        
        "C:\Windows\system32\wxgcqjv.exe"
        87⤵
        Drops file in System32 directory
        
        PID:2916
        
        C:\Windows\SysWOW64\wcworwt.exe
        
        "C:\Windows\system32\wcworwt.exe"
        88⤵
        Drops file in System32 directory
        
        PID:1208
        
        C:\Windows\SysWOW64\whmna.exe
        
        "C:\Windows\system32\whmna.exe"
        89⤵
        System Location Discovery: System Language Discovery
        
        PID:1212
        
        C:\Windows\SysWOW64\wkdxbs.exe
        
        "C:\Windows\system32\wkdxbs.exe"
        90⤵
        Drops file in System32 directory
        
        PID:2616
        
        C:\Windows\SysWOW64\wgkhn.exe
        
        "C:\Windows\system32\wgkhn.exe"
        91⤵
        Drops file in System32 directory
        
        PID:2684
        
        C:\Windows\SysWOW64\wqntgvph.exe
        
        "C:\Windows\system32\wqntgvph.exe"
        92⤵
        Drops file in System32 directory
        
        PID:2948
        
        C:\Windows\SysWOW64\wnifsvm.exe
        
        "C:\Windows\system32\wnifsvm.exe"
        93⤵
        
        PID:1068
        
        C:\Windows\SysWOW64\wfpsn.exe
        
        "C:\Windows\system32\wfpsn.exe"
        94⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\wjgeou.exe
        
        "C:\Windows\system32\wjgeou.exe"
        95⤵
        Drops file in System32 directory
        
        PID:1500
        
        C:\Windows\SysWOW64\wxuvfmt.exe
        
        "C:\Windows\system32\wxuvfmt.exe"
        96⤵
        Drops file in System32 directory
        
        PID:1380
        
        C:\Windows\SysWOW64\wcakh.exe
        
        "C:\Windows\system32\wcakh.exe"
        97⤵
        
        PID:1356
        
        C:\Windows\SysWOW64\wmdwaubc.exe
        
        "C:\Windows\system32\wmdwaubc.exe"
        98⤵
        
        PID:548
        
        C:\Windows\SysWOW64\wrjmceq.exe
        
        "C:\Windows\system32\wrjmceq.exe"
        99⤵
        Drops file in System32 directory
        
        PID:1984
        
        C:\Windows\SysWOW64\waxibes.exe
        
        "C:\Windows\system32\waxibes.exe"
        100⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\wkcste.exe
        
        "C:\Windows\system32\wkcste.exe"
        101⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\wtada.exe
        
        "C:\Windows\system32\wtada.exe"
        102⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\whnvqy.exe
        
        "C:\Windows\system32\whnvqy.exe"
        103⤵
        Drops file in System32 directory
        
        PID:2724
        
        C:\Windows\SysWOW64\wuulus.exe
        
        "C:\Windows\system32\wuulus.exe"
        104⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\wiatfk.exe
        
        "C:\Windows\system32\wiatfk.exe"
        105⤵
        Drops file in System32 directory
        
        PID:2196
        
        C:\Windows\SysWOW64\wxumibng.exe
        
        "C:\Windows\system32\wxumibng.exe"
        106⤵
        System Location Discovery: System Language Discovery
        
        PID:3016
        
        C:\Windows\SysWOW64\wdordj.exe
        
        "C:\Windows\system32\wdordj.exe"
        107⤵
        System Location Discovery: System Language Discovery
        
        PID:3012
        
        C:\Windows\SysWOW64\wyglv.exe
        
        "C:\Windows\system32\wyglv.exe"
        108⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\wumjp.exe
        
        "C:\Windows\system32\wumjp.exe"
        109⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\wfqti.exe
        
        "C:\Windows\system32\wfqti.exe"
        110⤵
        System Location Discovery: System Language Discovery
        
        PID:3056
        
        C:\Windows\SysWOW64\wjhfi.exe
        
        "C:\Windows\system32\wjhfi.exe"
        111⤵
        Drops file in System32 directory
        
        PID:2924
        
        C:\Windows\SysWOW64\wtlqb.exe
        
        "C:\Windows\system32\wtlqb.exe"
        112⤵
        
        PID:964
        
        C:\Windows\SysWOW64\wqgenyug.exe
        
        "C:\Windows\system32\wqgenyug.exe"
        113⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\wmxvhcm.exe
        
        "C:\Windows\system32\wmxvhcm.exe"
        114⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\wrcli.exe
        
        "C:\Windows\system32\wrcli.exe"
        115⤵
        System Location Discovery: System Language Discovery
        
        PID:2068
        
        C:\Windows\SysWOW64\wriql.exe
        
        "C:\Windows\system32\wriql.exe"
        116⤵
        System Location Discovery: System Language Discovery
        
        PID:844
        
        C:\Windows\SysWOW64\wioegq.exe
        
        "C:\Windows\system32\wioegq.exe"
        117⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\wfuaar.exe
        
        "C:\Windows\system32\wfuaar.exe"
        118⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\wjacudh.exe
        
        "C:\Windows\system32\wjacudh.exe"
        119⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2748
        
        C:\Windows\SysWOW64\wvtc.exe
        
        "C:\Windows\system32\wvtc.exe"
        120⤵
        Drops file in System32 directory
        
        PID:580
        
        C:\Windows\SysWOW64\wcydyke.exe
        
        "C:\Windows\system32\wcydyke.exe"
        121⤵
        Drops file in System32 directory
        
        PID:2808
        
        C:\Windows\SysWOW64\wohtdgd.exe
        
        "C:\Windows\system32\wohtdgd.exe"
        122⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\wpacgvdp.exe
        
        "C:\Windows\system32\wpacgvdp.exe"
        123⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\wmgyy.exe
        
        "C:\Windows\system32\wmgyy.exe"
        124⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\wrknaeb.exe
        
        "C:\Windows\system32\wrknaeb.exe"
        125⤵
        System Location Discovery: System Language Discovery
        
        PID:2408
        
        C:\Windows\SysWOW64\wkgqoort.exe
        
        "C:\Windows\system32\wkgqoort.exe"
        126⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\wnxbqdpbp.exe
        
        "C:\Windows\system32\wnxbqdpbp.exe"
        127⤵
        Drops file in System32 directory
        
        PID:1608
        
        C:\Windows\SysWOW64\wrywx.exe
        
        "C:\Windows\system32\wrywx.exe"
        128⤵
        
        PID:716
        
        C:\Windows\SysWOW64\wsgcb.exe
        
        "C:\Windows\system32\wsgcb.exe"
        129⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2876
        
        C:\Windows\SysWOW64\wmwvuoy.exe
        
        "C:\Windows\system32\wmwvuoy.exe"
        130⤵
        Drops file in System32 directory
        
        PID:2984
        
        C:\Windows\SysWOW64\wgaavx.exe
        
        "C:\Windows\system32\wgaavx.exe"
        131⤵
        System Location Discovery: System Language Discovery
        
        PID:2516
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmwvuoy.exe"
        131⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsgcb.exe"
        130⤵
        System Location Discovery: System Language Discovery
        
        PID:2536
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrywx.exe"
        129⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnxbqdpbp.exe"
        128⤵
        
        PID:776
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkgqoort.exe"
        127⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrknaeb.exe"
        126⤵
        System Location Discovery: System Language Discovery
        
        PID:2040
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmgyy.exe"
        125⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpacgvdp.exe"
        124⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wohtdgd.exe"
        123⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcydyke.exe"
        122⤵
        System Location Discovery: System Language Discovery
        
        PID:1884
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvtc.exe"
        121⤵
        
        PID:536
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjacudh.exe"
        120⤵
        System Location Discovery: System Language Discovery
        
        PID:2172
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfuaar.exe"
        119⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wioegq.exe"
        118⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wriql.exe"
        117⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrcli.exe"
        116⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmxvhcm.exe"
        115⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqgenyug.exe"
        114⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtlqb.exe"
        113⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjhfi.exe"
        112⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfqti.exe"
        111⤵
        
        PID:484
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wumjp.exe"
        110⤵
        System Location Discovery: System Language Discovery
        
        PID:1092
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyglv.exe"
        109⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdordj.exe"
        108⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxumibng.exe"
        107⤵
        System Location Discovery: System Language Discovery
        
        PID:2004
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wiatfk.exe"
        106⤵
        
        PID:316
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuulus.exe"
        105⤵
        
        PID:604
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whnvqy.exe"
        104⤵
        System Location Discovery: System Language Discovery
        
        PID:2324
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtada.exe"
        103⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkcste.exe"
        102⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\waxibes.exe"
        101⤵
        
        PID:380
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrjmceq.exe"
        100⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmdwaubc.exe"
        99⤵
        
        PID:892
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 548 -s 180
        99⤵
        Program crash
        
        PID:2512
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcakh.exe"
        98⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxuvfmt.exe"
        97⤵
        System Location Discovery: System Language Discovery
        
        PID:3012
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjgeou.exe"
        96⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfpsn.exe"
        95⤵
        
        PID:272
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnifsvm.exe"
        94⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqntgvph.exe"
        93⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgkhn.exe"
        92⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkdxbs.exe"
        91⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whmna.exe"
        90⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcworwt.exe"
        89⤵
        
        PID:1384
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxgcqjv.exe"
        88⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkrkaqoly.exe"
        87⤵
        System Location Discovery: System Language Discovery
        
        PID:2124
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wklfvw.exe"
        86⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wntmesn.exe"
        85⤵
        System Location Discovery: System Language Discovery
        
        PID:1492
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwyjqhw.exe"
        84⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrtuoahy.exe"
        83⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2964 -s 752
        83⤵
        Program crash
        
        PID:708
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmdvfohkc.exe"
        82⤵
        System Location Discovery: System Language Discovery
        
        PID:1732
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1804 -s 712
        82⤵
        Program crash
        
        PID:2732
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whxtl.exe"
        81⤵
        
        PID:888
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkrxsdnwa.exe"
        80⤵
        System Location Discovery: System Language Discovery
        
        PID:2072
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2084 -s 180
        80⤵
        Program crash
        
        PID:788
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfmhqu.exe"
        79⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrqcubk.exe"
        78⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wibftah.exe"
        77⤵
        System Location Discovery: System Language Discovery
        
        PID:2068
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrusyp.exe"
        76⤵
        System Location Discovery: System Language Discovery
        
        PID:1320
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlqdyhp.exe"
        75⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkvvup.exe"
        74⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbhauom.exe"
        73⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wybgk.exe"
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:1636
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpvurx.exe"
        71⤵
        System Location Discovery: System Language Discovery
        
        PID:1908
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxbsd.exe"
        70⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsksue.exe"
        69⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbpqhr.exe"
        68⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfhiuoui.exe"
        67⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrigwv.exe"
        66⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvdwlrwm.exe"
        65⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 180
        65⤵
        Program crash
        
        PID:2868
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsmlkfx.exe"
        64⤵
        System Location Discovery: System Language Discovery
        
        PID:708
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wapkwth.exe"
        63⤵
        System Location Discovery: System Language Discovery
        
        PID:912
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmohy.exe"
        62⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdlvgbxbj.exe"
        61⤵
        System Location Discovery: System Language Discovery
        
        PID:1324
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 996 -s 712
        61⤵
        Program crash
        
        PID:2400
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwggesi.exe"
        60⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wflqjlok.exe"
        59⤵
        System Location Discovery: System Language Discovery
        
        PID:844
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwogdj.exe"
        58⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuibant.exe"
        57⤵
        System Location Discovery: System Language Discovery
        
        PID:1780
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqrbrfv.exe"
        56⤵
        System Location Discovery: System Language Discovery
        
        PID:2768
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbpfb.exe"
        55⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdfdus.exe"
        54⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbehmfco.exe"
        53⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyacjk.exe"
        52⤵
        
        PID:1208
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqkgjjpij.exe"
        51⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnsuiwqc.exe"
        50⤵
        System Location Discovery: System Language Discovery
        
        PID:1004
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 808 -s 744
        50⤵
        Program crash
        
        PID:1096
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkn.exe"
        49⤵
        System Location Discovery: System Language Discovery
        
        PID:2384
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcjq.exe"
        48⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvecex.exe"
        47⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wroqd.exe"
        46⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyraid.exe"
        45⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wunynp.exe"
        44⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\weub.exe"
        43⤵
        
        PID:624
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxcwqv.exe"
        42⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgtjv.exe"
        41⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wddytxck.exe"
        40⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfxbcwvp.exe"
        39⤵
        
        PID:1376
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wri.exe"
        38⤵
        System Location Discovery: System Language Discovery
        
        PID:3000
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqoaho.exe"
        37⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpxlws.exe"
        36⤵
        
        PID:964
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmtvu.exe"
        35⤵
        
        PID:1036
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlch.exe"
        34⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whwfqdwbe.exe"
        33⤵
        System Location Discovery: System Language Discovery
        
        PID:2400
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwrty.exe"
        32⤵
        
        PID:700
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmdxydbjt.exe"
        31⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrwpmyu.exe"
        30⤵
        System Location Discovery: System Language Discovery
        
        PID:1648
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\weiwwgncf.exe"
        29⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2736 -s 180
        29⤵
        Program crash
        
        PID:2096
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxchuxx.exe"
        28⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wams.exe"
        27⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wygnhhujc.exe"
        26⤵
        System Location Discovery: System Language Discovery
        
        PID:1156
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtcxfx.exe"
        25⤵
        
        PID:624
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wok.exe"
        24⤵
        System Location Discovery: System Language Discovery
        
        PID:2604
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wehm.exe"
        23⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wibfrmhsg.exe"
        22⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wylis.exe"
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:2792
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcqvgl.exe"
        20⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvm.exe"
        19⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbgxsy.exe"
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:536
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrqdta.exe"
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:2236
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtvog.exe"
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:2500
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wschdknp.exe"
        15⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgmo.exe"
        14⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmryr.exe"
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:2544
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpvlfl.exe"
        12⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woxuh.exe"
        11⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuopslf.exe"
        10⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wevrq.exe"
        9⤵
        
        PID:880
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnaqdoaxs.exe"
        8⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wteyig.exe"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2576
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsagwpwv.exe"
        6⤵
        
        PID:2636
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1160 -s 720
        6⤵
        Loads dropped DLL
        Program crash
        
        PID:1828
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wid.exe"
        5⤵
        
        PID:1376
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wos.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1112
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wihx.exe"
    3⤵
    PID:2748
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\9ef5bdc61586c73eb4f775ab3bb16c9c_JaffaCakes118.exe"
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5GWW47WY\install[2].htm

Filesize
7KB

MD5
9463ba07743e8a9aca3b55373121b7c5

SHA1
4fdd121b2d2afd98881ab4cdb2d2a513ff5bb26f

SHA256
d5319a00eb7542e02c1e76cb20e2073c0411cd918e32094bc66f9147a0bfae6d

SHA512
6a1a97f37a5e607a3dc7f5fae343911a7f75d371a34ec27deb2971ee47388891f001d80959d37609d1c909af1674b4962da739e8a2cfce07e3d2ce6abf0c6ad7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\A8FW9BY6.txt

Filesize
132B

MD5
7205587f8ff7ddd5fec067073f7c9c94

SHA1
f8b438f4d66a232a69db2a3dbb4c0f1d2060a485

SHA256
87ccb2b9d3f6d496337aa7505db519c4bf476383597a8978486b114528f2bec1

SHA512
a144a18398a7083c716a17737b2146db29458802fe47f56c4c4f56e155a40bc3341da0405c84a13a2bd112f7e90ec725683bdcc53c65d362ed4e69c052b97756

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\CSRV9P38.txt

Filesize
131B

MD5
ba6c43945f7a0292573ba85edc7374d3

SHA1
628b1f9d31216f102317d8f6f1383d3db9754777

SHA256
4c06f13e9c459ee2b58232d2c080a64fb31e4a819b309469b227839d1842f3bd

SHA512
97876c55979b1c574cb32478dcbb44a179c1c9fd43a50efc7b98d877c084d19d0e05798b5ebe1da6eed1c8f065e869e39bcf88eda06f9462bd3fa5360f266918

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\VNIE34IK.txt

Filesize
132B

MD5
ca42ddbf5e8a056f489436064f17df21

SHA1
4aabcb0cc54a286df8ba9f41a53dc51b5796939f

SHA256
3f443bd8d3c62b4b2c694c06c54518eefe4d54e52b8228b139786843cf0f63e6

SHA512
b06898e92f4edc1f05b4f8593cb00e86446fd4f4bf0c38ebf18e7352e92bacd3434376d02a43a2ad0ec9682d689ff68ff2a85d4c7303f07643c837b0ccfc05dd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\VY9SCJV6.txt

Filesize
98B

MD5
451ae9b33e0aff9657335f46004605b4

SHA1
927c2bd389a115d50e0f9dde9ac703b02ae756de

SHA256
7b53cd3e320780a835cf7d3538c94fab179bb50329298d1ee720d502db3753fb

SHA512
62b5f7252cb6c1e17af0cdc657a3b761ae6d79a36099833d36b6c1562de0d29cc8274775a3a89a96f5891028cf0775bcfab97e0cd1bdaf2fd2436fa73aee4dea

Download Submit
\Windows\SysWOW64\wevrq.exe

Filesize
261KB

MD5
7a0b1d70b24ad2229c5f713ece255e22

SHA1
ce96cb53bc45153b2ea26ff956c51e81c4310f47

SHA256
0dcc558d8da9b7f2cc970323316d8866e25c27fe1f8a3883bf5e8e4da7650813

SHA512
9458e012b530909a109454054a674536a565bc5775ed07972241e3b7c9f75f145ec668533d74d52d5a85cfa47023cf1d05d44023f884135c0fb7fec56a9f8ec0

Download Submit
\Windows\SysWOW64\wid.exe

Filesize
261KB

MD5
63b6d152cf840c144be3aa52ca38a5bb

SHA1
334bbc14feb89cb6261beb8f72176efdfb30aa9e

SHA256
5444c61c20f5bac02f6e98326d5b28bf5245f02b8e811def9a6f02b08f771170

SHA512
0a1e34f2a46506a82336b499c508fe07b0b1d50039a3814ce38f8650860eb7da9ec47b0535b1f6123159e08f22f539be9c646018ce64210f9db8a1d3be1816d1

Download Submit
\Windows\SysWOW64\wihx.exe

Filesize
261KB

MD5
076b0a316233d23dc6693d23506ae56d

SHA1
ed964cd7738515536447e8e13af6be9dd1834f73

SHA256
d1335947282019b8d765a5fdf03f646df09ea28f2308072634eaa8c1bc191a08

SHA512
59578a804359e91eaf8afc4eadd7fa5292ae6617468ba394e903ff672c0cce4a656eb280a857003ce36907361a51980a0ec0705c85d47ac660d33b3bca406588

Download Submit
\Windows\SysWOW64\wnaqdoaxs.exe

Filesize
261KB

MD5
6b3874b6b7b395dafeee43bcb9d9d6e4

SHA1
94eb3399683871be7c6ddf3b4f6a157e27918c16

SHA256
135519ce97cba72787373dad7bfd29a6614590ce01e05b97812613228dc00915

SHA512
97858aa0d875a001a48e04b4dffc114896203126a208570c71911ecaf3173050b877ca879d1ac7d1ecea76d1d69b56169b6dafc3603ae363e89010a5d1698190

Download Submit
\Windows\SysWOW64\wos.exe

Filesize
261KB

MD5
2c31b443aee92659a5ba7b66e412b9e5

SHA1
2b982eccef7de2ab6cc70431b15e2afa46527d52

SHA256
0660342a5c5532d964016aa8e1364575d0a6f5e0d9328507dc35f5d971d44fa6

SHA512
23de96f72867699885d797670096899355f3eba2077c5c992751e38c78031b02b5a4ab660482845bf78f7257d87bd60a0d393c721af58e104c31e19c610be667

Download Submit
\Windows\SysWOW64\woxuh.exe

Filesize
261KB

MD5
e86f45a032403c6ef1a30c2d92be9dff

SHA1
d4c62671be30775d530637208dbbadde3f99c3ad

SHA256
969aee66770f1c89e0b7ea62332c2668ce6ec636b6da4f75093d382b7cf4efc7

SHA512
bb0a7cb898c9bbed4a25663d1aeb4a424628bff89131386df6e198955bd4ac480b8e81f4b5dd5973b4f6d5eda37cb74d730cba0a74d3c20a73427cee1be13614

Download Submit
\Windows\SysWOW64\wpvlfl.exe

Filesize
261KB

MD5
4cfddc148f58276b9278ad6c0ba25c6c

SHA1
fb952afb2ca72c4806268b7b9c8c1a45ec8d9f12

SHA256
083c6e4a19e7020dd175b127468422d42d73c1df8be5959fc531a8240f38ecfa

SHA512
fc6a5058210eede753e85b9e1db89a24190cd303006fa7df8efdd776448b531d0c308926b5c9a81073a45b692be57a724aa1625b34335679330a42ee76299268

Download Submit
\Windows\SysWOW64\wsagwpwv.exe

Filesize
261KB

MD5
eb47c152f0ac696fd6447aea877818d0

SHA1
97c7cb0db448a7ee0adddd3f07e34ac6cdd6e354

SHA256
5a3c20f519609e24ae20ced4266e6f2186a8741b5e313a0fe95e516feb30db49

SHA512
a6fe0cfd2ed404b60e52a41b4c0171022f93e1e0c5d1ce9a8fd40591e52a0edb3dc8d8146c95649b8f473090b1509d8b1f302cb155d2f7f152460328c83605e9

Download Submit
\Windows\SysWOW64\wteyig.exe

Filesize
261KB

MD5
f9a025a62f6b6f4a26f4b6fa2f7caf6f

SHA1
08a5cc1b89814eebdfbe717ccd00627bc8a16ff0

SHA256
8c881a91c5a5aff1c6afaabec915adf51e7dda50987c561d2845398eb7aaa649

SHA512
83e6f13fe637abb8bbaac8ead247eaed3c1dd2dfd62e93966e262bf1f25b2786e5270e01e5864a186ef26b6add139d05865bf2e06c8a2e913dba480111cb1a98

Download Submit
\Windows\SysWOW64\wuopslf.exe

Filesize
261KB

MD5
c768756708b630b9c7e03036947a41fb

SHA1
547721959011b29d2b7b4f6ac3525f199252ddcd

SHA256
7b6285b314554255795187c2bd0a14ccf54150a3b0f02b3b145ea67e83d15ef1

SHA512
f043da97995a5cd001c082ca9164b8344db735bfed691235d841af5461e7bf886791790afd8a0baf82bfd54008f1ddb2bb615b53c3166a7bede5f3f6d32f8a65

Download Submit
memory/304-80-0x0000000004030000-0x0000000004047000-memory.dmp

Filesize
92KB

Download
memory/304-89-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/964-163-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/964-156-0x0000000004020000-0x0000000004037000-memory.dmp

Filesize
92KB

Download
memory/964-155-0x0000000004020000-0x0000000004037000-memory.dmp

Filesize
92KB

Download
memory/1160-159-0x00000000031F0000-0x0000000003207000-memory.dmp

Filesize
92KB

Download
memory/1160-158-0x00000000031F0000-0x0000000003207000-memory.dmp

Filesize
92KB

Download
memory/1160-157-0x00000000031F0000-0x0000000003207000-memory.dmp

Filesize
92KB

Download
memory/1160-148-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1160-108-0x00000000031F0000-0x0000000003207000-memory.dmp

Filesize
92KB

Download
memory/1160-107-0x00000000031F0000-0x0000000003207000-memory.dmp

Filesize
92KB

Download
memory/1160-106-0x00000000031F0000-0x0000000003207000-memory.dmp

Filesize
92KB

Download
memory/1232-417-0x0000000003B60000-0x0000000003B77000-memory.dmp

Filesize
92KB

Download
memory/1232-416-0x0000000003B60000-0x0000000003B77000-memory.dmp

Filesize
92KB

Download
memory/1232-412-0x0000000003B50000-0x0000000003B67000-memory.dmp

Filesize
92KB

Download
memory/1232-418-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1516-133-0x0000000003620000-0x0000000003637000-memory.dmp

Filesize
92KB

Download
memory/1516-132-0x0000000003620000-0x0000000003637000-memory.dmp

Filesize
92KB

Download
memory/1516-131-0x0000000003620000-0x0000000003637000-memory.dmp

Filesize
92KB

Download
memory/1516-135-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1568-320-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1568-334-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1672-448-0x00000000035A0000-0x00000000035B7000-memory.dmp

Filesize
92KB

Download
memory/1672-447-0x00000000035A0000-0x00000000035B7000-memory.dmp

Filesize
92KB

Download
memory/1704-349-0x0000000003530000-0x0000000003547000-memory.dmp

Filesize
92KB

Download
memory/1704-344-0x0000000003360000-0x0000000003377000-memory.dmp

Filesize
92KB

Download
memory/1704-13-0x00000000023E0000-0x00000000023F7000-memory.dmp

Filesize
92KB

Download
memory/1704-12-0x00000000023E0000-0x00000000023F7000-memory.dmp

Filesize
92KB

Download
memory/1704-347-0x0000000003360000-0x0000000003377000-memory.dmp

Filesize
92KB

Download
memory/1704-24-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1704-20-0x0000000003AA0000-0x0000000003AB7000-memory.dmp

Filesize
92KB

Download
memory/1704-21-0x0000000003AA0000-0x0000000003AB7000-memory.dmp

Filesize
92KB

Download
memory/1704-351-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1704-0-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1956-199-0x0000000003370000-0x0000000003387000-memory.dmp

Filesize
92KB

Download
memory/1956-207-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1956-205-0x0000000003770000-0x0000000003787000-memory.dmp

Filesize
92KB

Download
memory/1956-185-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2012-319-0x0000000000AA0000-0x0000000000AB7000-memory.dmp

Filesize
92KB

Download
memory/2012-318-0x0000000000AA0000-0x0000000000AB7000-memory.dmp

Filesize
92KB

Download
memory/2012-321-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2232-186-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2232-180-0x0000000003B80000-0x0000000003B97000-memory.dmp

Filesize
92KB

Download
memory/2232-181-0x0000000003B80000-0x0000000003B97000-memory.dmp

Filesize
92KB

Download
memory/2232-161-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2232-182-0x0000000003B80000-0x0000000003B97000-memory.dmp

Filesize
92KB

Download
memory/2252-434-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2252-428-0x0000000002080000-0x0000000002097000-memory.dmp

Filesize
92KB

Download
memory/2252-432-0x0000000002240000-0x0000000002257000-memory.dmp

Filesize
92KB

Download
memory/2252-433-0x0000000002240000-0x0000000002257000-memory.dmp

Filesize
92KB

Download
memory/2412-244-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2412-258-0x0000000003EF0000-0x0000000003F07000-memory.dmp

Filesize
92KB

Download
memory/2412-257-0x0000000003EF0000-0x0000000003F07000-memory.dmp

Filesize
92KB

Download
memory/2412-260-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2508-305-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2508-290-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2508-304-0x0000000002600000-0x0000000002617000-memory.dmp

Filesize
92KB

Download
memory/2604-276-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2604-291-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2604-286-0x0000000003510000-0x0000000003527000-memory.dmp

Filesize
92KB

Download
memory/2704-350-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2704-364-0x0000000003B10000-0x0000000003B27000-memory.dmp

Filesize
92KB

Download
memory/2704-366-0x0000000003B20000-0x0000000003B37000-memory.dmp

Filesize
92KB

Download
memory/2704-368-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2704-365-0x0000000003B20000-0x0000000003B37000-memory.dmp

Filesize
92KB

Download
memory/2724-383-0x00000000034A0000-0x00000000034B7000-memory.dmp

Filesize
92KB

Download
memory/2724-367-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2724-384-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2724-380-0x0000000003490000-0x00000000034A7000-memory.dmp

Filesize
92KB

Download
memory/2724-382-0x00000000034A0000-0x00000000034B7000-memory.dmp

Filesize
92KB

Download
memory/2728-68-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2728-66-0x0000000003540000-0x0000000003557000-memory.dmp

Filesize
92KB

Download
memory/2728-60-0x0000000003540000-0x0000000003557000-memory.dmp

Filesize
92KB

Download
memory/2728-46-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2776-399-0x0000000003920000-0x0000000003937000-memory.dmp

Filesize
92KB

Download
memory/2776-402-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2776-401-0x0000000003EF0000-0x0000000003F07000-memory.dmp

Filesize
92KB

Download
memory/2776-400-0x0000000003EF0000-0x0000000003F07000-memory.dmp

Filesize
92KB

Download
memory/2776-385-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2776-398-0x0000000003920000-0x0000000003937000-memory.dmp

Filesize
92KB

Download
memory/2832-227-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2832-225-0x0000000004020000-0x0000000004037000-memory.dmp

Filesize
92KB

Download
memory/2832-220-0x0000000004010000-0x0000000004027000-memory.dmp

Filesize
92KB

Download
memory/2832-226-0x0000000004020000-0x0000000004037000-memory.dmp

Filesize
92KB

Download
memory/2888-43-0x0000000003E30000-0x0000000003E47000-memory.dmp

Filesize
92KB

Download
memory/2888-44-0x0000000003E30000-0x0000000003E47000-memory.dmp

Filesize
92KB

Download
memory/2888-48-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2888-42-0x0000000003E20000-0x0000000003E37000-memory.dmp

Filesize
92KB

Download
memory/2988-237-0x00000000031F0000-0x0000000003207000-memory.dmp

Filesize
92KB

Download
memory/2988-243-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2988-242-0x00000000031F0000-0x0000000003207000-memory.dmp

Filesize
92KB

Download
memory/2988-241-0x00000000031F0000-0x0000000003207000-memory.dmp

Filesize
92KB

Download
memory/3036-259-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3036-272-0x0000000003EA0000-0x0000000003EB7000-memory.dmp

Filesize
92KB

Download
memory/3036-274-0x0000000003EA0000-0x0000000003EB7000-memory.dmp

Filesize
92KB

Download
memory/3036-275-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download