metasploit | 9a72961f7e496936d6ba0c059fd83896e25cec2a629787df149a701ed95107e1

Analysis

max time kernel
150s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
30/03/2025, 15:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_98d5da824fabf016acea65ce4f45b4ad.exe
Size

275KB
MD5

98d5da824fabf016acea65ce4f45b4ad
SHA1

9e24b0782145056654a531125416901784f65a33
SHA256

9a72961f7e496936d6ba0c059fd83896e25cec2a629787df149a701ed95107e1
SHA512

c18eb94030b507e54b8dd7d593f602e249ffd6bcd09a777f0541bdb39d3989ba1db32c6a2f480b0232b0fe92a0151a74f10f8e63f6542c08907a9778f8a4a82c
SSDEEP

6144:ZUZj3LOq20acQcCY/RBUlj/8IBaNgwqD3t5kgBwfg/JhG8N4Ccs+R:2Zj3LzZN0/vBaNgt5BwKJhXNWd

Score

10^/10

metasploit backdoor discovery trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Executes dropped EXE 64 IoCs

pid	Process
4796	tdsvlaw.exe
4860	bebwkea.exe
1020	nzunaxy.exe
2600	diawldw.exe
3596	lukksft.exe
1040	akftjtx.exe
628	soomwfr.exe
704	iaxichw.exe
5072	xqsrtos.exe
2760	iqqxddo.exe
1264	xolgnkr.exe
5232	negheqv.exe
5064	cqpdsss.exe
2480	kolzbuj.exe
372	aavuhwo.exe
4704	pmmqwgk.exe
4868	wyywyon.exe
612	mlqsers.exe
3572	xdfzogg.exe
3388	mbahfmj.exe
996	unujrii.exe
5656	jzeffse.exe
5984	oyiaypk.exe
1112	jpwuyge.exe
5184	ezkshjc.exe
3656	zgeduac.exe
2136	rnqkcqv.exe
5512	eusvpqv.exe
4428	yeglytt.exe
4660	qpdfinc.exe
2756	ojlirkt.exe
4456	bmrhanr.exe
680	vstsfnr.exe
1344	fwdexer.exe
3088	yaefkqm.exe
1452	nqzgbwq.exe
4628	xtzhgik.exe
920	qxiastf.exe
912	imugajh.exe
5732	xzdcoul.exe
3324	hgpiekf.exe
2604	akqjiva.exe
848	srbqylb.exe
1284	kgnwfbd.exe
1008	ckoxsny.exe
5468	mrzdzcz.exe
2820	bpcerjd.exe
3516	uissaqr.exe
5460	jfnbkxu.exe
60	ugkhtmq.exe
4996	jwfqltu.exe
5860	bgujvnu.exe
5044	uhrpfuq.exe
1948	mksrjgl.exe
2168	tinrbmp.exe
4572	lpygqcq.exe
4932	bfthzrm.exe
4544	tjcamco.exe
1072	ejrookc.exe
4700	vcohgel.exe
2172	njannue.exe
5368	gnaoafh.exe
4192	ycmvivb.exe
4592	ikybxlc.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\eusvpqv.exe	rnqkcqv.exe
File created	C:\Windows\SysWOW64\bgujvnu.exe	jwfqltu.exe
File created	C:\Windows\SysWOW64\unujrii.exe	mbahfmj.exe
File created	C:\Windows\SysWOW64\qpdfinc.exe	yeglytt.exe
File opened for modification	C:\Windows\SysWOW64\uhrpfuq.exe	bgujvnu.exe
File opened for modification	C:\Windows\SysWOW64\xqsrtos.exe	iaxichw.exe
File created	C:\Windows\SysWOW64\mbahfmj.exe	xdfzogg.exe
File opened for modification	C:\Windows\SysWOW64\fwdexer.exe	vstsfnr.exe
File created	C:\Windows\SysWOW64\nbmtxmy.exe	sgvvurf.exe
File opened for modification	C:\Windows\SysWOW64\rnqkcqv.exe	zgeduac.exe
File created	C:\Windows\SysWOW64\eusvpqv.exe	rnqkcqv.exe
File created	C:\Windows\SysWOW64\imugajh.exe	qxiastf.exe
File created	C:\Windows\SysWOW64\hgpiekf.exe	xzdcoul.exe
File created	C:\Windows\SysWOW64\akqjiva.exe	hgpiekf.exe
File opened for modification	C:\Windows\SysWOW64\jfnbkxu.exe	uissaqr.exe
File opened for modification	C:\Windows\SysWOW64\jwfqltu.exe	ugkhtmq.exe
File created	C:\Windows\SysWOW64\iaxichw.exe	soomwfr.exe
File created	C:\Windows\SysWOW64\aavuhwo.exe	kolzbuj.exe
File opened for modification	C:\Windows\SysWOW64\oyiaypk.exe	jzeffse.exe
File created	C:\Windows\SysWOW64\fwdexer.exe	vstsfnr.exe
File created	C:\Windows\SysWOW64\nqzgbwq.exe	yaefkqm.exe
File opened for modification	C:\Windows\SysWOW64\imugajh.exe	qxiastf.exe
File created	C:\Windows\SysWOW64\kgnwfbd.exe	srbqylb.exe
File created	C:\Windows\SysWOW64\mrzdzcz.exe	ckoxsny.exe
File created	C:\Windows\SysWOW64\tdsvlaw.exe	JaffaCakes118_98d5da824fabf016acea65ce4f45b4ad.exe
File created	C:\Windows\SysWOW64\ezkshjc.exe	jpwuyge.exe
File opened for modification	C:\Windows\SysWOW64\ojlirkt.exe	qpdfinc.exe
File created	C:\Windows\SysWOW64\ugkhtmq.exe	jfnbkxu.exe
File opened for modification	C:\Windows\SysWOW64\vcohgel.exe	ejrookc.exe
File opened for modification	C:\Windows\SysWOW64\tdsvlaw.exe	JaffaCakes118_98d5da824fabf016acea65ce4f45b4ad.exe
File opened for modification	C:\Windows\SysWOW64\iqqxddo.exe	xqsrtos.exe
File created	C:\Windows\SysWOW64\kolzbuj.exe	cqpdsss.exe
File opened for modification	C:\Windows\SysWOW64\bpcerjd.exe	mrzdzcz.exe
File created	C:\Windows\SysWOW64\lpygqcq.exe	tinrbmp.exe
File opened for modification	C:\Windows\SysWOW64\xolgnkr.exe	iqqxddo.exe
File opened for modification	C:\Windows\SysWOW64\mbahfmj.exe	xdfzogg.exe
File opened for modification	C:\Windows\SysWOW64\ugkhtmq.exe	jfnbkxu.exe
File created	C:\Windows\SysWOW64\jfnbkxu.exe	uissaqr.exe
File created	C:\Windows\SysWOW64\mksrjgl.exe	uhrpfuq.exe
File opened for modification	C:\Windows\SysWOW64\vstsfnr.exe	bmrhanr.exe
File opened for modification	C:\Windows\SysWOW64\xzdcoul.exe	imugajh.exe
File created	C:\Windows\SysWOW64\ejrookc.exe	tjcamco.exe
File created	C:\Windows\SysWOW64\negheqv.exe	xolgnkr.exe
File opened for modification	C:\Windows\SysWOW64\pmmqwgk.exe	aavuhwo.exe
File opened for modification	C:\Windows\SysWOW64\zgeduac.exe	ezkshjc.exe
File opened for modification	C:\Windows\SysWOW64\xtzhgik.exe	nqzgbwq.exe
File opened for modification	C:\Windows\SysWOW64\qxiastf.exe	xtzhgik.exe
File opened for modification	C:\Windows\SysWOW64\bgujvnu.exe	jwfqltu.exe
File opened for modification	C:\Windows\SysWOW64\soomwfr.exe	akftjtx.exe
File opened for modification	C:\Windows\SysWOW64\negheqv.exe	xolgnkr.exe
File created	C:\Windows\SysWOW64\tjcamco.exe	bfthzrm.exe
File created	C:\Windows\SysWOW64\aoyckxx.exe	ikybxlc.exe
File created	C:\Windows\SysWOW64\xdfzogg.exe	mlqsers.exe
File opened for modification	C:\Windows\SysWOW64\bebwkea.exe	tdsvlaw.exe
File created	C:\Windows\SysWOW64\xqsrtos.exe	iaxichw.exe
File created	C:\Windows\SysWOW64\xolgnkr.exe	iqqxddo.exe
File opened for modification	C:\Windows\SysWOW64\mlqsers.exe	wyywyon.exe
File created	C:\Windows\SysWOW64\oyiaypk.exe	jzeffse.exe
File created	C:\Windows\SysWOW64\bmrhanr.exe	ojlirkt.exe
File created	C:\Windows\SysWOW64\yaefkqm.exe	fwdexer.exe
File opened for modification	C:\Windows\SysWOW64\yaefkqm.exe	fwdexer.exe
File created	C:\Windows\SysWOW64\soomwfr.exe	akftjtx.exe
File opened for modification	C:\Windows\SysWOW64\yeglytt.exe	eusvpqv.exe
File opened for modification	C:\Windows\SysWOW64\srbqylb.exe	akqjiva.exe

Program crash 64 IoCs

pid	pid_target	Process	procid_target
3456	5956	WerFault.exe	84
5092	4796	WerFault.exe	93
4740	4860	WerFault.exe	98
2336	1020	WerFault.exe	102
2004	2600	WerFault.exe	107
5628	3596	WerFault.exe	110
4712	1040	WerFault.exe	113
4484	628	WerFault.exe	116
3216	704	WerFault.exe	119
3324	5072	WerFault.exe	122
848	2760	WerFault.exe	125
1284	1264	WerFault.exe	128
6140	5232	WerFault.exe	131
1436	5064	WerFault.exe	135
5928	2480	WerFault.exe	138
4788	372	WerFault.exe	142
4840	4704	WerFault.exe	147
1544	4868	WerFault.exe	154
3620	612	WerFault.exe	157
4536	3572	WerFault.exe	160
1724	3388	WerFault.exe	163
1084	996	WerFault.exe	166
4076	5656	WerFault.exe	169
5032	5984	WerFault.exe	172
2160	1112	WerFault.exe	175
5912	5184	WerFault.exe
1140	3656	WerFault.exe	181
3628	2136	WerFault.exe
2820	5512	WerFault.exe	187
5364	4428	WerFault.exe
4128	4660	WerFault.exe
4960	2756	WerFault.exe
5996	4456	WerFault.exe
4936	680	WerFault.exe	203
4772	1344	WerFault.exe	206
2332	3088	WerFault.exe	209
3804	1452	WerFault.exe	212
2096	4628	WerFault.exe	215
236	920	WerFault.exe	218
3680	912	WerFault.exe	221
3904	5732	WerFault.exe	224
788	3324	WerFault.exe	227
2392	2604	WerFault.exe	230
3328	848	WerFault.exe	233
2260	1284	WerFault.exe	236
5164	1008	WerFault.exe	239
4696	5468	WerFault.exe	242
5884	2820	WerFault.exe	245
5140	3516	WerFault.exe	248
6040	5460	WerFault.exe	251
4756	60	WerFault.exe	254
6068	4996	WerFault.exe	257
4492	5860	WerFault.exe	260
2144	5044	WerFault.exe	263
2184	1948	WerFault.exe	266
2932	2168	WerFault.exe	269
3096	4572	WerFault.exe	272
5904	4932	WerFault.exe	275
4272	4544	WerFault.exe	278
236	1072	WerFault.exe	281
1080	4700	WerFault.exe	284
5392	2172	WerFault.exe	287
2500	5368	WerFault.exe	290
2524	4192	WerFault.exe	293

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	negheqv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	oyiaypk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ugkhtmq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	soomwfr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uissaqr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pmmqwgk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rnqkcqv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qpdfinc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ckoxsny.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jfnbkxu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bgujvnu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mksrjgl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	akftjtx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ojlirkt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fwdexer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	diawldw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nqzgbwq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xqsrtos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wyywyon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mbahfmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ezkshjc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	akqjiva.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	njannue.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tdsvlaw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nzunaxy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jpwuyge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eusvpqv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qxiastf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tinrbmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sgvvurf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jzeffse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zgeduac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	imugajh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	srbqylb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_98d5da824fabf016acea65ce4f45b4ad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iaxichw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kolzbuj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mlqsers.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unujrii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yaefkqm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xtzhgik.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cqpdsss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bmrhanr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vstsfnr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bpcerjd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jwfqltu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aoyckxx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uhrpfuq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ejrookc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ycmvivb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ikybxlc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lukksft.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yeglytt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xzdcoul.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vcohgel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gnaoafh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xolgnkr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aavuhwo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kgnwfbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bfthzrm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdfzogg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mrzdzcz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iqqxddo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hgpiekf.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5956 wrote to memory of 4796	5956	JaffaCakes118_98d5da824fabf016acea65ce4f45b4ad.exe	93
PID 5956 wrote to memory of 4796	5956	JaffaCakes118_98d5da824fabf016acea65ce4f45b4ad.exe	93
PID 5956 wrote to memory of 4796	5956	JaffaCakes118_98d5da824fabf016acea65ce4f45b4ad.exe	93
PID 4796 wrote to memory of 4860	4796	tdsvlaw.exe	98
PID 4796 wrote to memory of 4860	4796	tdsvlaw.exe	98
PID 4796 wrote to memory of 4860	4796	tdsvlaw.exe	98
PID 4860 wrote to memory of 1020	4860	bebwkea.exe	102
PID 4860 wrote to memory of 1020	4860	bebwkea.exe	102
PID 4860 wrote to memory of 1020	4860	bebwkea.exe	102
PID 1020 wrote to memory of 2600	1020	nzunaxy.exe	107
PID 1020 wrote to memory of 2600	1020	nzunaxy.exe	107
PID 1020 wrote to memory of 2600	1020	nzunaxy.exe	107
PID 2600 wrote to memory of 3596	2600	diawldw.exe	110
PID 2600 wrote to memory of 3596	2600	diawldw.exe	110
PID 2600 wrote to memory of 3596	2600	diawldw.exe	110
PID 3596 wrote to memory of 1040	3596	lukksft.exe	113
PID 3596 wrote to memory of 1040	3596	lukksft.exe	113
PID 3596 wrote to memory of 1040	3596	lukksft.exe	113
PID 1040 wrote to memory of 628	1040	akftjtx.exe	116
PID 1040 wrote to memory of 628	1040	akftjtx.exe	116
PID 1040 wrote to memory of 628	1040	akftjtx.exe	116
PID 628 wrote to memory of 704	628	soomwfr.exe	119
PID 628 wrote to memory of 704	628	soomwfr.exe	119
PID 628 wrote to memory of 704	628	soomwfr.exe	119
PID 704 wrote to memory of 5072	704	iaxichw.exe	122
PID 704 wrote to memory of 5072	704	iaxichw.exe	122
PID 704 wrote to memory of 5072	704	iaxichw.exe	122
PID 5072 wrote to memory of 2760	5072	xqsrtos.exe	125
PID 5072 wrote to memory of 2760	5072	xqsrtos.exe	125
PID 5072 wrote to memory of 2760	5072	xqsrtos.exe	125
PID 2760 wrote to memory of 1264	2760	iqqxddo.exe	128
PID 2760 wrote to memory of 1264	2760	iqqxddo.exe	128
PID 2760 wrote to memory of 1264	2760	iqqxddo.exe	128
PID 1264 wrote to memory of 5232	1264	xolgnkr.exe	131
PID 1264 wrote to memory of 5232	1264	xolgnkr.exe	131
PID 1264 wrote to memory of 5232	1264	xolgnkr.exe	131
PID 5232 wrote to memory of 5064	5232	negheqv.exe	135
PID 5232 wrote to memory of 5064	5232	negheqv.exe	135
PID 5232 wrote to memory of 5064	5232	negheqv.exe	135
PID 5064 wrote to memory of 2480	5064	cqpdsss.exe	138
PID 5064 wrote to memory of 2480	5064	cqpdsss.exe	138
PID 5064 wrote to memory of 2480	5064	cqpdsss.exe	138
PID 2480 wrote to memory of 372	2480	kolzbuj.exe	142
PID 2480 wrote to memory of 372	2480	kolzbuj.exe	142
PID 2480 wrote to memory of 372	2480	kolzbuj.exe	142
PID 372 wrote to memory of 4704	372	aavuhwo.exe	147
PID 372 wrote to memory of 4704	372	aavuhwo.exe	147
PID 372 wrote to memory of 4704	372	aavuhwo.exe	147
PID 4704 wrote to memory of 4868	4704	pmmqwgk.exe	154
PID 4704 wrote to memory of 4868	4704	pmmqwgk.exe	154
PID 4704 wrote to memory of 4868	4704	pmmqwgk.exe	154
PID 4868 wrote to memory of 612	4868	wyywyon.exe	157
PID 4868 wrote to memory of 612	4868	wyywyon.exe	157
PID 4868 wrote to memory of 612	4868	wyywyon.exe	157
PID 612 wrote to memory of 3572	612	mlqsers.exe	160
PID 612 wrote to memory of 3572	612	mlqsers.exe	160
PID 612 wrote to memory of 3572	612	mlqsers.exe	160
PID 3572 wrote to memory of 3388	3572	xdfzogg.exe	163
PID 3572 wrote to memory of 3388	3572	xdfzogg.exe	163
PID 3572 wrote to memory of 3388	3572	xdfzogg.exe	163
PID 3388 wrote to memory of 996	3388	mbahfmj.exe	166
PID 3388 wrote to memory of 996	3388	mbahfmj.exe	166
PID 3388 wrote to memory of 996	3388	mbahfmj.exe	166
PID 996 wrote to memory of 5656	996	unujrii.exe	169

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_98d5da824fabf016acea65ce4f45b4ad.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_98d5da824fabf016acea65ce4f45b4ad.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5956
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5956 -s 388
  2⤵
  - Program crash
  PID:3456
- C:\Windows\SysWOW64\tdsvlaw.exe
  C:\Windows\system32\tdsvlaw.exe 1388 "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_98d5da824fabf016acea65ce4f45b4ad.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4796
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4796 -s 388
    3⤵
    - Program crash
    PID:5092
- - C:\Windows\SysWOW64\bebwkea.exe
    C:\Windows\system32\bebwkea.exe 1380 "C:\Windows\SysWOW64\tdsvlaw.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4860
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 388
      4⤵
      Program crash
      PID:4740
  - - C:\Windows\SysWOW64\nzunaxy.exe
      C:\Windows\system32\nzunaxy.exe 1392 "C:\Windows\SysWOW64\bebwkea.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1020
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1020 -s 388
        5⤵
        Program crash
        
        PID:2336
    - - C:\Windows\SysWOW64\diawldw.exe
        
        C:\Windows\system32\diawldw.exe 1400 "C:\Windows\SysWOW64\nzunaxy.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2600
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2600 -s 388
        6⤵
        Program crash
        
        PID:2004
      - C:\Windows\SysWOW64\lukksft.exe
        
        C:\Windows\system32\lukksft.exe 1396 "C:\Windows\SysWOW64\diawldw.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3596
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3596 -s 388
        7⤵
        Program crash
        
        PID:5628
        
        C:\Windows\SysWOW64\akftjtx.exe
        
        C:\Windows\system32\akftjtx.exe 1280 "C:\Windows\SysWOW64\lukksft.exe"
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1040
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1040 -s 388
        8⤵
        Program crash
        
        PID:4712
        
        C:\Windows\SysWOW64\soomwfr.exe
        
        C:\Windows\system32\soomwfr.exe 1288 "C:\Windows\SysWOW64\akftjtx.exe"
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:628
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 628 -s 388
        9⤵
        Program crash
        
        PID:4484
        
        C:\Windows\SysWOW64\iaxichw.exe
        
        C:\Windows\system32\iaxichw.exe 1432 "C:\Windows\SysWOW64\soomwfr.exe"
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:704
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 704 -s 388
        10⤵
        Program crash
        
        PID:3216
        
        C:\Windows\SysWOW64\xqsrtos.exe
        
        C:\Windows\system32\xqsrtos.exe 1316 "C:\Windows\SysWOW64\iaxichw.exe"
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5072
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5072 -s 388
        11⤵
        Program crash
        
        PID:3324
        
        C:\Windows\SysWOW64\iqqxddo.exe
        
        C:\Windows\system32\iqqxddo.exe 1440 "C:\Windows\SysWOW64\xqsrtos.exe"
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2760
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2760 -s 388
        12⤵
        Program crash
        
        PID:848
        
        C:\Windows\SysWOW64\xolgnkr.exe
        
        C:\Windows\system32\xolgnkr.exe 1456 "C:\Windows\SysWOW64\iqqxddo.exe"
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1264
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1264 -s 388
        13⤵
        Program crash
        
        PID:1284
        
        C:\Windows\SysWOW64\negheqv.exe
        
        C:\Windows\system32\negheqv.exe 1460 "C:\Windows\SysWOW64\xolgnkr.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5232
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5232 -s 396
        14⤵
        Program crash
        
        PID:6140
        
        C:\Windows\SysWOW64\cqpdsss.exe
        
        C:\Windows\system32\cqpdsss.exe 1300 "C:\Windows\SysWOW64\negheqv.exe"
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5064
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 388
        15⤵
        Program crash
        
        PID:1436
        
        C:\Windows\SysWOW64\kolzbuj.exe
        
        C:\Windows\system32\kolzbuj.exe 1320 "C:\Windows\SysWOW64\cqpdsss.exe"
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2480
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 388
        16⤵
        Program crash
        
        PID:5928
        
        C:\Windows\SysWOW64\aavuhwo.exe
        
        C:\Windows\system32\aavuhwo.exe 1480 "C:\Windows\SysWOW64\kolzbuj.exe"
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:372
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 372 -s 392
        17⤵
        Program crash
        
        PID:4788
        
        C:\Windows\SysWOW64\pmmqwgk.exe
        
        C:\Windows\system32\pmmqwgk.exe 1312 "C:\Windows\SysWOW64\aavuhwo.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4704
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4704 -s 388
        18⤵
        Program crash
        
        PID:4840
        
        C:\Windows\SysWOW64\wyywyon.exe
        
        C:\Windows\system32\wyywyon.exe 1496 "C:\Windows\SysWOW64\pmmqwgk.exe"
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4868
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4868 -s 388
        19⤵
        Program crash
        
        PID:1544
        
        C:\Windows\SysWOW64\mlqsers.exe
        
        C:\Windows\system32\mlqsers.exe 1356 "C:\Windows\SysWOW64\wyywyon.exe"
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:612
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 612 -s 388
        20⤵
        Program crash
        
        PID:3620
        
        C:\Windows\SysWOW64\xdfzogg.exe
        
        C:\Windows\system32\xdfzogg.exe 1340 "C:\Windows\SysWOW64\mlqsers.exe"
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3572
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3572 -s 388
        21⤵
        Program crash
        
        PID:4536
        
        C:\Windows\SysWOW64\mbahfmj.exe
        
        C:\Windows\system32\mbahfmj.exe 1368 "C:\Windows\SysWOW64\xdfzogg.exe"
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3388
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3388 -s 388
        22⤵
        Program crash
        
        PID:1724
        
        C:\Windows\SysWOW64\unujrii.exe
        
        C:\Windows\system32\unujrii.exe 1536 "C:\Windows\SysWOW64\mbahfmj.exe"
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:996
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 996 -s 388
        23⤵
        Program crash
        
        PID:1084
        
        C:\Windows\SysWOW64\jzeffse.exe
        
        C:\Windows\system32\jzeffse.exe 1376 "C:\Windows\SysWOW64\unujrii.exe"
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5656
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5656 -s 388
        24⤵
        Program crash
        
        PID:4076
        
        C:\Windows\SysWOW64\oyiaypk.exe
        
        C:\Windows\system32\oyiaypk.exe 1544 "C:\Windows\SysWOW64\jzeffse.exe"
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5984
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5984 -s 388
        25⤵
        Program crash
        
        PID:5032
        
        C:\Windows\SysWOW64\jpwuyge.exe
        
        C:\Windows\system32\jpwuyge.exe 1560 "C:\Windows\SysWOW64\oyiaypk.exe"
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1112
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 388
        26⤵
        Program crash
        
        PID:2160
        
        C:\Windows\SysWOW64\ezkshjc.exe
        
        C:\Windows\system32\ezkshjc.exe 1556 "C:\Windows\SysWOW64\jpwuyge.exe"
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5184
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5184 -s 388
        27⤵
        Program crash
        
        PID:5912
        
        C:\Windows\SysWOW64\zgeduac.exe
        
        C:\Windows\system32\zgeduac.exe 1528 "C:\Windows\SysWOW64\ezkshjc.exe"
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3656
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3656 -s 388
        28⤵
        Program crash
        
        PID:1140
        
        C:\Windows\SysWOW64\rnqkcqv.exe
        
        C:\Windows\system32\rnqkcqv.exe 1576 "C:\Windows\SysWOW64\zgeduac.exe"
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2136
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2136 -s 392
        29⤵
        Program crash
        
        PID:3628
        
        C:\Windows\SysWOW64\eusvpqv.exe
        
        C:\Windows\system32\eusvpqv.exe 1584 "C:\Windows\SysWOW64\rnqkcqv.exe"
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5512
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5512 -s 388
        30⤵
        Program crash
        
        PID:2820
        
        C:\Windows\SysWOW64\yeglytt.exe
        
        C:\Windows\system32\yeglytt.exe 1600 "C:\Windows\SysWOW64\eusvpqv.exe"
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4428
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4428 -s 388
        31⤵
        Program crash
        
        PID:5364
        
        C:\Windows\SysWOW64\qpdfinc.exe
        
        C:\Windows\system32\qpdfinc.exe 1616 "C:\Windows\SysWOW64\yeglytt.exe"
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4660
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4660 -s 388
        32⤵
        Program crash
        
        PID:4128
        
        C:\Windows\SysWOW64\ojlirkt.exe
        
        C:\Windows\system32\ojlirkt.exe 1612 "C:\Windows\SysWOW64\qpdfinc.exe"
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2756
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2756 -s 392
        33⤵
        Program crash
        
        PID:4960
        
        C:\Windows\SysWOW64\bmrhanr.exe
        
        C:\Windows\system32\bmrhanr.exe 1624 "C:\Windows\SysWOW64\ojlirkt.exe"
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4456
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4456 -s 388
        34⤵
        Program crash
        
        PID:5996
        
        C:\Windows\SysWOW64\vstsfnr.exe
        
        C:\Windows\system32\vstsfnr.exe 1448 "C:\Windows\SysWOW64\bmrhanr.exe"
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:680
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 680 -s 388
        35⤵
        Program crash
        
        PID:4936
        
        C:\Windows\SysWOW64\fwdexer.exe
        
        C:\Windows\system32\fwdexer.exe 1472 "C:\Windows\SysWOW64\vstsfnr.exe"
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1344
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1344 -s 388
        36⤵
        Program crash
        
        PID:4772
        
        C:\Windows\SysWOW64\yaefkqm.exe
        
        C:\Windows\system32\yaefkqm.exe 1640 "C:\Windows\SysWOW64\fwdexer.exe"
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3088
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3088 -s 388
        37⤵
        Program crash
        
        PID:2332
        
        C:\Windows\SysWOW64\nqzgbwq.exe
        
        C:\Windows\system32\nqzgbwq.exe 1504 "C:\Windows\SysWOW64\yaefkqm.exe"
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1452
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1452 -s 388
        38⤵
        Program crash
        
        PID:3804
        
        C:\Windows\SysWOW64\xtzhgik.exe
        
        C:\Windows\system32\xtzhgik.exe 1656 "C:\Windows\SysWOW64\nqzgbwq.exe"
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4628
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 388
        39⤵
        Program crash
        
        PID:2096
        
        C:\Windows\SysWOW64\qxiastf.exe
        
        C:\Windows\system32\qxiastf.exe 1488 "C:\Windows\SysWOW64\xtzhgik.exe"
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:920
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 920 -s 388
        40⤵
        Program crash
        
        PID:236
        
        C:\Windows\SysWOW64\imugajh.exe
        
        C:\Windows\system32\imugajh.exe 1512 "C:\Windows\SysWOW64\qxiastf.exe"
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:912
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 912 -s 388
        41⤵
        Program crash
        
        PID:3680
        
        C:\Windows\SysWOW64\xzdcoul.exe
        
        C:\Windows\system32\xzdcoul.exe 1520 "C:\Windows\SysWOW64\imugajh.exe"
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5732
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5732 -s 388
        42⤵
        Program crash
        
        PID:3904
        
        C:\Windows\SysWOW64\hgpiekf.exe
        
        C:\Windows\system32\hgpiekf.exe 1692 "C:\Windows\SysWOW64\xzdcoul.exe"
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3324
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3324 -s 388
        43⤵
        Program crash
        
        PID:788
        
        C:\Windows\SysWOW64\akqjiva.exe
        
        C:\Windows\system32\akqjiva.exe 1696 "C:\Windows\SysWOW64\hgpiekf.exe"
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2604
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2604 -s 396
        44⤵
        Program crash
        
        PID:2392
        
        C:\Windows\SysWOW64\srbqylb.exe
        
        C:\Windows\system32\srbqylb.exe 1704 "C:\Windows\SysWOW64\akqjiva.exe"
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:848
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 848 -s 388
        45⤵
        Program crash
        
        PID:3328
        
        C:\Windows\SysWOW64\kgnwfbd.exe
        
        C:\Windows\system32\kgnwfbd.exe 1524 "C:\Windows\SysWOW64\srbqylb.exe"
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1284
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1284 -s 388
        46⤵
        Program crash
        
        PID:2260
        
        C:\Windows\SysWOW64\ckoxsny.exe
        
        C:\Windows\system32\ckoxsny.exe 1568 "C:\Windows\SysWOW64\kgnwfbd.exe"
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1008
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1008 -s 392
        47⤵
        Program crash
        
        PID:5164
        
        C:\Windows\SysWOW64\mrzdzcz.exe
        
        C:\Windows\system32\mrzdzcz.exe 1744 "C:\Windows\SysWOW64\ckoxsny.exe"
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5468
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5468 -s 388
        48⤵
        Program crash
        
        PID:4696
        
        C:\Windows\SysWOW64\bpcerjd.exe
        
        C:\Windows\system32\bpcerjd.exe 1736 "C:\Windows\SysWOW64\mrzdzcz.exe"
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2820
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2820 -s 388
        49⤵
        Program crash
        
        PID:5884
        
        C:\Windows\SysWOW64\uissaqr.exe
        
        C:\Windows\system32\uissaqr.exe 1580 "C:\Windows\SysWOW64\bpcerjd.exe"
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3516
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3516 -s 388
        50⤵
        Program crash
        
        PID:5140
        
        C:\Windows\SysWOW64\jfnbkxu.exe
        
        C:\Windows\system32\jfnbkxu.exe 1756 "C:\Windows\SysWOW64\uissaqr.exe"
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5460
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5460 -s 388
        51⤵
        Program crash
        
        PID:6040
        
        C:\Windows\SysWOW64\ugkhtmq.exe
        
        C:\Windows\system32\ugkhtmq.exe 1768 "C:\Windows\SysWOW64\jfnbkxu.exe"
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:60
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 60 -s 388
        52⤵
        Program crash
        
        PID:4756
        
        C:\Windows\SysWOW64\jwfqltu.exe
        
        C:\Windows\system32\jwfqltu.exe 1604 "C:\Windows\SysWOW64\ugkhtmq.exe"
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4996
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4996 -s 388
        53⤵
        Program crash
        
        PID:6068
        
        C:\Windows\SysWOW64\bgujvnu.exe
        
        C:\Windows\system32\bgujvnu.exe 1784 "C:\Windows\SysWOW64\jwfqltu.exe"
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5860
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5860 -s 388
        54⤵
        Program crash
        
        PID:4492
        
        C:\Windows\SysWOW64\uhrpfuq.exe
        
        C:\Windows\system32\uhrpfuq.exe 1780 "C:\Windows\SysWOW64\bgujvnu.exe"
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5044
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 396
        55⤵
        Program crash
        
        PID:2144
        
        C:\Windows\SysWOW64\mksrjgl.exe
        
        C:\Windows\system32\mksrjgl.exe 1800 "C:\Windows\SysWOW64\uhrpfuq.exe"
        55⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1948
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1948 -s 388
        56⤵
        Program crash
        
        PID:2184
        
        C:\Windows\SysWOW64\tinrbmp.exe
        
        C:\Windows\system32\tinrbmp.exe 1648 "C:\Windows\SysWOW64\mksrjgl.exe"
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2168
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2168 -s 388
        57⤵
        Program crash
        
        PID:2932
        
        C:\Windows\SysWOW64\lpygqcq.exe
        
        C:\Windows\system32\lpygqcq.exe 1808 "C:\Windows\SysWOW64\tinrbmp.exe"
        57⤵
        Executes dropped EXE
        
        PID:4572
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4572 -s 388
        58⤵
        Program crash
        
        PID:3096
        
        C:\Windows\SysWOW64\bfthzrm.exe
        
        C:\Windows\system32\bfthzrm.exe 1652 "C:\Windows\SysWOW64\lpygqcq.exe"
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4932
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4932 -s 388
        59⤵
        Program crash
        
        PID:5904
        
        C:\Windows\SysWOW64\tjcamco.exe
        
        C:\Windows\system32\tjcamco.exe 1672 "C:\Windows\SysWOW64\bfthzrm.exe"
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4544
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4544 -s 388
        60⤵
        Program crash
        
        PID:4272
        
        C:\Windows\SysWOW64\ejrookc.exe
        
        C:\Windows\system32\ejrookc.exe 1668 "C:\Windows\SysWOW64\tjcamco.exe"
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1072
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1072 -s 388
        61⤵
        Program crash
        
        PID:236
        
        C:\Windows\SysWOW64\vcohgel.exe
        
        C:\Windows\system32\vcohgel.exe 1848 "C:\Windows\SysWOW64\ejrookc.exe"
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4700
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4700 -s 388
        62⤵
        Program crash
        
        PID:1080
        
        C:\Windows\SysWOW64\njannue.exe
        
        C:\Windows\system32\njannue.exe 1844 "C:\Windows\SysWOW64\vcohgel.exe"
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2172
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2172 -s 388
        63⤵
        Program crash
        
        PID:5392
        
        C:\Windows\SysWOW64\gnaoafh.exe
        
        C:\Windows\system32\gnaoafh.exe 1856 "C:\Windows\SysWOW64\njannue.exe"
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5368
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5368 -s 388
        64⤵
        Program crash
        
        PID:2500
        
        C:\Windows\SysWOW64\ycmvivb.exe
        
        C:\Windows\system32\ycmvivb.exe 1644 "C:\Windows\SysWOW64\gnaoafh.exe"
        64⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4192
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4192 -s 388
        65⤵
        Program crash
        
        PID:2524
        
        C:\Windows\SysWOW64\ikybxlc.exe
        
        C:\Windows\system32\ikybxlc.exe 1876 "C:\Windows\SysWOW64\ycmvivb.exe"
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4592
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 388
        66⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\aoyckxx.exe
        
        C:\Windows\system32\aoyckxx.exe 1888 "C:\Windows\SysWOW64\ikybxlc.exe"
        66⤵
        System Location Discovery: System Language Discovery
        
        PID:2400
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2400 -s 388
        67⤵
        
        PID:5132
        
        C:\Windows\SysWOW64\sgvvurf.exe
        
        C:\Windows\system32\sgvvurf.exe 1884 "C:\Windows\SysWOW64\aoyckxx.exe"
        67⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5444
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5444 -s 388
        68⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\nbmtxmy.exe
        
        C:\Windows\system32\nbmtxmy.exe 1896 "C:\Windows\SysWOW64\sgvvurf.exe"
        68⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4336 -s 388
        69⤵
        
        PID:5828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 5956 -ip 5956
1⤵
PID:4576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4796 -ip 4796
1⤵
PID:6040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4860 -ip 4860
1⤵
PID:4904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1020 -ip 1020
1⤵
PID:2996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2600 -ip 2600
1⤵
PID:1296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3596 -ip 3596
1⤵
PID:1452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1040 -ip 1040
1⤵
PID:1724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 628 -ip 628
1⤵
PID:3952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 704 -ip 704
1⤵
PID:3512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 5072 -ip 5072
1⤵
PID:5016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2760 -ip 2760
1⤵
PID:2500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1264 -ip 1264
1⤵
PID:5596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 5232 -ip 5232
1⤵
PID:4924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 5064 -ip 5064
1⤵
PID:2612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2480 -ip 2480
1⤵
PID:5512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 372 -ip 372
1⤵
PID:4668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4704 -ip 4704
1⤵
PID:4760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4868 -ip 4868
1⤵
PID:1612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 612 -ip 612
1⤵
PID:4020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3572 -ip 3572
1⤵
PID:3760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3388 -ip 3388
1⤵
PID:920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 996 -ip 996
1⤵
PID:3140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 5656 -ip 5656
1⤵
PID:3084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5984 -ip 5984
1⤵
PID:3324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1112 -ip 1112
1⤵
PID:1716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 5184 -ip 5184
1⤵
PID:1100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3656 -ip 3656
1⤵
PID:5508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2136 -ip 2136
1⤵
PID:5000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 5512 -ip 5512
1⤵
PID:5040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4428 -ip 4428
1⤵
PID:3516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4660 -ip 4660
1⤵
PID:3748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2756 -ip 2756
1⤵
PID:4120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4456 -ip 4456
1⤵
PID:4012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 680 -ip 680
1⤵
PID:5520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 1344 -ip 1344
1⤵
PID:5360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 3088 -ip 3088
1⤵
PID:4352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1452 -ip 1452
1⤵
PID:4972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4628 -ip 4628
1⤵
PID:5336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 920 -ip 920
1⤵
PID:5380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 912 -ip 912
1⤵
PID:5436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 5732 -ip 5732
1⤵
PID:3216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 3324 -ip 3324
1⤵
PID:5372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 2604 -ip 2604
1⤵
PID:3172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 848 -ip 848
1⤵
PID:1776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 1284 -ip 1284
1⤵
PID:4356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 1008 -ip 1008
1⤵
PID:3436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 5468 -ip 5468
1⤵
PID:3868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 2820 -ip 2820
1⤵
PID:3740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 3516 -ip 3516
1⤵
PID:1572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 5460 -ip 5460
1⤵
PID:3052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 60 -ip 60
1⤵
PID:4576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 4996 -ip 4996
1⤵
PID:536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 5860 -ip 5860
1⤵
PID:2012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 5044 -ip 5044
1⤵
PID:1164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 1948 -ip 1948
1⤵
PID:5920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 2168 -ip 2168
1⤵
PID:5592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 4572 -ip 4572
1⤵
PID:2004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 4932 -ip 4932
1⤵
PID:2992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 4544 -ip 4544
1⤵
PID:2008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 1072 -ip 1072
1⤵
PID:396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4700 -ip 4700
1⤵
PID:2192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 2172 -ip 2172
1⤵
PID:5112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 5368 -ip 5368
1⤵
PID:2636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 4192 -ip 4192
1⤵
PID:3252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 4592 -ip 4592
1⤵
PID:3936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 2400 -ip 2400
1⤵
PID:5084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 5444 -ip 5444
1⤵
PID:3868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 4336 -ip 4336
1⤵
PID:4320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\tdsvlaw.exe

Filesize
275KB

MD5
98d5da824fabf016acea65ce4f45b4ad

SHA1
9e24b0782145056654a531125416901784f65a33

SHA256
9a72961f7e496936d6ba0c059fd83896e25cec2a629787df149a701ed95107e1

SHA512
c18eb94030b507e54b8dd7d593f602e249ffd6bcd09a777f0541bdb39d3989ba1db32c6a2f480b0232b0fe92a0151a74f10f8e63f6542c08907a9778f8a4a82c

Download Submit
memory/60-359-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/372-133-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/612-154-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/628-73-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/680-257-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/704-80-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/848-317-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/912-293-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/920-287-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/996-176-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/1008-329-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/1020-45-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/1040-66-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/1072-413-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/1112-197-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/1264-101-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/1284-323-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/1344-263-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/1452-275-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/1948-383-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2136-218-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2168-389-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2172-425-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2400-449-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2480-124-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2600-52-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2604-311-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2756-247-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2760-94-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2820-341-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/3088-269-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/3324-305-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/3388-161-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/3388-169-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/3516-347-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/3572-162-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/3596-59-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/3656-211-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/4192-437-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/4428-233-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/4428-225-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/4456-252-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/4544-407-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/4572-395-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/4592-443-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/4628-281-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/4660-240-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/4700-419-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/4704-131-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/4704-140-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/4796-27-0x00000000007A0000-0x00000000007E0000-memory.dmp

Filesize
256KB

Download
memory/4796-13-0x00000000007A0000-0x00000000007E0000-memory.dmp

Filesize
256KB

Download
memory/4796-26-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/4796-16-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/4796-17-0x0000000002200000-0x0000000002205000-memory.dmp

Filesize
20KB

Download
memory/4796-18-0x00000000022F0000-0x000000000231C000-memory.dmp

Filesize
176KB

Download
memory/4860-29-0x0000000000760000-0x0000000000765000-memory.dmp

Filesize
20KB

Download
memory/4860-28-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/4860-30-0x00000000029F0000-0x0000000002A1C000-memory.dmp

Filesize
176KB

Download
memory/4860-38-0x0000000000690000-0x00000000006D0000-memory.dmp

Filesize
256KB

Download
memory/4860-25-0x0000000000690000-0x00000000006D0000-memory.dmp

Filesize
256KB

Download
memory/4860-37-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/4868-147-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/4932-401-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/4996-365-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/5044-377-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/5064-117-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/5064-108-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/5072-87-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/5184-204-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/5232-110-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/5232-100-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/5368-431-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/5444-455-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/5460-353-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/5468-335-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/5512-226-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/5656-183-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/5732-299-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/5860-371-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/5956-5-0x00000000029E0000-0x0000000002A0C000-memory.dmp

Filesize
176KB

Download
memory/5956-0-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/5956-4-0x0000000002210000-0x0000000002215000-memory.dmp

Filesize
20KB

Download
memory/5956-3-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/5956-2-0x00000000006B0000-0x00000000006F0000-memory.dmp

Filesize
256KB

Download
memory/5956-14-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/5956-15-0x00000000006B0000-0x00000000006F0000-memory.dmp

Filesize
256KB

Download
memory/5956-1-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/5984-190-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download