metasploit | d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043

Analysis

max time kernel
151s
max time network
174s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
19-09-2022 02:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043.exe
Size

347KB
MD5

5180d37dfabb7fa22fd7f1a02fc4babb
SHA1

af3037f4c8f0300fa47c71261d70355d3ac66a9a
SHA256

d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043
SHA512

1c1d9ce8f9fe0b1ddac632e532acbb585fec40adc4fcab554db05b0ce4ad17dd672163d916b45e66b67cf2ad68ec018c2137da27408a328b4c28022df82f1937
SSDEEP

6144:MxLjTaCEbW1gIPp6nlml+19yxKpbj+mYl+eL:MxWBi3E11pbymYlV

Score

10^/10

metasploit backdoor trojan upx

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Executes dropped EXE 64 IoCs

Processes:

wmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exe

pid	process
888	wmsrvc.exe
1688	wmsrvc.exe
1944	wmsrvc.exe
456	wmsrvc.exe
1360	wmsrvc.exe
1416	wmsrvc.exe
1732	wmsrvc.exe
1672	wmsrvc.exe
1988	wmsrvc.exe
1752	wmsrvc.exe
912	wmsrvc.exe
1796	wmsrvc.exe
1172	wmsrvc.exe
396	wmsrvc.exe
1264	wmsrvc.exe
656	wmsrvc.exe
812	wmsrvc.exe
1516	wmsrvc.exe
912	wmsrvc.exe
1924	wmsrvc.exe
1712	wmsrvc.exe
1444	wmsrvc.exe
1016	wmsrvc.exe
1472	wmsrvc.exe
1576	wmsrvc.exe
932	wmsrvc.exe
1172	wmsrvc.exe
344	wmsrvc.exe
1948	wmsrvc.exe
644	wmsrvc.exe
976	wmsrvc.exe
860	wmsrvc.exe
1048	wmsrvc.exe
1740	wmsrvc.exe
1728	wmsrvc.exe
1712	wmsrvc.exe
1948	wmsrvc.exe
1912	wmsrvc.exe
976	wmsrvc.exe
1576	wmsrvc.exe
1360	wmsrvc.exe
1548	wmsrvc.exe
1172	wmsrvc.exe
1652	wmsrvc.exe
808	wmsrvc.exe
1492	wmsrvc.exe
772	wmsrvc.exe
1068	wmsrvc.exe
1784	wmsrvc.exe
888	wmsrvc.exe
1920	wmsrvc.exe
2028	wmsrvc.exe
388	wmsrvc.exe
1976	wmsrvc.exe
908	wmsrvc.exe
1872	wmsrvc.exe
1740	wmsrvc.exe
1188	wmsrvc.exe
1948	wmsrvc.exe
1592	wmsrvc.exe
808	wmsrvc.exe
812	wmsrvc.exe
1248	wmsrvc.exe
1596	wmsrvc.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/976-60-0x0000000000400000-0x000000000046A000-memory.dmp	upx
\Windows\SysWOW64\wmsrvc.exe	upx
\Windows\SysWOW64\wmsrvc.exe	upx
C:\Windows\SysWOW64\wmsrvc.exe	upx
C:\Windows\SysWOW64\wmsrvc.exe	upx
C:\Windows\SysWOW64\wmsrvc.exe	upx
behavioral1/memory/888-77-0x0000000000400000-0x000000000046A000-memory.dmp	upx
\Windows\SysWOW64\wmsrvc.exe	upx
\Windows\SysWOW64\wmsrvc.exe	upx
C:\Windows\SysWOW64\wmsrvc.exe	upx
C:\Windows\SysWOW64\wmsrvc.exe	upx
behavioral1/memory/1944-93-0x0000000000400000-0x000000000046A000-memory.dmp	upx
\Windows\SysWOW64\wmsrvc.exe	upx
\Windows\SysWOW64\wmsrvc.exe	upx
C:\Windows\SysWOW64\wmsrvc.exe	upx
C:\Windows\SysWOW64\wmsrvc.exe	upx
behavioral1/memory/1360-111-0x0000000000400000-0x000000000046A000-memory.dmp	upx
\Windows\SysWOW64\wmsrvc.exe	upx
\Windows\SysWOW64\wmsrvc.exe	upx
C:\Windows\SysWOW64\wmsrvc.exe	upx
C:\Windows\SysWOW64\wmsrvc.exe	upx
behavioral1/memory/1732-125-0x0000000000400000-0x000000000046A000-memory.dmp	upx
\Windows\SysWOW64\wmsrvc.exe	upx
C:\Windows\SysWOW64\wmsrvc.exe	upx
\Windows\SysWOW64\wmsrvc.exe	upx
C:\Windows\SysWOW64\wmsrvc.exe	upx
behavioral1/memory/1988-145-0x0000000000400000-0x000000000046A000-memory.dmp	upx
\Windows\SysWOW64\wmsrvc.exe	upx
\Windows\SysWOW64\wmsrvc.exe	upx
C:\Windows\SysWOW64\wmsrvc.exe	upx
behavioral1/memory/912-152-0x0000000000400000-0x000000000046A000-memory.dmp	upx
C:\Windows\SysWOW64\wmsrvc.exe	upx
behavioral1/memory/912-160-0x0000000000400000-0x000000000046A000-memory.dmp	upx
\Windows\SysWOW64\wmsrvc.exe	upx
\Windows\SysWOW64\wmsrvc.exe	upx
C:\Windows\SysWOW64\wmsrvc.exe	upx
C:\Windows\SysWOW64\wmsrvc.exe	upx
behavioral1/memory/1172-176-0x0000000000400000-0x000000000046A000-memory.dmp	upx
C:\Windows\SysWOW64\wmsrvc.exe	upx
behavioral1/memory/1264-185-0x0000000000400000-0x000000000046A000-memory.dmp	upx
\Windows\SysWOW64\wmsrvc.exe	upx
\Windows\SysWOW64\wmsrvc.exe	upx
C:\Windows\SysWOW64\wmsrvc.exe	upx
\Windows\SysWOW64\wmsrvc.exe	upx
C:\Windows\SysWOW64\wmsrvc.exe	upx
\Windows\SysWOW64\wmsrvc.exe	upx
C:\Windows\SysWOW64\wmsrvc.exe	upx
\Windows\SysWOW64\wmsrvc.exe	upx
\Windows\SysWOW64\wmsrvc.exe	upx
C:\Windows\SysWOW64\wmsrvc.exe	upx
C:\Windows\SysWOW64\wmsrvc.exe	upx
behavioral1/memory/912-222-0x0000000000400000-0x000000000046A000-memory.dmp	upx
\Windows\SysWOW64\wmsrvc.exe	upx
\Windows\SysWOW64\wmsrvc.exe	upx
C:\Windows\SysWOW64\wmsrvc.exe	upx
C:\Windows\SysWOW64\wmsrvc.exe	upx
behavioral1/memory/1712-239-0x0000000000400000-0x000000000046A000-memory.dmp	upx
\Windows\SysWOW64\wmsrvc.exe	upx
\Windows\SysWOW64\wmsrvc.exe	upx
C:\Windows\SysWOW64\wmsrvc.exe	upx
C:\Windows\SysWOW64\wmsrvc.exe	upx
behavioral1/memory/1016-256-0x0000000000400000-0x000000000046A000-memory.dmp	upx
\Windows\SysWOW64\wmsrvc.exe	upx
\Windows\SysWOW64\wmsrvc.exe	upx

Loads dropped DLL 64 IoCs

Processes:

pid	process
2036	d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043.exe
2036	d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043.exe
1688	wmsrvc.exe
1688	wmsrvc.exe
456	wmsrvc.exe
456	wmsrvc.exe
1416	wmsrvc.exe
1416	wmsrvc.exe
1672	wmsrvc.exe
1672	wmsrvc.exe
1752	wmsrvc.exe
1752	wmsrvc.exe
1796	wmsrvc.exe
1796	wmsrvc.exe
396	wmsrvc.exe
396	wmsrvc.exe
656	wmsrvc.exe
656	wmsrvc.exe
1516	wmsrvc.exe
1516	wmsrvc.exe
1924	wmsrvc.exe
1924	wmsrvc.exe
1444	wmsrvc.exe
1444	wmsrvc.exe
1472	wmsrvc.exe
1472	wmsrvc.exe
932	wmsrvc.exe
932	wmsrvc.exe
344	wmsrvc.exe
344	wmsrvc.exe
644	wmsrvc.exe
644	wmsrvc.exe
860	wmsrvc.exe
860	wmsrvc.exe
1740	wmsrvc.exe
1740	wmsrvc.exe
1712	wmsrvc.exe
1712	wmsrvc.exe
1912	wmsrvc.exe
1912	wmsrvc.exe
1576	wmsrvc.exe
1576	wmsrvc.exe
1548	wmsrvc.exe
1548	wmsrvc.exe
1652	wmsrvc.exe
1652	wmsrvc.exe
1492	wmsrvc.exe
1492	wmsrvc.exe
1068	wmsrvc.exe
1068	wmsrvc.exe
888	wmsrvc.exe
888	wmsrvc.exe
2028	wmsrvc.exe
2028	wmsrvc.exe
1976	wmsrvc.exe
1976	wmsrvc.exe
1872	wmsrvc.exe
1872	wmsrvc.exe
1188	wmsrvc.exe
1188	wmsrvc.exe
1592	wmsrvc.exe
1592	wmsrvc.exe
812	wmsrvc.exe
812	wmsrvc.exe

Drops file in System32 directory 64 IoCs

Processes:

description	ioc	process
File created	C:\Windows\SysWOW64\wmsrvc.exe	wmsrvc.exe
File created	C:\Windows\SysWOW64\wmsrvc.exe	wmsrvc.exe
File opened for modification	C:\Windows\SysWOW64\wmsrvc.exe	wmsrvc.exe
File opened for modification	C:\Windows\SysWOW64\wmsrvc.exe	wmsrvc.exe
File opened for modification	C:\Windows\SysWOW64\wmsrvc.exe	wmsrvc.exe
File opened for modification	C:\Windows\SysWOW64\wmsrvc.exe	wmsrvc.exe
File opened for modification	C:\Windows\SysWOW64\wmsrvc.exe	wmsrvc.exe
File opened for modification	C:\Windows\SysWOW64\wmsrvc.exe	wmsrvc.exe
File created	C:\Windows\SysWOW64\wmsrvc.exe	wmsrvc.exe
File created	C:\Windows\SysWOW64\wmsrvc.exe	wmsrvc.exe
File opened for modification	C:\Windows\SysWOW64\wmsrvc.exe	wmsrvc.exe
File opened for modification	C:\Windows\SysWOW64\wmsrvc.exe	wmsrvc.exe
File opened for modification	C:\Windows\SysWOW64\wmsrvc.exe	wmsrvc.exe
File created	C:\Windows\SysWOW64\wmsrvc.exe	wmsrvc.exe
File opened for modification	C:\Windows\SysWOW64\wmsrvc.exe	wmsrvc.exe
File created	C:\Windows\SysWOW64\wmsrvc.exe	wmsrvc.exe
File opened for modification	C:\Windows\SysWOW64\wmsrvc.exe	wmsrvc.exe
File opened for modification	C:\Windows\SysWOW64\wmsrvc.exe	wmsrvc.exe
File opened for modification	C:\Windows\SysWOW64\wmsrvc.exe	wmsrvc.exe
File created	C:\Windows\SysWOW64\wmsrvc.exe	wmsrvc.exe
File opened for modification	C:\Windows\SysWOW64\wmsrvc.exe	wmsrvc.exe
File opened for modification	C:\Windows\SysWOW64\wmsrvc.exe	wmsrvc.exe
File opened for modification	C:\Windows\SysWOW64\wmsrvc.exe	wmsrvc.exe
File opened for modification	C:\Windows\SysWOW64\wmsrvc.exe	wmsrvc.exe
File opened for modification	C:\Windows\SysWOW64\wmsrvc.exe	wmsrvc.exe
File opened for modification	C:\Windows\SysWOW64\wmsrvc.exe	wmsrvc.exe
File opened for modification	C:\Windows\SysWOW64\wmsrvc.exe	wmsrvc.exe
File created	C:\Windows\SysWOW64\wmsrvc.exe	wmsrvc.exe
File opened for modification	C:\Windows\SysWOW64\wmsrvc.exe	wmsrvc.exe
File opened for modification	C:\Windows\SysWOW64\wmsrvc.exe	wmsrvc.exe
File created	C:\Windows\SysWOW64\wmsrvc.exe	wmsrvc.exe
File created	C:\Windows\SysWOW64\wmsrvc.exe	wmsrvc.exe
File opened for modification	C:\Windows\SysWOW64\wmsrvc.exe	wmsrvc.exe
File created	C:\Windows\SysWOW64\wmsrvc.exe	wmsrvc.exe
File opened for modification	C:\Windows\SysWOW64\wmsrvc.exe	wmsrvc.exe
File created	C:\Windows\SysWOW64\wmsrvc.exe	wmsrvc.exe
File opened for modification	C:\Windows\SysWOW64\wmsrvc.exe	wmsrvc.exe
File created	C:\Windows\SysWOW64\wmsrvc.exe	wmsrvc.exe
File opened for modification	C:\Windows\SysWOW64\wmsrvc.exe	wmsrvc.exe
File opened for modification	C:\Windows\SysWOW64\wmsrvc.exe	wmsrvc.exe
File opened for modification	C:\Windows\SysWOW64\wmsrvc.exe	wmsrvc.exe
File opened for modification	C:\Windows\SysWOW64\wmsrvc.exe	wmsrvc.exe
File opened for modification	C:\Windows\SysWOW64\wmsrvc.exe	wmsrvc.exe
File opened for modification	C:\Windows\SysWOW64\wmsrvc.exe	wmsrvc.exe
File opened for modification	C:\Windows\SysWOW64\wmsrvc.exe	wmsrvc.exe
File opened for modification	C:\Windows\SysWOW64\wmsrvc.exe	wmsrvc.exe
File opened for modification	C:\Windows\SysWOW64\wmsrvc.exe	wmsrvc.exe
File opened for modification	C:\Windows\SysWOW64\wmsrvc.exe	wmsrvc.exe
File opened for modification	C:\Windows\SysWOW64\wmsrvc.exe	wmsrvc.exe
File opened for modification	C:\Windows\SysWOW64\wmsrvc.exe	wmsrvc.exe
File opened for modification	C:\Windows\SysWOW64\wmsrvc.exe	wmsrvc.exe
File created	C:\Windows\SysWOW64\wmsrvc.exe	wmsrvc.exe
File created	C:\Windows\SysWOW64\wmsrvc.exe	wmsrvc.exe
File created	C:\Windows\SysWOW64\wmsrvc.exe	wmsrvc.exe
File opened for modification	C:\Windows\SysWOW64\wmsrvc.exe	wmsrvc.exe
File created	C:\Windows\SysWOW64\wmsrvc.exe	wmsrvc.exe
File created	C:\Windows\SysWOW64\wmsrvc.exe	wmsrvc.exe
File opened for modification	C:\Windows\SysWOW64\wmsrvc.exe	wmsrvc.exe
File opened for modification	C:\Windows\SysWOW64\wmsrvc.exe	wmsrvc.exe
File created	C:\Windows\SysWOW64\wmsrvc.exe	wmsrvc.exe
File opened for modification	C:\Windows\SysWOW64\wmsrvc.exe	wmsrvc.exe
File created	C:\Windows\SysWOW64\wmsrvc.exe	wmsrvc.exe
File opened for modification	C:\Windows\SysWOW64\wmsrvc.exe	wmsrvc.exe
File created	C:\Windows\SysWOW64\wmsrvc.exe	wmsrvc.exe

Suspicious use of SetThreadContext 64 IoCs

Processes:

d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exe

description	pid	process	target process
PID 976 set thread context of 2036	976	d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043.exe	d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043.exe
PID 888 set thread context of 1688	888	wmsrvc.exe	wmsrvc.exe
PID 1944 set thread context of 456	1944	wmsrvc.exe	wmsrvc.exe
PID 1360 set thread context of 1416	1360	wmsrvc.exe	wmsrvc.exe
PID 1732 set thread context of 1672	1732	wmsrvc.exe	wmsrvc.exe
PID 1988 set thread context of 1752	1988	wmsrvc.exe	wmsrvc.exe
PID 912 set thread context of 1796	912	wmsrvc.exe	wmsrvc.exe
PID 1172 set thread context of 396	1172	wmsrvc.exe	wmsrvc.exe
PID 1264 set thread context of 656	1264	wmsrvc.exe	wmsrvc.exe
PID 812 set thread context of 1516	812	wmsrvc.exe	wmsrvc.exe
PID 912 set thread context of 1924	912	wmsrvc.exe	wmsrvc.exe
PID 1712 set thread context of 1444	1712	wmsrvc.exe	wmsrvc.exe
PID 1016 set thread context of 1472	1016	wmsrvc.exe	wmsrvc.exe
PID 1576 set thread context of 932	1576	wmsrvc.exe	wmsrvc.exe
PID 1172 set thread context of 344	1172	wmsrvc.exe	wmsrvc.exe
PID 1948 set thread context of 644	1948	wmsrvc.exe	wmsrvc.exe
PID 976 set thread context of 860	976	wmsrvc.exe	wmsrvc.exe
PID 1048 set thread context of 1740	1048	wmsrvc.exe	wmsrvc.exe
PID 1728 set thread context of 1712	1728	wmsrvc.exe	wmsrvc.exe
PID 1948 set thread context of 1912	1948	wmsrvc.exe	wmsrvc.exe
PID 976 set thread context of 1576	976	wmsrvc.exe	wmsrvc.exe
PID 1360 set thread context of 1548	1360	wmsrvc.exe	wmsrvc.exe
PID 1172 set thread context of 1652	1172	wmsrvc.exe	wmsrvc.exe
PID 808 set thread context of 1492	808	wmsrvc.exe	wmsrvc.exe
PID 772 set thread context of 1068	772	wmsrvc.exe	wmsrvc.exe
PID 1784 set thread context of 888	1784	wmsrvc.exe	wmsrvc.exe
PID 1920 set thread context of 2028	1920	wmsrvc.exe	wmsrvc.exe
PID 388 set thread context of 1976	388	wmsrvc.exe	wmsrvc.exe
PID 908 set thread context of 1872	908	wmsrvc.exe	wmsrvc.exe
PID 1740 set thread context of 1188	1740	wmsrvc.exe	wmsrvc.exe
PID 1948 set thread context of 1592	1948	wmsrvc.exe	wmsrvc.exe
PID 808 set thread context of 812	808	wmsrvc.exe	wmsrvc.exe
PID 1248 set thread context of 1596	1248	wmsrvc.exe	wmsrvc.exe
PID 1824 set thread context of 1272	1824	wmsrvc.exe	wmsrvc.exe
PID 1944 set thread context of 560	1944	wmsrvc.exe	wmsrvc.exe
PID 580 set thread context of 1368	580	wmsrvc.exe	wmsrvc.exe
PID 1736 set thread context of 1700	1736	wmsrvc.exe	wmsrvc.exe
PID 2012 set thread context of 472	2012	wmsrvc.exe	wmsrvc.exe
PID 1652 set thread context of 2032	1652	wmsrvc.exe	wmsrvc.exe
PID 976 set thread context of 1500	976	wmsrvc.exe	wmsrvc.exe
PID 1748 set thread context of 984	1748	wmsrvc.exe	wmsrvc.exe
PID 1384 set thread context of 1092	1384	wmsrvc.exe	wmsrvc.exe
PID 1968 set thread context of 936	1968	wmsrvc.exe	wmsrvc.exe
PID 912 set thread context of 1320	912	wmsrvc.exe	wmsrvc.exe
PID 1740 set thread context of 572	1740	wmsrvc.exe	wmsrvc.exe
PID 1652 set thread context of 1016	1652	wmsrvc.exe	wmsrvc.exe
PID 1736 set thread context of 772	1736	wmsrvc.exe	wmsrvc.exe
PID 1784 set thread context of 1988	1784	wmsrvc.exe	wmsrvc.exe
PID 960 set thread context of 1428	960	wmsrvc.exe	wmsrvc.exe
PID 1592 set thread context of 824	1592	wmsrvc.exe	wmsrvc.exe
PID 2012 set thread context of 1196	2012	wmsrvc.exe	wmsrvc.exe
PID 1168 set thread context of 1680	1168	wmsrvc.exe	wmsrvc.exe
PID 1100 set thread context of 1388	1100	wmsrvc.exe	wmsrvc.exe
PID 1608 set thread context of 1364	1608	wmsrvc.exe	wmsrvc.exe
PID 1124 set thread context of 1308	1124	wmsrvc.exe	wmsrvc.exe
PID 1212 set thread context of 1572	1212	wmsrvc.exe	wmsrvc.exe
PID 1756 set thread context of 1552	1756	wmsrvc.exe	wmsrvc.exe
PID 1580 set thread context of 772	1580	wmsrvc.exe	wmsrvc.exe
PID 1988 set thread context of 552	1988	wmsrvc.exe	wmsrvc.exe
PID 1140 set thread context of 1592	1140	wmsrvc.exe	wmsrvc.exe
PID 1460 set thread context of 1372	1460	wmsrvc.exe	wmsrvc.exe
PID 1740 set thread context of 772	1740	wmsrvc.exe	wmsrvc.exe
PID 1908 set thread context of 1204	1908	wmsrvc.exe	wmsrvc.exe
PID 1716 set thread context of 824	1716	wmsrvc.exe	wmsrvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

pid	process
2036	d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043.exe
1688	wmsrvc.exe
456	wmsrvc.exe
1416	wmsrvc.exe
1672	wmsrvc.exe
1752	wmsrvc.exe
1796	wmsrvc.exe
396	wmsrvc.exe
656	wmsrvc.exe
1516	wmsrvc.exe
1924	wmsrvc.exe
1444	wmsrvc.exe
1472	wmsrvc.exe
932	wmsrvc.exe
344	wmsrvc.exe
644	wmsrvc.exe
860	wmsrvc.exe
1740	wmsrvc.exe
1712	wmsrvc.exe
1912	wmsrvc.exe
1576	wmsrvc.exe
1548	wmsrvc.exe
1652	wmsrvc.exe
1492	wmsrvc.exe
1068	wmsrvc.exe
888	wmsrvc.exe
2028	wmsrvc.exe
1976	wmsrvc.exe
1872	wmsrvc.exe
1188	wmsrvc.exe
1592	wmsrvc.exe
812	wmsrvc.exe
1596	wmsrvc.exe
1272	wmsrvc.exe
560	wmsrvc.exe
1368	wmsrvc.exe
1700	wmsrvc.exe
472	wmsrvc.exe
2032	wmsrvc.exe
1500	wmsrvc.exe
984	wmsrvc.exe
1092	wmsrvc.exe
936	wmsrvc.exe
1320	wmsrvc.exe
572	wmsrvc.exe
1016	wmsrvc.exe
772	wmsrvc.exe
1988	wmsrvc.exe
1428	wmsrvc.exe
824	wmsrvc.exe
1196	wmsrvc.exe
1680	wmsrvc.exe
1388	wmsrvc.exe
1364	wmsrvc.exe
1308	wmsrvc.exe
1572	wmsrvc.exe
1552	wmsrvc.exe
772	wmsrvc.exe
552	wmsrvc.exe
1592	wmsrvc.exe
1372	wmsrvc.exe
772	wmsrvc.exe
1204	wmsrvc.exe
824	wmsrvc.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

pid	process
976	d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043.exe
888	wmsrvc.exe
1944	wmsrvc.exe
1360	wmsrvc.exe
1732	wmsrvc.exe
1988	wmsrvc.exe
912	wmsrvc.exe
1172	wmsrvc.exe
1264	wmsrvc.exe
812	wmsrvc.exe
912	wmsrvc.exe
1712	wmsrvc.exe
1016	wmsrvc.exe
1576	wmsrvc.exe
1172	wmsrvc.exe
1948	wmsrvc.exe
976	wmsrvc.exe
1048	wmsrvc.exe
1728	wmsrvc.exe
1948	wmsrvc.exe
976	wmsrvc.exe
1360	wmsrvc.exe
1172	wmsrvc.exe
808	wmsrvc.exe
772	wmsrvc.exe
1784	wmsrvc.exe
1920	wmsrvc.exe
388	wmsrvc.exe
908	wmsrvc.exe
1740	wmsrvc.exe
1948	wmsrvc.exe
808	wmsrvc.exe
1248	wmsrvc.exe
1824	wmsrvc.exe
1944	wmsrvc.exe
580	wmsrvc.exe
1736	wmsrvc.exe
2012	wmsrvc.exe
1652	wmsrvc.exe
976	wmsrvc.exe
1748	wmsrvc.exe
1384	wmsrvc.exe
1968	wmsrvc.exe
912	wmsrvc.exe
1740	wmsrvc.exe
1652	wmsrvc.exe
1736	wmsrvc.exe
1784	wmsrvc.exe
960	wmsrvc.exe
1592	wmsrvc.exe
2012	wmsrvc.exe
1168	wmsrvc.exe
1100	wmsrvc.exe
1608	wmsrvc.exe
1124	wmsrvc.exe
1212	wmsrvc.exe
1756	wmsrvc.exe
1580	wmsrvc.exe
1988	wmsrvc.exe
1140	wmsrvc.exe
1460	wmsrvc.exe
1740	wmsrvc.exe
1908	wmsrvc.exe
1716	wmsrvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043.exed3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exe

description	pid	process	target process
PID 976 wrote to memory of 1924	976	d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043.exe	cmd.exe
PID 976 wrote to memory of 1924	976	d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043.exe	cmd.exe
PID 976 wrote to memory of 1924	976	d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043.exe	cmd.exe
PID 976 wrote to memory of 1924	976	d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043.exe	cmd.exe
PID 976 wrote to memory of 2036	976	d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043.exe	d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043.exe
PID 976 wrote to memory of 2036	976	d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043.exe	d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043.exe
PID 976 wrote to memory of 2036	976	d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043.exe	d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043.exe
PID 976 wrote to memory of 2036	976	d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043.exe	d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043.exe
PID 976 wrote to memory of 2036	976	d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043.exe	d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043.exe
PID 976 wrote to memory of 2036	976	d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043.exe	d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043.exe
PID 976 wrote to memory of 2036	976	d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043.exe	d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043.exe
PID 976 wrote to memory of 2036	976	d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043.exe	d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043.exe
PID 976 wrote to memory of 2036	976	d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043.exe	d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043.exe
PID 2036 wrote to memory of 888	2036	d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043.exe	wmsrvc.exe
PID 2036 wrote to memory of 888	2036	d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043.exe	wmsrvc.exe
PID 2036 wrote to memory of 888	2036	d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043.exe	wmsrvc.exe
PID 2036 wrote to memory of 888	2036	d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043.exe	wmsrvc.exe
PID 888 wrote to memory of 1512	888	wmsrvc.exe	cmd.exe
PID 888 wrote to memory of 1512	888	wmsrvc.exe	cmd.exe
PID 888 wrote to memory of 1512	888	wmsrvc.exe	cmd.exe
PID 888 wrote to memory of 1512	888	wmsrvc.exe	cmd.exe
PID 888 wrote to memory of 1688	888	wmsrvc.exe	wmsrvc.exe
PID 888 wrote to memory of 1688	888	wmsrvc.exe	wmsrvc.exe
PID 888 wrote to memory of 1688	888	wmsrvc.exe	wmsrvc.exe
PID 888 wrote to memory of 1688	888	wmsrvc.exe	wmsrvc.exe
PID 888 wrote to memory of 1688	888	wmsrvc.exe	wmsrvc.exe
PID 888 wrote to memory of 1688	888	wmsrvc.exe	wmsrvc.exe
PID 888 wrote to memory of 1688	888	wmsrvc.exe	wmsrvc.exe
PID 888 wrote to memory of 1688	888	wmsrvc.exe	wmsrvc.exe
PID 888 wrote to memory of 1688	888	wmsrvc.exe	wmsrvc.exe
PID 1688 wrote to memory of 1944	1688	wmsrvc.exe	wmsrvc.exe
PID 1688 wrote to memory of 1944	1688	wmsrvc.exe	wmsrvc.exe
PID 1688 wrote to memory of 1944	1688	wmsrvc.exe	wmsrvc.exe
PID 1688 wrote to memory of 1944	1688	wmsrvc.exe	wmsrvc.exe
PID 1944 wrote to memory of 1620	1944	wmsrvc.exe	cmd.exe
PID 1944 wrote to memory of 1620	1944	wmsrvc.exe	cmd.exe
PID 1944 wrote to memory of 1620	1944	wmsrvc.exe	cmd.exe
PID 1944 wrote to memory of 1620	1944	wmsrvc.exe	cmd.exe
PID 1944 wrote to memory of 456	1944	wmsrvc.exe	wmsrvc.exe
PID 1944 wrote to memory of 456	1944	wmsrvc.exe	wmsrvc.exe
PID 1944 wrote to memory of 456	1944	wmsrvc.exe	wmsrvc.exe
PID 1944 wrote to memory of 456	1944	wmsrvc.exe	wmsrvc.exe
PID 1944 wrote to memory of 456	1944	wmsrvc.exe	wmsrvc.exe
PID 1944 wrote to memory of 456	1944	wmsrvc.exe	wmsrvc.exe
PID 1944 wrote to memory of 456	1944	wmsrvc.exe	wmsrvc.exe
PID 1944 wrote to memory of 456	1944	wmsrvc.exe	wmsrvc.exe
PID 1944 wrote to memory of 456	1944	wmsrvc.exe	wmsrvc.exe
PID 456 wrote to memory of 1360	456	wmsrvc.exe	wmsrvc.exe
PID 456 wrote to memory of 1360	456	wmsrvc.exe	wmsrvc.exe
PID 456 wrote to memory of 1360	456	wmsrvc.exe	wmsrvc.exe
PID 456 wrote to memory of 1360	456	wmsrvc.exe	wmsrvc.exe
PID 1360 wrote to memory of 672	1360	wmsrvc.exe	cmd.exe
PID 1360 wrote to memory of 672	1360	wmsrvc.exe	cmd.exe
PID 1360 wrote to memory of 672	1360	wmsrvc.exe	cmd.exe
PID 1360 wrote to memory of 672	1360	wmsrvc.exe	cmd.exe
PID 1360 wrote to memory of 1416	1360	wmsrvc.exe	wmsrvc.exe
PID 1360 wrote to memory of 1416	1360	wmsrvc.exe	wmsrvc.exe
PID 1360 wrote to memory of 1416	1360	wmsrvc.exe	wmsrvc.exe
PID 1360 wrote to memory of 1416	1360	wmsrvc.exe	wmsrvc.exe
PID 1360 wrote to memory of 1416	1360	wmsrvc.exe	wmsrvc.exe
PID 1360 wrote to memory of 1416	1360	wmsrvc.exe	wmsrvc.exe
PID 1360 wrote to memory of 1416	1360	wmsrvc.exe	wmsrvc.exe
PID 1360 wrote to memory of 1416	1360	wmsrvc.exe	wmsrvc.exe
PID 1360 wrote to memory of 1416	1360	wmsrvc.exe	wmsrvc.exe

C:\Users\Admin\AppData\Local\Temp\d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043.exe
"C:\Users\Admin\AppData\Local\Temp\d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:976

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
2⤵
PID:1924

C:\Users\Admin\AppData\Local\Temp\d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043.exe
"C:\Users\Admin\AppData\Local\Temp\d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043.exe"
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2036

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Users\Admin\AppData\Local\Temp\D3A5CE~1.EXE
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:888

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
4⤵
PID:1512

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1688

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1944

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
6⤵
PID:1620

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:456

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1360

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
8⤵
PID:672

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1416

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
9⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1732

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
10⤵
PID:1760

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1672

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
11⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1988

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
12⤵
PID:2028

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1752

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
13⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:912

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
14⤵
PID:2032

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1796

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
15⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1172

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:396

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
17⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1264

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
18⤵
PID:592

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
18⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:656

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
19⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:812

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
20⤵
PID:1764

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1516

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
21⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:912

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
22⤵
PID:1124

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1924

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
23⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1712

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
24⤵
PID:1560

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
24⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1444

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
25⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1016

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
26⤵
PID:1468

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
26⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1472

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
27⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1576

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
28⤵
PID:848

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
28⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:932

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
29⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1172

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
30⤵
PID:1704

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
30⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:344

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
31⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1948

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
32⤵
PID:984

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
32⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:644

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
33⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:976

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
34⤵
PID:1904

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
34⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:860

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
35⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1048

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
36⤵
PID:1580

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
36⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1740

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
37⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1728

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
38⤵
PID:1620

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
38⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1712

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
39⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1948

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
40⤵
PID:1716

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
40⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1912

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
41⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:976

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
42⤵
PID:560

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
42⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1576

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
43⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1360

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
44⤵
PID:272

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
44⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1548

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
45⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1172

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
46⤵
PID:592

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
46⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1652

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
47⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:808

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
48⤵
PID:1016

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
48⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1492

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
49⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:772

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
50⤵
PID:1968

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
50⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1068

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
51⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1784

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
52⤵
PID:1796

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
52⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:888

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
53⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1920

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
54⤵
PID:1728

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
54⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2028

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
55⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:388

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
56⤵
PID:672

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
56⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1976

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
57⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:908

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
58⤵
PID:1248

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
58⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1872

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
59⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1740

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
60⤵
PID:344

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
60⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1188

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
61⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1948

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
62⤵
PID:1680

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
62⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1592

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
63⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:808

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
64⤵
PID:580

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
64⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:812

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
65⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1248

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
66⤵
PID:908

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
66⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1596

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
67⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1824

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
68⤵
PID:1664

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
68⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1272

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
69⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1944

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
70⤵
PID:1984

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
70⤵
- Suspicious behavior: EnumeratesProcesses
PID:560

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
71⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:580

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
72⤵
PID:2044

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
72⤵
- Suspicious behavior: EnumeratesProcesses
PID:1368

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
73⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1736

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
74⤵
PID:344

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
74⤵
- Suspicious behavior: EnumeratesProcesses
PID:1700

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
75⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2012

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
76⤵
PID:756

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
76⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:472

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
77⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1652

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
78⤵
PID:388

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
78⤵
- Suspicious behavior: EnumeratesProcesses
PID:2032

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
79⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:976

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
80⤵
PID:964

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
80⤵
- Suspicious behavior: EnumeratesProcesses
PID:1500

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
81⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1748

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
82⤵
PID:2040

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
82⤵
- Suspicious behavior: EnumeratesProcesses
PID:984

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
83⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1384

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
84⤵
PID:1020

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
84⤵
- Suspicious behavior: EnumeratesProcesses
PID:1092

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
85⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1968

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
86⤵
PID:1756

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
86⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:936

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
87⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:912

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
88⤵
PID:1704

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
88⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1320

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
89⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1740

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
90⤵
PID:1308

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
90⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:572

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
91⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1652

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
92⤵
PID:836

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
92⤵
- Suspicious behavior: EnumeratesProcesses
PID:1016

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
93⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1736

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
94⤵
PID:1608

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
94⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:772

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
95⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1784

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
96⤵
PID:1728

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
96⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1988

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
97⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:960

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
98⤵
PID:1020

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
98⤵
- Suspicious behavior: EnumeratesProcesses
PID:1428

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
99⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1592

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
100⤵
PID:580

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
100⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:824

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
101⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2012

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
102⤵
PID:1372

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
102⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1196

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
103⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1168

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
104⤵
PID:592

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
104⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1680

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
105⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1100

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
106⤵
PID:932

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
106⤵
- Suspicious behavior: EnumeratesProcesses
PID:1388

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
107⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1608

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
108⤵
PID:1512

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
108⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1364

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
109⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1124

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
110⤵
PID:1728

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
110⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1308

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
111⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1212

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
112⤵
PID:960

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
112⤵
- Suspicious behavior: EnumeratesProcesses
PID:1572

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
113⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1756

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
114⤵
PID:1612

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
114⤵
- Suspicious behavior: EnumeratesProcesses
PID:1552

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
115⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1580

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
116⤵
PID:1468

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
116⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:772

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
117⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1988

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
118⤵
PID:1492

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
118⤵
- Suspicious behavior: EnumeratesProcesses
PID:552

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
119⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1140

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
120⤵
PID:1956

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
120⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1592

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
121⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1460

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
122⤵
PID:1512

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
122⤵
- Suspicious behavior: EnumeratesProcesses
PID:1372

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
123⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1740

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
124⤵
PID:1320

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
124⤵
- Suspicious behavior: EnumeratesProcesses
PID:772

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
125⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1908

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
126⤵
PID:1020

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
126⤵
- Suspicious behavior: EnumeratesProcesses
PID:1204

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
127⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1716

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
128⤵
PID:976

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
128⤵
- Suspicious behavior: EnumeratesProcesses
PID:824

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
129⤵
- Drops file in System32 directory
PID:668

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
130⤵
PID:1196

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
130⤵
- Drops file in System32 directory
PID:2040

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
131⤵
PID:1384

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
132⤵
PID:1748

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
132⤵
PID:772

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
133⤵
PID:1612

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
134⤵
PID:1324

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
134⤵
PID:836

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
135⤵
PID:1824

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
136⤵
PID:272

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
136⤵
PID:1588

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
137⤵
PID:1972

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
138⤵
PID:620

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
138⤵
- Drops file in System32 directory
PID:1452

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
139⤵
PID:1524

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
140⤵
PID:852

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
140⤵
PID:580

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
141⤵
PID:1652

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
142⤵
PID:836

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
142⤵
PID:272

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
143⤵
PID:1836

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
144⤵
PID:1468

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
144⤵
- Drops file in System32 directory
PID:620

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
145⤵
PID:944

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
146⤵
PID:1044

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
146⤵
PID:1908

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
147⤵
PID:956

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
148⤵
PID:908

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
148⤵
PID:1728

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
149⤵
PID:1620

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
150⤵
PID:1196

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
150⤵
PID:672

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
151⤵
PID:1492

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
152⤵
PID:1920

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
152⤵
PID:1044

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
153⤵
PID:852

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
154⤵
PID:808

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
154⤵
PID:1828

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
155⤵
PID:1520

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
156⤵
PID:836

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
156⤵
PID:1904

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
157⤵
PID:1120

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
158⤵
PID:1796

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
158⤵
PID:1584

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
159⤵
PID:1072

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
160⤵
PID:1448

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
160⤵
- Drops file in System32 directory
PID:820

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
161⤵
PID:756

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
162⤵
PID:836

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
162⤵
PID:1520

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
163⤵
- Drops file in System32 directory
PID:864

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
164⤵
PID:1108

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
164⤵
PID:1120

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
165⤵
- Drops file in System32 directory
PID:1592

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
166⤵
PID:1512

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
167⤵
PID:1460

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
168⤵
PID:1732

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
168⤵
- Drops file in System32 directory
PID:1984

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
169⤵
- Drops file in System32 directory
PID:1264

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
170⤵
PID:1796

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
170⤵
PID:1044

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
171⤵
- Drops file in System32 directory
PID:908

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
172⤵
PID:1124

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
172⤵
PID:1360

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
173⤵
- Drops file in System32 directory
PID:1620

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
174⤵
PID:1660

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
174⤵
- Drops file in System32 directory
PID:1136

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
175⤵
- Drops file in System32 directory
PID:1796

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
176⤵
PID:864

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
176⤵
- Drops file in System32 directory
PID:1968

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
177⤵
PID:1592

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
178⤵
PID:1740

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
178⤵
PID:1756

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
179⤵
PID:1748

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
180⤵
PID:1168

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
180⤵
- Drops file in System32 directory
PID:1108

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
181⤵
PID:1140

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
182⤵
PID:1384

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
182⤵
PID:976

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
183⤵
- Drops file in System32 directory
PID:1592

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
184⤵
PID:1992

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
184⤵
PID:852

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
185⤵
- Drops file in System32 directory
PID:1972

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
186⤵
PID:1212

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
186⤵
PID:1172

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
187⤵
PID:1072

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
188⤵
PID:824

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
188⤵
PID:1248

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
166⤵
PID:1704

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
1⤵
PID:1196

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\wmsrvc.exe
Filesize
347KB

MD5
5180d37dfabb7fa22fd7f1a02fc4babb

SHA1
af3037f4c8f0300fa47c71261d70355d3ac66a9a

SHA256
d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043

SHA512
1c1d9ce8f9fe0b1ddac632e532acbb585fec40adc4fcab554db05b0ce4ad17dd672163d916b45e66b67cf2ad68ec018c2137da27408a328b4c28022df82f1937

Download Submit
C:\Windows\SysWOW64\wmsrvc.exe
Filesize
347KB

MD5
5180d37dfabb7fa22fd7f1a02fc4babb

SHA1
af3037f4c8f0300fa47c71261d70355d3ac66a9a

SHA256
d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043

SHA512
1c1d9ce8f9fe0b1ddac632e532acbb585fec40adc4fcab554db05b0ce4ad17dd672163d916b45e66b67cf2ad68ec018c2137da27408a328b4c28022df82f1937

Download Submit
C:\Windows\SysWOW64\wmsrvc.exe
Filesize
347KB

MD5
5180d37dfabb7fa22fd7f1a02fc4babb

SHA1
af3037f4c8f0300fa47c71261d70355d3ac66a9a

SHA256
d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043

SHA512
1c1d9ce8f9fe0b1ddac632e532acbb585fec40adc4fcab554db05b0ce4ad17dd672163d916b45e66b67cf2ad68ec018c2137da27408a328b4c28022df82f1937

Download Submit
C:\Windows\SysWOW64\wmsrvc.exe
Filesize
347KB

MD5
5180d37dfabb7fa22fd7f1a02fc4babb

SHA1
af3037f4c8f0300fa47c71261d70355d3ac66a9a

SHA256
d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043

SHA512
1c1d9ce8f9fe0b1ddac632e532acbb585fec40adc4fcab554db05b0ce4ad17dd672163d916b45e66b67cf2ad68ec018c2137da27408a328b4c28022df82f1937

Download Submit
C:\Windows\SysWOW64\wmsrvc.exe
Filesize
347KB

MD5
5180d37dfabb7fa22fd7f1a02fc4babb

SHA1
af3037f4c8f0300fa47c71261d70355d3ac66a9a

SHA256
d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043

SHA512
1c1d9ce8f9fe0b1ddac632e532acbb585fec40adc4fcab554db05b0ce4ad17dd672163d916b45e66b67cf2ad68ec018c2137da27408a328b4c28022df82f1937

Download Submit
C:\Windows\SysWOW64\wmsrvc.exe
Filesize
347KB

MD5
5180d37dfabb7fa22fd7f1a02fc4babb

SHA1
af3037f4c8f0300fa47c71261d70355d3ac66a9a

SHA256
d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043

SHA512
1c1d9ce8f9fe0b1ddac632e532acbb585fec40adc4fcab554db05b0ce4ad17dd672163d916b45e66b67cf2ad68ec018c2137da27408a328b4c28022df82f1937

Download Submit
C:\Windows\SysWOW64\wmsrvc.exe
Filesize
347KB

MD5
5180d37dfabb7fa22fd7f1a02fc4babb

SHA1
af3037f4c8f0300fa47c71261d70355d3ac66a9a

SHA256
d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043

SHA512
1c1d9ce8f9fe0b1ddac632e532acbb585fec40adc4fcab554db05b0ce4ad17dd672163d916b45e66b67cf2ad68ec018c2137da27408a328b4c28022df82f1937

Download Submit
C:\Windows\SysWOW64\wmsrvc.exe
Filesize
347KB

MD5
5180d37dfabb7fa22fd7f1a02fc4babb

SHA1
af3037f4c8f0300fa47c71261d70355d3ac66a9a

SHA256
d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043

SHA512
1c1d9ce8f9fe0b1ddac632e532acbb585fec40adc4fcab554db05b0ce4ad17dd672163d916b45e66b67cf2ad68ec018c2137da27408a328b4c28022df82f1937

Download Submit
C:\Windows\SysWOW64\wmsrvc.exe
Filesize
347KB

MD5
5180d37dfabb7fa22fd7f1a02fc4babb

SHA1
af3037f4c8f0300fa47c71261d70355d3ac66a9a

SHA256
d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043

SHA512
1c1d9ce8f9fe0b1ddac632e532acbb585fec40adc4fcab554db05b0ce4ad17dd672163d916b45e66b67cf2ad68ec018c2137da27408a328b4c28022df82f1937

Download Submit
C:\Windows\SysWOW64\wmsrvc.exe
Filesize
347KB

MD5
5180d37dfabb7fa22fd7f1a02fc4babb

SHA1
af3037f4c8f0300fa47c71261d70355d3ac66a9a

SHA256
d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043

SHA512
1c1d9ce8f9fe0b1ddac632e532acbb585fec40adc4fcab554db05b0ce4ad17dd672163d916b45e66b67cf2ad68ec018c2137da27408a328b4c28022df82f1937

Download Submit
C:\Windows\SysWOW64\wmsrvc.exe
Filesize
347KB

MD5
5180d37dfabb7fa22fd7f1a02fc4babb

SHA1
af3037f4c8f0300fa47c71261d70355d3ac66a9a

SHA256
d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043

SHA512
1c1d9ce8f9fe0b1ddac632e532acbb585fec40adc4fcab554db05b0ce4ad17dd672163d916b45e66b67cf2ad68ec018c2137da27408a328b4c28022df82f1937

Download Submit
C:\Windows\SysWOW64\wmsrvc.exe
Filesize
347KB

MD5
5180d37dfabb7fa22fd7f1a02fc4babb

SHA1
af3037f4c8f0300fa47c71261d70355d3ac66a9a

SHA256
d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043

SHA512
1c1d9ce8f9fe0b1ddac632e532acbb585fec40adc4fcab554db05b0ce4ad17dd672163d916b45e66b67cf2ad68ec018c2137da27408a328b4c28022df82f1937

Download Submit
C:\Windows\SysWOW64\wmsrvc.exe
Filesize
347KB

MD5
5180d37dfabb7fa22fd7f1a02fc4babb

SHA1
af3037f4c8f0300fa47c71261d70355d3ac66a9a

SHA256
d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043

SHA512
1c1d9ce8f9fe0b1ddac632e532acbb585fec40adc4fcab554db05b0ce4ad17dd672163d916b45e66b67cf2ad68ec018c2137da27408a328b4c28022df82f1937

Download Submit
C:\Windows\SysWOW64\wmsrvc.exe
Filesize
347KB

MD5
5180d37dfabb7fa22fd7f1a02fc4babb

SHA1
af3037f4c8f0300fa47c71261d70355d3ac66a9a

SHA256
d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043

SHA512
1c1d9ce8f9fe0b1ddac632e532acbb585fec40adc4fcab554db05b0ce4ad17dd672163d916b45e66b67cf2ad68ec018c2137da27408a328b4c28022df82f1937

Download Submit
C:\Windows\SysWOW64\wmsrvc.exe
Filesize
347KB

MD5
5180d37dfabb7fa22fd7f1a02fc4babb

SHA1
af3037f4c8f0300fa47c71261d70355d3ac66a9a

SHA256
d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043

SHA512
1c1d9ce8f9fe0b1ddac632e532acbb585fec40adc4fcab554db05b0ce4ad17dd672163d916b45e66b67cf2ad68ec018c2137da27408a328b4c28022df82f1937

Download Submit
C:\Windows\SysWOW64\wmsrvc.exe
Filesize
347KB

MD5
5180d37dfabb7fa22fd7f1a02fc4babb

SHA1
af3037f4c8f0300fa47c71261d70355d3ac66a9a

SHA256
d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043

SHA512
1c1d9ce8f9fe0b1ddac632e532acbb585fec40adc4fcab554db05b0ce4ad17dd672163d916b45e66b67cf2ad68ec018c2137da27408a328b4c28022df82f1937

Download Submit
C:\Windows\SysWOW64\wmsrvc.exe
Filesize
347KB

MD5
5180d37dfabb7fa22fd7f1a02fc4babb

SHA1
af3037f4c8f0300fa47c71261d70355d3ac66a9a

SHA256
d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043

SHA512
1c1d9ce8f9fe0b1ddac632e532acbb585fec40adc4fcab554db05b0ce4ad17dd672163d916b45e66b67cf2ad68ec018c2137da27408a328b4c28022df82f1937

Download Submit
C:\Windows\SysWOW64\wmsrvc.exe
Filesize
347KB

MD5
5180d37dfabb7fa22fd7f1a02fc4babb

SHA1
af3037f4c8f0300fa47c71261d70355d3ac66a9a

SHA256
d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043

SHA512
1c1d9ce8f9fe0b1ddac632e532acbb585fec40adc4fcab554db05b0ce4ad17dd672163d916b45e66b67cf2ad68ec018c2137da27408a328b4c28022df82f1937

Download Submit
C:\Windows\SysWOW64\wmsrvc.exe
Filesize
347KB

MD5
5180d37dfabb7fa22fd7f1a02fc4babb

SHA1
af3037f4c8f0300fa47c71261d70355d3ac66a9a

SHA256
d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043

SHA512
1c1d9ce8f9fe0b1ddac632e532acbb585fec40adc4fcab554db05b0ce4ad17dd672163d916b45e66b67cf2ad68ec018c2137da27408a328b4c28022df82f1937

Download Submit
C:\Windows\SysWOW64\wmsrvc.exe
Filesize
347KB

MD5
5180d37dfabb7fa22fd7f1a02fc4babb

SHA1
af3037f4c8f0300fa47c71261d70355d3ac66a9a

SHA256
d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043

SHA512
1c1d9ce8f9fe0b1ddac632e532acbb585fec40adc4fcab554db05b0ce4ad17dd672163d916b45e66b67cf2ad68ec018c2137da27408a328b4c28022df82f1937

Download Submit
C:\Windows\SysWOW64\wmsrvc.exe
Filesize
347KB

MD5
5180d37dfabb7fa22fd7f1a02fc4babb

SHA1
af3037f4c8f0300fa47c71261d70355d3ac66a9a

SHA256
d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043

SHA512
1c1d9ce8f9fe0b1ddac632e532acbb585fec40adc4fcab554db05b0ce4ad17dd672163d916b45e66b67cf2ad68ec018c2137da27408a328b4c28022df82f1937

Download Submit
C:\Windows\SysWOW64\wmsrvc.exe
Filesize
347KB

MD5
5180d37dfabb7fa22fd7f1a02fc4babb

SHA1
af3037f4c8f0300fa47c71261d70355d3ac66a9a

SHA256
d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043

SHA512
1c1d9ce8f9fe0b1ddac632e532acbb585fec40adc4fcab554db05b0ce4ad17dd672163d916b45e66b67cf2ad68ec018c2137da27408a328b4c28022df82f1937

Download Submit
C:\Windows\SysWOW64\wmsrvc.exe
Filesize
347KB

MD5
5180d37dfabb7fa22fd7f1a02fc4babb

SHA1
af3037f4c8f0300fa47c71261d70355d3ac66a9a

SHA256
d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043

SHA512
1c1d9ce8f9fe0b1ddac632e532acbb585fec40adc4fcab554db05b0ce4ad17dd672163d916b45e66b67cf2ad68ec018c2137da27408a328b4c28022df82f1937

Download Submit
C:\Windows\SysWOW64\wmsrvc.exe
Filesize
347KB

MD5
5180d37dfabb7fa22fd7f1a02fc4babb

SHA1
af3037f4c8f0300fa47c71261d70355d3ac66a9a

SHA256
d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043

SHA512
1c1d9ce8f9fe0b1ddac632e532acbb585fec40adc4fcab554db05b0ce4ad17dd672163d916b45e66b67cf2ad68ec018c2137da27408a328b4c28022df82f1937

Download Submit
C:\Windows\SysWOW64\wmsrvc.exe
Filesize
347KB

MD5
5180d37dfabb7fa22fd7f1a02fc4babb

SHA1
af3037f4c8f0300fa47c71261d70355d3ac66a9a

SHA256
d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043

SHA512
1c1d9ce8f9fe0b1ddac632e532acbb585fec40adc4fcab554db05b0ce4ad17dd672163d916b45e66b67cf2ad68ec018c2137da27408a328b4c28022df82f1937

Download Submit
C:\Windows\SysWOW64\wmsrvc.exe
Filesize
347KB

MD5
5180d37dfabb7fa22fd7f1a02fc4babb

SHA1
af3037f4c8f0300fa47c71261d70355d3ac66a9a

SHA256
d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043

SHA512
1c1d9ce8f9fe0b1ddac632e532acbb585fec40adc4fcab554db05b0ce4ad17dd672163d916b45e66b67cf2ad68ec018c2137da27408a328b4c28022df82f1937

Download Submit
C:\Windows\SysWOW64\wmsrvc.exe
Filesize
347KB

MD5
5180d37dfabb7fa22fd7f1a02fc4babb

SHA1
af3037f4c8f0300fa47c71261d70355d3ac66a9a

SHA256
d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043

SHA512
1c1d9ce8f9fe0b1ddac632e532acbb585fec40adc4fcab554db05b0ce4ad17dd672163d916b45e66b67cf2ad68ec018c2137da27408a328b4c28022df82f1937

Download Submit
C:\Windows\SysWOW64\wmsrvc.exe
Filesize
347KB

MD5
5180d37dfabb7fa22fd7f1a02fc4babb

SHA1
af3037f4c8f0300fa47c71261d70355d3ac66a9a

SHA256
d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043

SHA512
1c1d9ce8f9fe0b1ddac632e532acbb585fec40adc4fcab554db05b0ce4ad17dd672163d916b45e66b67cf2ad68ec018c2137da27408a328b4c28022df82f1937

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Windows\SysWOW64\wmsrvc.exe
Filesize
347KB

MD5
5180d37dfabb7fa22fd7f1a02fc4babb

SHA1
af3037f4c8f0300fa47c71261d70355d3ac66a9a

SHA256
d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043

SHA512
1c1d9ce8f9fe0b1ddac632e532acbb585fec40adc4fcab554db05b0ce4ad17dd672163d916b45e66b67cf2ad68ec018c2137da27408a328b4c28022df82f1937

Download Submit
\Windows\SysWOW64\wmsrvc.exe
Filesize
347KB

MD5
5180d37dfabb7fa22fd7f1a02fc4babb

SHA1
af3037f4c8f0300fa47c71261d70355d3ac66a9a

SHA256
d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043

SHA512
1c1d9ce8f9fe0b1ddac632e532acbb585fec40adc4fcab554db05b0ce4ad17dd672163d916b45e66b67cf2ad68ec018c2137da27408a328b4c28022df82f1937

Download Submit
\Windows\SysWOW64\wmsrvc.exe
Filesize
347KB

MD5
5180d37dfabb7fa22fd7f1a02fc4babb

SHA1
af3037f4c8f0300fa47c71261d70355d3ac66a9a

SHA256
d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043

SHA512
1c1d9ce8f9fe0b1ddac632e532acbb585fec40adc4fcab554db05b0ce4ad17dd672163d916b45e66b67cf2ad68ec018c2137da27408a328b4c28022df82f1937

Download Submit
\Windows\SysWOW64\wmsrvc.exe
Filesize
347KB

MD5
5180d37dfabb7fa22fd7f1a02fc4babb

SHA1
af3037f4c8f0300fa47c71261d70355d3ac66a9a

SHA256
d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043

SHA512
1c1d9ce8f9fe0b1ddac632e532acbb585fec40adc4fcab554db05b0ce4ad17dd672163d916b45e66b67cf2ad68ec018c2137da27408a328b4c28022df82f1937

Download Submit
\Windows\SysWOW64\wmsrvc.exe
Filesize
347KB

MD5
5180d37dfabb7fa22fd7f1a02fc4babb

SHA1
af3037f4c8f0300fa47c71261d70355d3ac66a9a

SHA256
d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043

SHA512
1c1d9ce8f9fe0b1ddac632e532acbb585fec40adc4fcab554db05b0ce4ad17dd672163d916b45e66b67cf2ad68ec018c2137da27408a328b4c28022df82f1937

Download Submit
\Windows\SysWOW64\wmsrvc.exe
Filesize
347KB

MD5
5180d37dfabb7fa22fd7f1a02fc4babb

SHA1
af3037f4c8f0300fa47c71261d70355d3ac66a9a

SHA256
d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043

SHA512
1c1d9ce8f9fe0b1ddac632e532acbb585fec40adc4fcab554db05b0ce4ad17dd672163d916b45e66b67cf2ad68ec018c2137da27408a328b4c28022df82f1937

Download Submit
\Windows\SysWOW64\wmsrvc.exe
Filesize
347KB

MD5
5180d37dfabb7fa22fd7f1a02fc4babb

SHA1
af3037f4c8f0300fa47c71261d70355d3ac66a9a

SHA256
d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043

SHA512
1c1d9ce8f9fe0b1ddac632e532acbb585fec40adc4fcab554db05b0ce4ad17dd672163d916b45e66b67cf2ad68ec018c2137da27408a328b4c28022df82f1937

Download Submit
\Windows\SysWOW64\wmsrvc.exe
Filesize
347KB

MD5
5180d37dfabb7fa22fd7f1a02fc4babb

SHA1
af3037f4c8f0300fa47c71261d70355d3ac66a9a

SHA256
d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043

SHA512
1c1d9ce8f9fe0b1ddac632e532acbb585fec40adc4fcab554db05b0ce4ad17dd672163d916b45e66b67cf2ad68ec018c2137da27408a328b4c28022df82f1937

Download Submit
\Windows\SysWOW64\wmsrvc.exe
Filesize
347KB

MD5
5180d37dfabb7fa22fd7f1a02fc4babb

SHA1
af3037f4c8f0300fa47c71261d70355d3ac66a9a

SHA256
d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043

SHA512
1c1d9ce8f9fe0b1ddac632e532acbb585fec40adc4fcab554db05b0ce4ad17dd672163d916b45e66b67cf2ad68ec018c2137da27408a328b4c28022df82f1937

Download Submit
\Windows\SysWOW64\wmsrvc.exe
Filesize
347KB

MD5
5180d37dfabb7fa22fd7f1a02fc4babb

SHA1
af3037f4c8f0300fa47c71261d70355d3ac66a9a

SHA256
d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043

SHA512
1c1d9ce8f9fe0b1ddac632e532acbb585fec40adc4fcab554db05b0ce4ad17dd672163d916b45e66b67cf2ad68ec018c2137da27408a328b4c28022df82f1937

Download Submit
\Windows\SysWOW64\wmsrvc.exe
Filesize
347KB

MD5
5180d37dfabb7fa22fd7f1a02fc4babb

SHA1
af3037f4c8f0300fa47c71261d70355d3ac66a9a

SHA256
d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043

SHA512
1c1d9ce8f9fe0b1ddac632e532acbb585fec40adc4fcab554db05b0ce4ad17dd672163d916b45e66b67cf2ad68ec018c2137da27408a328b4c28022df82f1937

Download Submit
\Windows\SysWOW64\wmsrvc.exe
Filesize
347KB

MD5
5180d37dfabb7fa22fd7f1a02fc4babb

SHA1
af3037f4c8f0300fa47c71261d70355d3ac66a9a

SHA256
d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043

SHA512
1c1d9ce8f9fe0b1ddac632e532acbb585fec40adc4fcab554db05b0ce4ad17dd672163d916b45e66b67cf2ad68ec018c2137da27408a328b4c28022df82f1937

Download Submit
\Windows\SysWOW64\wmsrvc.exe
Filesize
347KB

MD5
5180d37dfabb7fa22fd7f1a02fc4babb

SHA1
af3037f4c8f0300fa47c71261d70355d3ac66a9a

SHA256
d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043

SHA512
1c1d9ce8f9fe0b1ddac632e532acbb585fec40adc4fcab554db05b0ce4ad17dd672163d916b45e66b67cf2ad68ec018c2137da27408a328b4c28022df82f1937

Download Submit
\Windows\SysWOW64\wmsrvc.exe
Filesize
347KB

MD5
5180d37dfabb7fa22fd7f1a02fc4babb

SHA1
af3037f4c8f0300fa47c71261d70355d3ac66a9a

SHA256
d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043

SHA512
1c1d9ce8f9fe0b1ddac632e532acbb585fec40adc4fcab554db05b0ce4ad17dd672163d916b45e66b67cf2ad68ec018c2137da27408a328b4c28022df82f1937

Download Submit
\Windows\SysWOW64\wmsrvc.exe
Filesize
347KB

MD5
5180d37dfabb7fa22fd7f1a02fc4babb

SHA1
af3037f4c8f0300fa47c71261d70355d3ac66a9a

SHA256
d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043

SHA512
1c1d9ce8f9fe0b1ddac632e532acbb585fec40adc4fcab554db05b0ce4ad17dd672163d916b45e66b67cf2ad68ec018c2137da27408a328b4c28022df82f1937

Download Submit
\Windows\SysWOW64\wmsrvc.exe
Filesize
347KB

MD5
5180d37dfabb7fa22fd7f1a02fc4babb

SHA1
af3037f4c8f0300fa47c71261d70355d3ac66a9a

SHA256
d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043

SHA512
1c1d9ce8f9fe0b1ddac632e532acbb585fec40adc4fcab554db05b0ce4ad17dd672163d916b45e66b67cf2ad68ec018c2137da27408a328b4c28022df82f1937

Download Submit
\Windows\SysWOW64\wmsrvc.exe
Filesize
347KB

MD5
5180d37dfabb7fa22fd7f1a02fc4babb

SHA1
af3037f4c8f0300fa47c71261d70355d3ac66a9a

SHA256
d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043

SHA512
1c1d9ce8f9fe0b1ddac632e532acbb585fec40adc4fcab554db05b0ce4ad17dd672163d916b45e66b67cf2ad68ec018c2137da27408a328b4c28022df82f1937

Download Submit
\Windows\SysWOW64\wmsrvc.exe
Filesize
347KB

MD5
5180d37dfabb7fa22fd7f1a02fc4babb

SHA1
af3037f4c8f0300fa47c71261d70355d3ac66a9a

SHA256
d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043

SHA512
1c1d9ce8f9fe0b1ddac632e532acbb585fec40adc4fcab554db05b0ce4ad17dd672163d916b45e66b67cf2ad68ec018c2137da27408a328b4c28022df82f1937

Download Submit
\Windows\SysWOW64\wmsrvc.exe
Filesize
347KB

MD5
5180d37dfabb7fa22fd7f1a02fc4babb

SHA1
af3037f4c8f0300fa47c71261d70355d3ac66a9a

SHA256
d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043

SHA512
1c1d9ce8f9fe0b1ddac632e532acbb585fec40adc4fcab554db05b0ce4ad17dd672163d916b45e66b67cf2ad68ec018c2137da27408a328b4c28022df82f1937

Download Submit
\Windows\SysWOW64\wmsrvc.exe
Filesize
347KB

MD5
5180d37dfabb7fa22fd7f1a02fc4babb

SHA1
af3037f4c8f0300fa47c71261d70355d3ac66a9a

SHA256
d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043

SHA512
1c1d9ce8f9fe0b1ddac632e532acbb585fec40adc4fcab554db05b0ce4ad17dd672163d916b45e66b67cf2ad68ec018c2137da27408a328b4c28022df82f1937

Download Submit
\Windows\SysWOW64\wmsrvc.exe
Filesize
347KB

MD5
5180d37dfabb7fa22fd7f1a02fc4babb

SHA1
af3037f4c8f0300fa47c71261d70355d3ac66a9a

SHA256
d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043

SHA512
1c1d9ce8f9fe0b1ddac632e532acbb585fec40adc4fcab554db05b0ce4ad17dd672163d916b45e66b67cf2ad68ec018c2137da27408a328b4c28022df82f1937

Download Submit
\Windows\SysWOW64\wmsrvc.exe
Filesize
347KB

MD5
5180d37dfabb7fa22fd7f1a02fc4babb

SHA1
af3037f4c8f0300fa47c71261d70355d3ac66a9a

SHA256
d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043

SHA512
1c1d9ce8f9fe0b1ddac632e532acbb585fec40adc4fcab554db05b0ce4ad17dd672163d916b45e66b67cf2ad68ec018c2137da27408a328b4c28022df82f1937

Download Submit
\Windows\SysWOW64\wmsrvc.exe
Filesize
347KB

MD5
5180d37dfabb7fa22fd7f1a02fc4babb

SHA1
af3037f4c8f0300fa47c71261d70355d3ac66a9a

SHA256
d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043

SHA512
1c1d9ce8f9fe0b1ddac632e532acbb585fec40adc4fcab554db05b0ce4ad17dd672163d916b45e66b67cf2ad68ec018c2137da27408a328b4c28022df82f1937

Download Submit
\Windows\SysWOW64\wmsrvc.exe
Filesize
347KB

MD5
5180d37dfabb7fa22fd7f1a02fc4babb

SHA1
af3037f4c8f0300fa47c71261d70355d3ac66a9a

SHA256
d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043

SHA512
1c1d9ce8f9fe0b1ddac632e532acbb585fec40adc4fcab554db05b0ce4ad17dd672163d916b45e66b67cf2ad68ec018c2137da27408a328b4c28022df82f1937

Download Submit
\Windows\SysWOW64\wmsrvc.exe
Filesize
347KB

MD5
5180d37dfabb7fa22fd7f1a02fc4babb

SHA1
af3037f4c8f0300fa47c71261d70355d3ac66a9a

SHA256
d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043

SHA512
1c1d9ce8f9fe0b1ddac632e532acbb585fec40adc4fcab554db05b0ce4ad17dd672163d916b45e66b67cf2ad68ec018c2137da27408a328b4c28022df82f1937

Download Submit
\Windows\SysWOW64\wmsrvc.exe
Filesize
347KB

MD5
5180d37dfabb7fa22fd7f1a02fc4babb

SHA1
af3037f4c8f0300fa47c71261d70355d3ac66a9a

SHA256
d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043

SHA512
1c1d9ce8f9fe0b1ddac632e532acbb585fec40adc4fcab554db05b0ce4ad17dd672163d916b45e66b67cf2ad68ec018c2137da27408a328b4c28022df82f1937

Download Submit
\Windows\SysWOW64\wmsrvc.exe
Filesize
347KB

MD5
5180d37dfabb7fa22fd7f1a02fc4babb

SHA1
af3037f4c8f0300fa47c71261d70355d3ac66a9a

SHA256
d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043

SHA512
1c1d9ce8f9fe0b1ddac632e532acbb585fec40adc4fcab554db05b0ce4ad17dd672163d916b45e66b67cf2ad68ec018c2137da27408a328b4c28022df82f1937

Download Submit
\Windows\SysWOW64\wmsrvc.exe
Filesize
347KB

MD5
5180d37dfabb7fa22fd7f1a02fc4babb

SHA1
af3037f4c8f0300fa47c71261d70355d3ac66a9a

SHA256
d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043

SHA512
1c1d9ce8f9fe0b1ddac632e532acbb585fec40adc4fcab554db05b0ce4ad17dd672163d916b45e66b67cf2ad68ec018c2137da27408a328b4c28022df82f1937

Download Submit
memory/272-364-0x0000000000000000-mapping.dmp

Download
memory/344-291-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/344-289-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/344-285-0x0000000000431D8B-mapping.dmp

Download
memory/396-184-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/396-174-0x0000000000431D8B-mapping.dmp

Download
memory/456-90-0x0000000000431D8B-mapping.dmp

Download
memory/456-95-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/456-96-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/456-102-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/560-352-0x0000000000000000-mapping.dmp

Download
memory/592-188-0x0000000000000000-mapping.dmp

Download
memory/644-296-0x0000000000431D8B-mapping.dmp

Download
memory/644-301-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/644-303-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/656-190-0x0000000000431D8B-mapping.dmp

Download
memory/656-200-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/672-105-0x0000000000000000-mapping.dmp

Download
memory/812-198-0x0000000000000000-mapping.dmp

Download
memory/848-266-0x0000000000000000-mapping.dmp

Download
memory/860-308-0x0000000000431D8B-mapping.dmp

Download
memory/860-314-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/888-66-0x0000000000000000-mapping.dmp

Download
memory/888-77-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/912-212-0x0000000000000000-mapping.dmp

Download
memory/912-152-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/912-222-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/912-160-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/912-149-0x0000000000000000-mapping.dmp

Download
memory/932-274-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/932-280-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/932-268-0x0000000000431D8B-mapping.dmp

Download
memory/976-348-0x0000000000000000-mapping.dmp

Download
memory/976-302-0x0000000000000000-mapping.dmp

Download
memory/976-310-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/976-60-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/976-356-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/984-294-0x0000000000000000-mapping.dmp

Download
memory/1016-245-0x0000000000000000-mapping.dmp

Download
memory/1016-256-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1048-321-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1048-313-0x0000000000000000-mapping.dmp

Download
memory/1124-217-0x0000000000000000-mapping.dmp

Download
memory/1172-167-0x0000000000000000-mapping.dmp

Download
memory/1172-278-0x0000000000000000-mapping.dmp

Download
memory/1172-376-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1172-176-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1196-172-0x0000000000000000-mapping.dmp

Download
memory/1264-185-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1264-182-0x0000000000000000-mapping.dmp

Download
memory/1360-368-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1360-360-0x0000000000000000-mapping.dmp

Download
memory/1360-111-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1360-100-0x0000000000000000-mapping.dmp

Download
memory/1416-113-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1416-118-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1416-112-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1416-107-0x0000000000431D8B-mapping.dmp

Download
memory/1444-247-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1444-241-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1444-235-0x0000000000431D8B-mapping.dmp

Download
memory/1468-250-0x0000000000000000-mapping.dmp

Download
memory/1472-252-0x0000000000431D8B-mapping.dmp

Download
memory/1472-263-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1472-258-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1472-257-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1492-387-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1512-72-0x0000000000000000-mapping.dmp

Download
memory/1516-205-0x0000000000431D8B-mapping.dmp

Download
memory/1516-214-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1548-370-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1548-371-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1560-233-0x0000000000000000-mapping.dmp

Download
memory/1576-361-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1576-359-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1576-354-0x0000000000431D8B-mapping.dmp

Download
memory/1576-270-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1576-261-0x0000000000000000-mapping.dmp

Download
memory/1580-317-0x0000000000000000-mapping.dmp

Download
memory/1620-88-0x0000000000000000-mapping.dmp

Download
memory/1620-328-0x0000000000000000-mapping.dmp

Download
memory/1652-380-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1652-379-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1672-134-0x0000000003580000-0x00000000035EA000-memory.dmp

Filesize
424KB

Download
memory/1672-135-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1672-129-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1672-123-0x0000000000431D8B-mapping.dmp

Download
memory/1688-74-0x0000000000431D8B-mapping.dmp

Download
memory/1688-79-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1688-80-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1688-85-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1704-283-0x0000000000000000-mapping.dmp

Download
memory/1712-330-0x0000000000431D8B-mapping.dmp

Download
memory/1712-335-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1712-337-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1712-239-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1712-228-0x0000000000000000-mapping.dmp

Download
memory/1716-340-0x0000000000000000-mapping.dmp

Download
memory/1728-324-0x0000000000000000-mapping.dmp

Download
memory/1728-332-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1732-125-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1732-116-0x0000000000000000-mapping.dmp

Download
memory/1740-319-0x0000000000431D8B-mapping.dmp

Download
memory/1740-325-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1752-151-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1752-141-0x0000000000431D8B-mapping.dmp

Download
memory/1752-146-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1760-121-0x0000000000000000-mapping.dmp

Download
memory/1764-203-0x0000000000000000-mapping.dmp

Download
memory/1796-157-0x0000000000431D8B-mapping.dmp

Download
memory/1796-169-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1796-163-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1904-306-0x0000000000000000-mapping.dmp

Download
memory/1912-347-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1912-349-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1912-342-0x0000000000431D8B-mapping.dmp

Download
memory/1924-230-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1924-225-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1924-219-0x0000000000431D8B-mapping.dmp

Download
memory/1924-56-0x0000000000000000-mapping.dmp

Download
memory/1924-224-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1944-83-0x0000000000000000-mapping.dmp

Download
memory/1944-93-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1948-290-0x0000000000000000-mapping.dmp

Download
memory/1948-345-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1948-336-0x0000000000000000-mapping.dmp

Download
memory/1948-298-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1988-145-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1988-133-0x0000000000000000-mapping.dmp

Download
memory/2028-139-0x0000000000000000-mapping.dmp

Download
memory/2032-155-0x0000000000000000-mapping.dmp

Download
memory/2036-57-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2036-68-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2036-63-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2036-62-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2036-61-0x0000000075A81000-0x0000000075A83000-memory.dmp

Filesize
8KB

Download
memory/2036-58-0x0000000000431D8B-mapping.dmp

Download