metasploit | d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043

Analysis

max time kernel
164s
max time network
164s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2022 02:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043.exe
Size

347KB
MD5

5180d37dfabb7fa22fd7f1a02fc4babb
SHA1

af3037f4c8f0300fa47c71261d70355d3ac66a9a
SHA256

d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043
SHA512

1c1d9ce8f9fe0b1ddac632e532acbb585fec40adc4fcab554db05b0ce4ad17dd672163d916b45e66b67cf2ad68ec018c2137da27408a328b4c28022df82f1937
SSDEEP

6144:MxLjTaCEbW1gIPp6nlml+19yxKpbj+mYl+eL:MxWBi3E11pbymYlV

Score

10^/10

metasploit backdoor trojan upx

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Executes dropped EXE 64 IoCs

Processes:

wmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exe

pid	process
4860	wmsrvc.exe
2044	wmsrvc.exe
4304	wmsrvc.exe
4484	wmsrvc.exe
4720	wmsrvc.exe
988	wmsrvc.exe
2440	wmsrvc.exe
3816	wmsrvc.exe
748	wmsrvc.exe
4272	wmsrvc.exe
4416	wmsrvc.exe
4904	wmsrvc.exe
2132	wmsrvc.exe
2288	wmsrvc.exe
4128	wmsrvc.exe
4464	wmsrvc.exe
4404	wmsrvc.exe
4156	wmsrvc.exe
2244	wmsrvc.exe
3020	wmsrvc.exe
2656	wmsrvc.exe
2296	wmsrvc.exe
4440	wmsrvc.exe
2628	wmsrvc.exe
1404	wmsrvc.exe
4392	wmsrvc.exe
1104	wmsrvc.exe
4348	wmsrvc.exe
5116	wmsrvc.exe
3376	wmsrvc.exe
3756	wmsrvc.exe
4836	wmsrvc.exe
3768	wmsrvc.exe
4224	wmsrvc.exe
2260	wmsrvc.exe
4624	wmsrvc.exe
1888	wmsrvc.exe
4428	wmsrvc.exe
4784	wmsrvc.exe
2280	wmsrvc.exe
2372	wmsrvc.exe
4524	wmsrvc.exe
4964	wmsrvc.exe
1524	wmsrvc.exe
1680	wmsrvc.exe
1404	wmsrvc.exe
4256	wmsrvc.exe
2316	wmsrvc.exe
4188	wmsrvc.exe
732	wmsrvc.exe
1852	wmsrvc.exe
3516	wmsrvc.exe
5044	wmsrvc.exe
968	wmsrvc.exe
3656	wmsrvc.exe
3672	wmsrvc.exe
4180	wmsrvc.exe
2584	wmsrvc.exe
3104	wmsrvc.exe
4284	wmsrvc.exe
4168	wmsrvc.exe
4968	wmsrvc.exe
1128	wmsrvc.exe
4076	wmsrvc.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2252-135-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/2252-139-0x0000000000400000-0x000000000046A000-memory.dmp	upx
C:\Windows\SysWOW64\wmsrvc.exe	upx
C:\Windows\SysWOW64\wmsrvc.exe	upx
C:\Windows\SysWOW64\wmsrvc.exe	upx
behavioral2/memory/4860-153-0x0000000000400000-0x000000000046A000-memory.dmp	upx
C:\Windows\SysWOW64\wmsrvc.exe	upx
C:\Windows\SysWOW64\wmsrvc.exe	upx
behavioral2/memory/4304-166-0x0000000000400000-0x000000000046A000-memory.dmp	upx
C:\Windows\SysWOW64\wmsrvc.exe	upx
behavioral2/memory/4720-178-0x0000000000400000-0x000000000046A000-memory.dmp	upx
C:\Windows\SysWOW64\wmsrvc.exe	upx
C:\Windows\SysWOW64\wmsrvc.exe	upx
C:\Windows\SysWOW64\wmsrvc.exe	upx
behavioral2/memory/2440-192-0x0000000000400000-0x000000000046A000-memory.dmp	upx
C:\Windows\SysWOW64\wmsrvc.exe	upx
C:\Windows\SysWOW64\wmsrvc.exe	upx
behavioral2/memory/748-205-0x0000000000400000-0x000000000046A000-memory.dmp	upx
C:\Windows\SysWOW64\wmsrvc.exe	upx
C:\Windows\SysWOW64\wmsrvc.exe	upx
behavioral2/memory/4416-217-0x0000000000400000-0x000000000046A000-memory.dmp	upx
C:\Windows\SysWOW64\wmsrvc.exe	upx
C:\Windows\SysWOW64\wmsrvc.exe	upx
behavioral2/memory/2132-231-0x0000000000400000-0x000000000046A000-memory.dmp	upx
C:\Windows\SysWOW64\wmsrvc.exe	upx
C:\Windows\SysWOW64\wmsrvc.exe	upx
behavioral2/memory/4128-244-0x0000000000400000-0x000000000046A000-memory.dmp	upx
C:\Windows\SysWOW64\wmsrvc.exe	upx
C:\Windows\SysWOW64\wmsrvc.exe	upx
behavioral2/memory/4404-257-0x0000000000400000-0x000000000046A000-memory.dmp	upx
C:\Windows\SysWOW64\wmsrvc.exe	upx
behavioral2/memory/2244-261-0x0000000000400000-0x000000000046A000-memory.dmp	upx
C:\Windows\SysWOW64\wmsrvc.exe	upx
behavioral2/memory/2244-270-0x0000000000400000-0x000000000046A000-memory.dmp	upx
C:\Windows\SysWOW64\wmsrvc.exe	upx
behavioral2/memory/2656-277-0x0000000000400000-0x000000000046A000-memory.dmp	upx
C:\Windows\SysWOW64\wmsrvc.exe	upx
behavioral2/memory/2656-283-0x0000000000400000-0x000000000046A000-memory.dmp	upx
C:\Windows\SysWOW64\wmsrvc.exe	upx
C:\Windows\SysWOW64\wmsrvc.exe	upx
behavioral2/memory/4440-294-0x0000000000400000-0x000000000046A000-memory.dmp	upx
C:\Windows\SysWOW64\wmsrvc.exe	upx
C:\Windows\SysWOW64\wmsrvc.exe	upx
behavioral2/memory/1404-307-0x0000000000400000-0x000000000046A000-memory.dmp	upx
C:\Windows\SysWOW64\wmsrvc.exe	upx
C:\Windows\SysWOW64\wmsrvc.exe	upx
behavioral2/memory/1104-320-0x0000000000400000-0x000000000046A000-memory.dmp	upx
C:\Windows\SysWOW64\wmsrvc.exe	upx
C:\Windows\SysWOW64\wmsrvc.exe	upx
behavioral2/memory/5116-333-0x0000000000400000-0x000000000046A000-memory.dmp	upx
C:\Windows\SysWOW64\wmsrvc.exe	upx
C:\Windows\SysWOW64\wmsrvc.exe	upx
behavioral2/memory/3756-346-0x0000000000400000-0x000000000046A000-memory.dmp	upx
C:\Windows\SysWOW64\wmsrvc.exe	upx
C:\Windows\SysWOW64\wmsrvc.exe	upx
behavioral2/memory/3768-359-0x0000000000400000-0x000000000046A000-memory.dmp	upx
C:\Windows\SysWOW64\wmsrvc.exe	upx
C:\Windows\SysWOW64\wmsrvc.exe	upx
behavioral2/memory/2260-372-0x0000000000400000-0x000000000046A000-memory.dmp	upx
C:\Windows\SysWOW64\wmsrvc.exe	upx
C:\Windows\SysWOW64\wmsrvc.exe	upx
C:\Windows\SysWOW64\wmsrvc.exe	upx
C:\Windows\SysWOW64\wmsrvc.exe	upx
C:\Windows\SysWOW64\wmsrvc.exe	upx

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	wmsrvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	wmsrvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	wmsrvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	wmsrvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	wmsrvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	wmsrvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	wmsrvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	wmsrvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	wmsrvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	wmsrvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	wmsrvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	wmsrvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	wmsrvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	wmsrvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	wmsrvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	wmsrvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	wmsrvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	wmsrvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	wmsrvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	wmsrvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	wmsrvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	wmsrvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	wmsrvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	wmsrvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	wmsrvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	wmsrvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	wmsrvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	wmsrvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	wmsrvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	wmsrvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	wmsrvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	wmsrvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	wmsrvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	wmsrvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	wmsrvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	wmsrvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	wmsrvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	wmsrvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	wmsrvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	wmsrvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	wmsrvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	wmsrvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	wmsrvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	wmsrvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	wmsrvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	wmsrvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	wmsrvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	wmsrvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	wmsrvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	wmsrvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	wmsrvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	wmsrvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	wmsrvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	wmsrvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	wmsrvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	wmsrvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	wmsrvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	wmsrvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	wmsrvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	wmsrvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	wmsrvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	wmsrvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	wmsrvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	wmsrvc.exe

Drops file in System32 directory 64 IoCs

Processes:

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\wmsrvc.exe	wmsrvc.exe
File opened for modification	C:\Windows\SysWOW64\wmsrvc.exe	wmsrvc.exe
File created	C:\Windows\SysWOW64\wmsrvc.exe	wmsrvc.exe
File created	C:\Windows\SysWOW64\wmsrvc.exe	wmsrvc.exe
File created	C:\Windows\SysWOW64\wmsrvc.exe	wmsrvc.exe
File opened for modification	C:\Windows\SysWOW64\wmsrvc.exe	wmsrvc.exe
File created	C:\Windows\SysWOW64\wmsrvc.exe	wmsrvc.exe
File created	C:\Windows\SysWOW64\wmsrvc.exe	wmsrvc.exe
File created	C:\Windows\SysWOW64\wmsrvc.exe	wmsrvc.exe
File created	C:\Windows\SysWOW64\wmsrvc.exe	wmsrvc.exe
File created	C:\Windows\SysWOW64\wmsrvc.exe	wmsrvc.exe
File opened for modification	C:\Windows\SysWOW64\wmsrvc.exe	wmsrvc.exe
File opened for modification	C:\Windows\SysWOW64\wmsrvc.exe	wmsrvc.exe
File opened for modification	C:\Windows\SysWOW64\wmsrvc.exe	wmsrvc.exe
File opened for modification	C:\Windows\SysWOW64\wmsrvc.exe	wmsrvc.exe
File opened for modification	C:\Windows\SysWOW64\wmsrvc.exe	wmsrvc.exe
File opened for modification	C:\Windows\SysWOW64\wmsrvc.exe	wmsrvc.exe
File created	C:\Windows\SysWOW64\wmsrvc.exe	wmsrvc.exe
File opened for modification	C:\Windows\SysWOW64\wmsrvc.exe	wmsrvc.exe
File created	C:\Windows\SysWOW64\wmsrvc.exe	wmsrvc.exe
File opened for modification	C:\Windows\SysWOW64\wmsrvc.exe	wmsrvc.exe
File created	C:\Windows\SysWOW64\wmsrvc.exe	wmsrvc.exe
File opened for modification	C:\Windows\SysWOW64\wmsrvc.exe	wmsrvc.exe
File opened for modification	C:\Windows\SysWOW64\wmsrvc.exe	wmsrvc.exe
File opened for modification	C:\Windows\SysWOW64\wmsrvc.exe	wmsrvc.exe
File opened for modification	C:\Windows\SysWOW64\wmsrvc.exe	wmsrvc.exe
File created	C:\Windows\SysWOW64\wmsrvc.exe	wmsrvc.exe
File opened for modification	C:\Windows\SysWOW64\wmsrvc.exe	wmsrvc.exe
File opened for modification	C:\Windows\SysWOW64\wmsrvc.exe	wmsrvc.exe
File created	C:\Windows\SysWOW64\wmsrvc.exe	wmsrvc.exe
File created	C:\Windows\SysWOW64\wmsrvc.exe	wmsrvc.exe
File created	C:\Windows\SysWOW64\wmsrvc.exe	wmsrvc.exe
File opened for modification	C:\Windows\SysWOW64\wmsrvc.exe	wmsrvc.exe
File opened for modification	C:\Windows\SysWOW64\wmsrvc.exe	wmsrvc.exe
File created	C:\Windows\SysWOW64\wmsrvc.exe	wmsrvc.exe
File created	C:\Windows\SysWOW64\wmsrvc.exe	wmsrvc.exe
File created	C:\Windows\SysWOW64\wmsrvc.exe	wmsrvc.exe
File created	C:\Windows\SysWOW64\wmsrvc.exe	wmsrvc.exe
File created	C:\Windows\SysWOW64\wmsrvc.exe	wmsrvc.exe
File opened for modification	C:\Windows\SysWOW64\wmsrvc.exe	wmsrvc.exe
File opened for modification	C:\Windows\SysWOW64\wmsrvc.exe	wmsrvc.exe
File created	C:\Windows\SysWOW64\wmsrvc.exe	wmsrvc.exe
File opened for modification	C:\Windows\SysWOW64\wmsrvc.exe	wmsrvc.exe
File created	C:\Windows\SysWOW64\wmsrvc.exe	wmsrvc.exe
File created	C:\Windows\SysWOW64\wmsrvc.exe	wmsrvc.exe
File opened for modification	C:\Windows\SysWOW64\wmsrvc.exe	wmsrvc.exe
File opened for modification	C:\Windows\SysWOW64\wmsrvc.exe	wmsrvc.exe
File created	C:\Windows\SysWOW64\wmsrvc.exe	wmsrvc.exe
File created	C:\Windows\SysWOW64\wmsrvc.exe	wmsrvc.exe
File created	C:\Windows\SysWOW64\wmsrvc.exe	wmsrvc.exe
File created	C:\Windows\SysWOW64\wmsrvc.exe	wmsrvc.exe
File created	C:\Windows\SysWOW64\wmsrvc.exe	wmsrvc.exe
File opened for modification	C:\Windows\SysWOW64\wmsrvc.exe	wmsrvc.exe
File created	C:\Windows\SysWOW64\wmsrvc.exe	wmsrvc.exe
File created	C:\Windows\SysWOW64\wmsrvc.exe	wmsrvc.exe
File opened for modification	C:\Windows\SysWOW64\wmsrvc.exe	wmsrvc.exe
File opened for modification	C:\Windows\SysWOW64\wmsrvc.exe	wmsrvc.exe
File opened for modification	C:\Windows\SysWOW64\wmsrvc.exe	wmsrvc.exe
File created	C:\Windows\SysWOW64\wmsrvc.exe	wmsrvc.exe
File opened for modification	C:\Windows\SysWOW64\wmsrvc.exe	wmsrvc.exe
File created	C:\Windows\SysWOW64\wmsrvc.exe	wmsrvc.exe
File opened for modification	C:\Windows\SysWOW64\wmsrvc.exe	wmsrvc.exe
File opened for modification	C:\Windows\SysWOW64\wmsrvc.exe	wmsrvc.exe
File opened for modification	C:\Windows\SysWOW64\wmsrvc.exe	wmsrvc.exe

Suspicious use of SetThreadContext 64 IoCs

Processes:

d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exe

description	pid	process	target process
PID 2252 set thread context of 3972	2252	d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043.exe	d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043.exe
PID 4860 set thread context of 2044	4860	wmsrvc.exe	wmsrvc.exe
PID 4304 set thread context of 4484	4304	wmsrvc.exe	wmsrvc.exe
PID 4720 set thread context of 988	4720	wmsrvc.exe	wmsrvc.exe
PID 2440 set thread context of 3816	2440	wmsrvc.exe	wmsrvc.exe
PID 748 set thread context of 4272	748	wmsrvc.exe	wmsrvc.exe
PID 4416 set thread context of 4904	4416	wmsrvc.exe	wmsrvc.exe
PID 2132 set thread context of 2288	2132	wmsrvc.exe	wmsrvc.exe
PID 4128 set thread context of 4464	4128	wmsrvc.exe	wmsrvc.exe
PID 4404 set thread context of 4156	4404	wmsrvc.exe	wmsrvc.exe
PID 2244 set thread context of 3020	2244	wmsrvc.exe	wmsrvc.exe
PID 2656 set thread context of 2296	2656	wmsrvc.exe	wmsrvc.exe
PID 4440 set thread context of 2628	4440	wmsrvc.exe	wmsrvc.exe
PID 1404 set thread context of 4392	1404	wmsrvc.exe	wmsrvc.exe
PID 1104 set thread context of 4348	1104	wmsrvc.exe	wmsrvc.exe
PID 5116 set thread context of 3376	5116	wmsrvc.exe	wmsrvc.exe
PID 3756 set thread context of 4836	3756	wmsrvc.exe	wmsrvc.exe
PID 3768 set thread context of 4224	3768	wmsrvc.exe	wmsrvc.exe
PID 2260 set thread context of 4624	2260	wmsrvc.exe	wmsrvc.exe
PID 1888 set thread context of 4428	1888	wmsrvc.exe	wmsrvc.exe
PID 4784 set thread context of 2280	4784	wmsrvc.exe	wmsrvc.exe
PID 2372 set thread context of 4524	2372	wmsrvc.exe	wmsrvc.exe
PID 4964 set thread context of 1524	4964	wmsrvc.exe	wmsrvc.exe
PID 1680 set thread context of 1404	1680	wmsrvc.exe	wmsrvc.exe
PID 4256 set thread context of 2316	4256	wmsrvc.exe	wmsrvc.exe
PID 4188 set thread context of 732	4188	wmsrvc.exe	wmsrvc.exe
PID 1852 set thread context of 3516	1852	wmsrvc.exe	wmsrvc.exe
PID 5044 set thread context of 968	5044	wmsrvc.exe	wmsrvc.exe
PID 3656 set thread context of 3672	3656	wmsrvc.exe	wmsrvc.exe
PID 4180 set thread context of 2584	4180	wmsrvc.exe	wmsrvc.exe
PID 3104 set thread context of 4284	3104	wmsrvc.exe	wmsrvc.exe
PID 4168 set thread context of 4968	4168	wmsrvc.exe	wmsrvc.exe
PID 1128 set thread context of 4076	1128	wmsrvc.exe	wmsrvc.exe
PID 1748 set thread context of 5004	1748	wmsrvc.exe	wmsrvc.exe
PID 2608 set thread context of 1528	2608	wmsrvc.exe	wmsrvc.exe
PID 4552 set thread context of 1488	4552	wmsrvc.exe	wmsrvc.exe
PID 4468 set thread context of 3740	4468	wmsrvc.exe	wmsrvc.exe
PID 1348 set thread context of 4972	1348	wmsrvc.exe	wmsrvc.exe
PID 1852 set thread context of 700	1852	wmsrvc.exe	wmsrvc.exe
PID 4460 set thread context of 2380	4460	wmsrvc.exe	wmsrvc.exe
PID 4204 set thread context of 3696	4204	wmsrvc.exe	wmsrvc.exe
PID 2708 set thread context of 3096	2708	wmsrvc.exe	wmsrvc.exe
PID 1384 set thread context of 3064	1384	wmsrvc.exe	wmsrvc.exe
PID 4784 set thread context of 1724	4784	wmsrvc.exe	wmsrvc.exe
PID 3420 set thread context of 4696	3420	wmsrvc.exe	wmsrvc.exe
PID 1380 set thread context of 812	1380	wmsrvc.exe	wmsrvc.exe
PID 1680 set thread context of 3124	1680	wmsrvc.exe	wmsrvc.exe
PID 4164 set thread context of 1480	4164	wmsrvc.exe	wmsrvc.exe
PID 2732 set thread context of 4580	2732	wmsrvc.exe	wmsrvc.exe
PID 4652 set thread context of 1884	4652	wmsrvc.exe	wmsrvc.exe
PID 2936 set thread context of 4928	2936	wmsrvc.exe	wmsrvc.exe
PID 4604 set thread context of 5000	4604	wmsrvc.exe	wmsrvc.exe
PID 1544 set thread context of 1860	1544	wmsrvc.exe	wmsrvc.exe
PID 2360 set thread context of 1688	2360	wmsrvc.exe	wmsrvc.exe
PID 2648 set thread context of 3384	2648	wmsrvc.exe	wmsrvc.exe
PID 3440 set thread context of 4060	3440	wmsrvc.exe	wmsrvc.exe
PID 4964 set thread context of 872	4964	wmsrvc.exe	wmsrvc.exe
PID 2368 set thread context of 2032	2368	wmsrvc.exe	wmsrvc.exe
PID 4552 set thread context of 5016	4552	wmsrvc.exe	wmsrvc.exe
PID 2440 set thread context of 600	2440	wmsrvc.exe	wmsrvc.exe
PID 4064 set thread context of 580	4064	wmsrvc.exe	wmsrvc.exe
PID 4640 set thread context of 3732	4640	wmsrvc.exe	wmsrvc.exe
PID 2332 set thread context of 4504	2332	wmsrvc.exe	wmsrvc.exe
PID 1508 set thread context of 1084	1508	wmsrvc.exe	wmsrvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 64 IoCs

Processes:

wmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exed3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmsrvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmsrvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmsrvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmsrvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmsrvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmsrvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmsrvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmsrvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmsrvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmsrvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmsrvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmsrvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmsrvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmsrvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmsrvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmsrvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmsrvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmsrvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmsrvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmsrvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmsrvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmsrvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmsrvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmsrvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmsrvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmsrvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmsrvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmsrvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmsrvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmsrvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmsrvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmsrvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmsrvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmsrvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmsrvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmsrvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmsrvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmsrvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmsrvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmsrvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmsrvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmsrvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmsrvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmsrvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmsrvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmsrvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmsrvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmsrvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmsrvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmsrvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmsrvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmsrvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmsrvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmsrvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmsrvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmsrvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmsrvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmsrvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmsrvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmsrvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmsrvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmsrvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmsrvc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

pid	process
3972	d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043.exe
3972	d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043.exe
2044	wmsrvc.exe
2044	wmsrvc.exe
4484	wmsrvc.exe
4484	wmsrvc.exe
988	wmsrvc.exe
988	wmsrvc.exe
3816	wmsrvc.exe
3816	wmsrvc.exe
4272	wmsrvc.exe
4272	wmsrvc.exe
4904	wmsrvc.exe
4904	wmsrvc.exe
2288	wmsrvc.exe
2288	wmsrvc.exe
4464	wmsrvc.exe
4464	wmsrvc.exe
4156	wmsrvc.exe
4156	wmsrvc.exe
3020	wmsrvc.exe
3020	wmsrvc.exe
2296	wmsrvc.exe
2296	wmsrvc.exe
2628	wmsrvc.exe
2628	wmsrvc.exe
4392	wmsrvc.exe
4392	wmsrvc.exe
4348	wmsrvc.exe
4348	wmsrvc.exe
3376	wmsrvc.exe
3376	wmsrvc.exe
4836	wmsrvc.exe
4836	wmsrvc.exe
4224	wmsrvc.exe
4224	wmsrvc.exe
4624	wmsrvc.exe
4624	wmsrvc.exe
4428	wmsrvc.exe
4428	wmsrvc.exe
2280	wmsrvc.exe
2280	wmsrvc.exe
4524	wmsrvc.exe
4524	wmsrvc.exe
1524	wmsrvc.exe
1524	wmsrvc.exe
1404	wmsrvc.exe
1404	wmsrvc.exe
2316	wmsrvc.exe
2316	wmsrvc.exe
732	wmsrvc.exe
732	wmsrvc.exe
3516	wmsrvc.exe
3516	wmsrvc.exe
968	wmsrvc.exe
968	wmsrvc.exe
3672	wmsrvc.exe
3672	wmsrvc.exe
2584	wmsrvc.exe
2584	wmsrvc.exe
4284	wmsrvc.exe
4284	wmsrvc.exe
4968	wmsrvc.exe
4968	wmsrvc.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

pid	process
2252	d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043.exe
4860	wmsrvc.exe
4304	wmsrvc.exe
4720	wmsrvc.exe
2440	wmsrvc.exe
748	wmsrvc.exe
4416	wmsrvc.exe
2132	wmsrvc.exe
4128	wmsrvc.exe
4404	wmsrvc.exe
2244	wmsrvc.exe
2656	wmsrvc.exe
4440	wmsrvc.exe
1404	wmsrvc.exe
1104	wmsrvc.exe
5116	wmsrvc.exe
3756	wmsrvc.exe
3768	wmsrvc.exe
2260	wmsrvc.exe
1888	wmsrvc.exe
4784	wmsrvc.exe
2372	wmsrvc.exe
4964	wmsrvc.exe
1680	wmsrvc.exe
4256	wmsrvc.exe
4188	wmsrvc.exe
1852	wmsrvc.exe
5044	wmsrvc.exe
3656	wmsrvc.exe
4180	wmsrvc.exe
3104	wmsrvc.exe
4168	wmsrvc.exe
1128	wmsrvc.exe
1748	wmsrvc.exe
2608	wmsrvc.exe
4552	wmsrvc.exe
4468	wmsrvc.exe
1348	wmsrvc.exe
1852	wmsrvc.exe
4460	wmsrvc.exe
4204	wmsrvc.exe
2708	wmsrvc.exe
1384	wmsrvc.exe
4784	wmsrvc.exe
3420	wmsrvc.exe
1380	wmsrvc.exe
1680	wmsrvc.exe
4164	wmsrvc.exe
2732	wmsrvc.exe
4652	wmsrvc.exe
2936	wmsrvc.exe
4604	wmsrvc.exe
1544	wmsrvc.exe
2360	wmsrvc.exe
2648	wmsrvc.exe
3440	wmsrvc.exe
4964	wmsrvc.exe
2368	wmsrvc.exe
4552	wmsrvc.exe
2440	wmsrvc.exe
4064	wmsrvc.exe
4640	wmsrvc.exe
2332	wmsrvc.exe
1508	wmsrvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043.exed3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exewmsrvc.exe

description	pid	process	target process
PID 2252 wrote to memory of 2160	2252	d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043.exe	cmd.exe
PID 2252 wrote to memory of 2160	2252	d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043.exe	cmd.exe
PID 2252 wrote to memory of 2160	2252	d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043.exe	cmd.exe
PID 2252 wrote to memory of 3972	2252	d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043.exe	d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043.exe
PID 2252 wrote to memory of 3972	2252	d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043.exe	d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043.exe
PID 2252 wrote to memory of 3972	2252	d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043.exe	d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043.exe
PID 2252 wrote to memory of 3972	2252	d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043.exe	d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043.exe
PID 2252 wrote to memory of 3972	2252	d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043.exe	d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043.exe
PID 2252 wrote to memory of 3972	2252	d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043.exe	d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043.exe
PID 2252 wrote to memory of 3972	2252	d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043.exe	d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043.exe
PID 2252 wrote to memory of 3972	2252	d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043.exe	d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043.exe
PID 3972 wrote to memory of 4860	3972	d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043.exe	wmsrvc.exe
PID 3972 wrote to memory of 4860	3972	d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043.exe	wmsrvc.exe
PID 3972 wrote to memory of 4860	3972	d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043.exe	wmsrvc.exe
PID 4860 wrote to memory of 4576	4860	wmsrvc.exe	cmd.exe
PID 4860 wrote to memory of 4576	4860	wmsrvc.exe	cmd.exe
PID 4860 wrote to memory of 4576	4860	wmsrvc.exe	cmd.exe
PID 4860 wrote to memory of 2044	4860	wmsrvc.exe	wmsrvc.exe
PID 4860 wrote to memory of 2044	4860	wmsrvc.exe	wmsrvc.exe
PID 4860 wrote to memory of 2044	4860	wmsrvc.exe	wmsrvc.exe
PID 4860 wrote to memory of 2044	4860	wmsrvc.exe	wmsrvc.exe
PID 4860 wrote to memory of 2044	4860	wmsrvc.exe	wmsrvc.exe
PID 4860 wrote to memory of 2044	4860	wmsrvc.exe	wmsrvc.exe
PID 4860 wrote to memory of 2044	4860	wmsrvc.exe	wmsrvc.exe
PID 4860 wrote to memory of 2044	4860	wmsrvc.exe	wmsrvc.exe
PID 2044 wrote to memory of 4304	2044	wmsrvc.exe	wmsrvc.exe
PID 2044 wrote to memory of 4304	2044	wmsrvc.exe	wmsrvc.exe
PID 2044 wrote to memory of 4304	2044	wmsrvc.exe	wmsrvc.exe
PID 4304 wrote to memory of 4324	4304	wmsrvc.exe	cmd.exe
PID 4304 wrote to memory of 4324	4304	wmsrvc.exe	cmd.exe
PID 4304 wrote to memory of 4324	4304	wmsrvc.exe	cmd.exe
PID 4304 wrote to memory of 4484	4304	wmsrvc.exe	wmsrvc.exe
PID 4304 wrote to memory of 4484	4304	wmsrvc.exe	wmsrvc.exe
PID 4304 wrote to memory of 4484	4304	wmsrvc.exe	wmsrvc.exe
PID 4304 wrote to memory of 4484	4304	wmsrvc.exe	wmsrvc.exe
PID 4304 wrote to memory of 4484	4304	wmsrvc.exe	wmsrvc.exe
PID 4304 wrote to memory of 4484	4304	wmsrvc.exe	wmsrvc.exe
PID 4304 wrote to memory of 4484	4304	wmsrvc.exe	wmsrvc.exe
PID 4304 wrote to memory of 4484	4304	wmsrvc.exe	wmsrvc.exe
PID 4484 wrote to memory of 4720	4484	wmsrvc.exe	wmsrvc.exe
PID 4484 wrote to memory of 4720	4484	wmsrvc.exe	wmsrvc.exe
PID 4484 wrote to memory of 4720	4484	wmsrvc.exe	wmsrvc.exe
PID 4720 wrote to memory of 4620	4720	wmsrvc.exe	cmd.exe
PID 4720 wrote to memory of 4620	4720	wmsrvc.exe	cmd.exe
PID 4720 wrote to memory of 4620	4720	wmsrvc.exe	cmd.exe
PID 4720 wrote to memory of 988	4720	wmsrvc.exe	wmsrvc.exe
PID 4720 wrote to memory of 988	4720	wmsrvc.exe	wmsrvc.exe
PID 4720 wrote to memory of 988	4720	wmsrvc.exe	wmsrvc.exe
PID 4720 wrote to memory of 988	4720	wmsrvc.exe	wmsrvc.exe
PID 4720 wrote to memory of 988	4720	wmsrvc.exe	wmsrvc.exe
PID 4720 wrote to memory of 988	4720	wmsrvc.exe	wmsrvc.exe
PID 4720 wrote to memory of 988	4720	wmsrvc.exe	wmsrvc.exe
PID 4720 wrote to memory of 988	4720	wmsrvc.exe	wmsrvc.exe
PID 988 wrote to memory of 2440	988	wmsrvc.exe	wmsrvc.exe
PID 988 wrote to memory of 2440	988	wmsrvc.exe	wmsrvc.exe
PID 988 wrote to memory of 2440	988	wmsrvc.exe	wmsrvc.exe
PID 2440 wrote to memory of 3740	2440	wmsrvc.exe	cmd.exe
PID 2440 wrote to memory of 3740	2440	wmsrvc.exe	cmd.exe
PID 2440 wrote to memory of 3740	2440	wmsrvc.exe	cmd.exe
PID 2440 wrote to memory of 3816	2440	wmsrvc.exe	wmsrvc.exe
PID 2440 wrote to memory of 3816	2440	wmsrvc.exe	wmsrvc.exe
PID 2440 wrote to memory of 3816	2440	wmsrvc.exe	wmsrvc.exe
PID 2440 wrote to memory of 3816	2440	wmsrvc.exe	wmsrvc.exe
PID 2440 wrote to memory of 3816	2440	wmsrvc.exe	wmsrvc.exe

C:\Users\Admin\AppData\Local\Temp\d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043.exe
"C:\Users\Admin\AppData\Local\Temp\d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2252

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
2⤵
PID:2160

C:\Users\Admin\AppData\Local\Temp\d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043.exe
"C:\Users\Admin\AppData\Local\Temp\d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043.exe"
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3972

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Users\Admin\AppData\Local\Temp\D3A5CE~1.EXE
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4860

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
4⤵
PID:4576

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2044

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4304

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
6⤵
PID:4324

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
6⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4484

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4720

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
8⤵
PID:4620

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:988

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
9⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2440

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
10⤵
PID:3740

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
10⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3816

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
11⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:748

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
12⤵
PID:3856

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
12⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4272

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
13⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4416

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
14⤵
PID:380

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
14⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
PID:4904

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
15⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2132

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
16⤵
PID:876

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
16⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2288

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
17⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4128

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
18⤵
PID:4500

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
18⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4464

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
19⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4404

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
20⤵
PID:4388

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
20⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:4156

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
21⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2244

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
22⤵
PID:4192

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
22⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
PID:3020

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
23⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2656

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
24⤵
PID:904

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
24⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
PID:2296

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
25⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4440

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
26⤵
PID:4372

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
26⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2628

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
27⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1404

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
28⤵
PID:3680

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
28⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4392

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
29⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1104

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
30⤵
PID:260

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
30⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4348

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
31⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:5116

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
32⤵
PID:1120

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
32⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3376

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
33⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3756

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
34⤵
PID:3516

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
34⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4836

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
35⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3768

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
36⤵
PID:3216

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
36⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4224

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
37⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2260

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
38⤵
PID:1544

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
38⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:4624

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
39⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1888

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
40⤵
PID:1664

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
40⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:4428

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
41⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4784

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
42⤵
PID:5024

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
42⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2280

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
43⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2372

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
44⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4524

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
45⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4964

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
46⤵
PID:4636

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
46⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1524

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
47⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1680

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
48⤵
PID:4400

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
48⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1404

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
49⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4256

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
50⤵
PID:3416

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
50⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2316

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
51⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4188

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
52⤵
PID:2440

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
52⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:732

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
53⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1852

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
54⤵
PID:4480

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
54⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3516

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
55⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:5044

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
56⤵
PID:1792

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
56⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
PID:968

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
57⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3656

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
58⤵
PID:400

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
58⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:3672

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
59⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4180

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
60⤵
PID:2172

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
60⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2584

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
61⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3104

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
62⤵
PID:3204

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
62⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4284

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
63⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4168

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
64⤵
PID:2052

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
64⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4968

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
65⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1128

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
66⤵
PID:3420

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
66⤵
- Executes dropped EXE
- Checks computer location settings
PID:4076

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
67⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1748

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
68⤵
PID:2104

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
68⤵
- Checks computer location settings
PID:5004

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
69⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2608

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
70⤵
PID:5012

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
70⤵
- Checks computer location settings
PID:1528

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
71⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4552

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
72⤵
PID:3200

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
72⤵
- Checks computer location settings
PID:1488

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
73⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4468

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
74⤵
PID:1120

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
74⤵
PID:3740

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
75⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1348

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
76⤵
PID:1620

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
76⤵
- Checks computer location settings
- Drops file in System32 directory
PID:4972

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
77⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1852

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
78⤵
PID:4520

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
78⤵
- Modifies registry class
PID:700

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
79⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4460

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
80⤵
PID:1792

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
80⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
PID:2380

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
81⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4204

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
82⤵
PID:400

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
82⤵
PID:3696

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
83⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2708

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
84⤵
PID:544

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
84⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
PID:3096

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
85⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1384

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
86⤵
PID:3104

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
86⤵
PID:3064

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
87⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4784

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
88⤵
PID:4920

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
88⤵
- Checks computer location settings
PID:1724

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
89⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3420

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
90⤵
PID:3952

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
90⤵
- Modifies registry class
PID:4696

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
91⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1380

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
92⤵
PID:872

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
92⤵
- Checks computer location settings
- Drops file in System32 directory
PID:812

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
93⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1680

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
94⤵
PID:2128

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
94⤵
- Checks computer location settings
PID:3124

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
95⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4164

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
96⤵
PID:1244

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
96⤵
- Drops file in System32 directory
- Modifies registry class
PID:1480

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
97⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2732

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
98⤵
PID:2116

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
98⤵
PID:4580

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
99⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4652

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
100⤵
PID:748

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
100⤵
- Checks computer location settings
PID:1884

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
101⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2936

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
102⤵
PID:3128

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
102⤵
- Checks computer location settings
PID:4928

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
103⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4604

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
104⤵
PID:4504

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
104⤵
- Modifies registry class
PID:5000

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
105⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1544

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
106⤵
PID:3804

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
106⤵
- Checks computer location settings
- Drops file in System32 directory
PID:1860

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
107⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2360

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
108⤵
PID:2236

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
108⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
PID:1688

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
109⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2648

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
110⤵
PID:4168

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
110⤵
PID:3384

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
111⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3440

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
112⤵
PID:3940

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
112⤵
- Modifies registry class
PID:4060

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
113⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4964

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
114⤵
PID:1124

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
114⤵
PID:872

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
115⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2368

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
116⤵
PID:1684

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
116⤵
- Checks computer location settings
- Modifies registry class
PID:2032

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
117⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4552

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
118⤵
PID:2304

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
118⤵
- Drops file in System32 directory
PID:5016

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
119⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2440

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
120⤵
PID:5060

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
120⤵
PID:600

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
121⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4064

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
122⤵
PID:4744

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
122⤵
- Checks computer location settings
- Modifies registry class
PID:580

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
123⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4640

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
124⤵
PID:3344

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
124⤵
- Modifies registry class
PID:3732

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
125⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2332

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
126⤵
PID:392

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
126⤵
PID:4504

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
127⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1508

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
128⤵
PID:2840

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
128⤵
PID:1084

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
129⤵
PID:1424

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
130⤵
PID:1384

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
130⤵
PID:3204

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
131⤵
PID:2220

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
132⤵
PID:4264

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
132⤵
PID:2432

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
133⤵
PID:1332

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
134⤵
PID:4956

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
134⤵
- Checks computer location settings
PID:448

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
135⤵
- Drops file in System32 directory
PID:2412

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
136⤵
PID:4780

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
136⤵
PID:4708

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
137⤵
- Drops file in System32 directory
PID:5040

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
138⤵
PID:3428

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
138⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
PID:4080

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
139⤵
PID:3460

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
140⤵
PID:1680

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
140⤵
- Checks computer location settings
PID:4212

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
141⤵
- Drops file in System32 directory
PID:2924

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
142⤵
PID:5016

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
142⤵
- Drops file in System32 directory
PID:1788

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
143⤵
PID:4576

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
144⤵
PID:1056

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
144⤵
- Drops file in System32 directory
PID:1000

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
145⤵
PID:3196

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
146⤵
PID:2308

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
146⤵
- Drops file in System32 directory
- Modifies registry class
PID:3128

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
147⤵
PID:3752

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
148⤵
PID:3768

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
148⤵
- Checks computer location settings
- Modifies registry class
PID:2340

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
149⤵
PID:2720

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
150⤵
PID:4540

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
150⤵
PID:2516

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
151⤵
PID:4180

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
152⤵
PID:4980

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
152⤵
- Checks computer location settings
PID:4420

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
153⤵
PID:2556

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
154⤵
PID:3864

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
154⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
PID:1268

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
155⤵
PID:2244

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
156⤵
PID:4984

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
156⤵
- Modifies registry class
PID:3924

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
157⤵
PID:3952

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
158⤵
PID:448

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
158⤵
PID:3912

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
159⤵
PID:4304

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
160⤵
PID:4492

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
160⤵
- Drops file in System32 directory
- Modifies registry class
PID:4400

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
161⤵
PID:3396

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
162⤵
PID:3400

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
162⤵
PID:1336

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
163⤵
PID:4312

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
164⤵
PID:3416

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
164⤵
- Modifies registry class
PID:3200

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
165⤵
PID:3068

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
166⤵
PID:3856

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
166⤵
PID:5064

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
167⤵
PID:1056

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
168⤵
PID:4816

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
168⤵
- Checks computer location settings
PID:4892

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
169⤵
PID:2068

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
170⤵
PID:4884

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
170⤵
PID:4640

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
171⤵
PID:392

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
172⤵
PID:2356

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
172⤵
PID:2860

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
173⤵
PID:2336

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
174⤵
PID:1508

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
174⤵
- Drops file in System32 directory
PID:4192

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
175⤵
PID:3464

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
176⤵
PID:2236

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
176⤵
PID:2708

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
177⤵
PID:2960

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
178⤵
PID:2476

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
178⤵
- Modifies registry class
PID:1444

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
179⤵
PID:1512

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
180⤵
PID:3384

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
180⤵
PID:4508

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
181⤵
PID:1340

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
182⤵
PID:1676

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
182⤵
- Modifies registry class
PID:2128

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
183⤵
PID:4528

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
184⤵
PID:4760

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
184⤵
- Modifies registry class
PID:4552

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
185⤵
PID:1364

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
186⤵
PID:260

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
186⤵
- Drops file in System32 directory
PID:8

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
187⤵
- Drops file in System32 directory
PID:2924

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
188⤵
PID:5016

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
188⤵
- Checks computer location settings
PID:2192

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
189⤵
PID:1892

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
190⤵
PID:920

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
190⤵
PID:1056

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
191⤵
PID:3216

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
192⤵
PID:1880

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
192⤵
PID:2308

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
193⤵
PID:5044

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
194⤵
PID:3656

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
194⤵
- Checks computer location settings
PID:2512

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
195⤵
PID:4044

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
196⤵
PID:1704

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
196⤵
- Modifies registry class
PID:2056

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
197⤵
- Drops file in System32 directory
PID:1888

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
198⤵
PID:2220

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
198⤵
- Checks computer location settings
PID:2176

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
199⤵
PID:3864

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
200⤵
PID:3424

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
200⤵
- Checks computer location settings
- Modifies registry class
PID:636

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
201⤵
PID:3420

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
202⤵
PID:3328

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
202⤵
- Drops file in System32 directory
- Modifies registry class
PID:3760

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
203⤵
PID:2104

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
204⤵
PID:3524

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
204⤵
- Checks computer location settings
PID:3348

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
205⤵
PID:2528

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
206⤵
PID:3400

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
206⤵
PID:2112

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
207⤵
PID:4256

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
208⤵
PID:4328

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
208⤵
- Checks computer location settings
- Modifies registry class
PID:3416

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
209⤵
- Drops file in System32 directory
PID:4656

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
210⤵
PID:2440

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
210⤵
- Drops file in System32 directory
- Modifies registry class
PID:3708

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
211⤵
PID:4724

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
212⤵
PID:4324

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
212⤵
- Checks computer location settings
- Modifies registry class
PID:4332

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
213⤵
PID:4480

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
214⤵
PID:3504

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
214⤵
- Checks computer location settings
PID:3216

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
215⤵
PID:2068

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
216⤵
PID:5092

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
216⤵
- Checks computer location settings
PID:5104

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
217⤵
PID:392

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
218⤵
PID:3056

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
218⤵
- Checks computer location settings
PID:4044

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
219⤵
PID:1060

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
220⤵
PID:1516

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
220⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
PID:2360

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
221⤵
PID:5024

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
222⤵
PID:2052

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
222⤵
PID:3864

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
223⤵
PID:1280

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
224⤵
PID:4568

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
224⤵
- Drops file in System32 directory
PID:4496

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
225⤵
PID:4716

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
226⤵
PID:4820

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
226⤵
PID:1656

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
227⤵
PID:4092

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
228⤵
PID:4320

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
228⤵
- Checks computer location settings
- Drops file in System32 directory
PID:3400

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
229⤵
PID:5108

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
230⤵
PID:1660

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
230⤵
- Checks computer location settings
PID:1244

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
231⤵
PID:908

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
232⤵
PID:1120

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
232⤵
PID:4656

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
233⤵
PID:1892

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
234⤵
PID:696

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
234⤵
- Modifies registry class
PID:5032

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
235⤵
PID:2936

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
236⤵
PID:1080

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
236⤵
- Checks computer location settings
PID:3648

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
237⤵
PID:544

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
238⤵
PID:3768

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
238⤵
PID:3916

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
239⤵
PID:3624

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
240⤵
PID:392

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
240⤵
- Checks computer location settings
- Modifies registry class
PID:4160

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
241⤵
PID:2656

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
242⤵
PID:3464

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
242⤵
- Checks computer location settings
PID:3340

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
243⤵
PID:1936

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
244⤵
PID:5024

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
244⤵
- Modifies registry class
PID:3268

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
245⤵
PID:2324

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
246⤵
PID:2160

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
246⤵
- Checks computer location settings
- Drops file in System32 directory
PID:1464

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
247⤵
PID:4508

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
248⤵
PID:2412

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
248⤵
- Modifies registry class
PID:4716

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
249⤵
PID:2184

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
250⤵
PID:4636

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
250⤵
PID:3488

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
251⤵
PID:3484

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
252⤵
PID:3124

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
252⤵
- Modifies registry class
PID:5108

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
253⤵
PID:4164

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
254⤵
PID:3724

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
254⤵
- Drops file in System32 directory
- Modifies registry class
PID:1900

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
255⤵
PID:1608

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
256⤵
PID:452

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
256⤵
- Modifies registry class
PID:3068

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
257⤵
PID:408

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
258⤵
PID:1248

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
258⤵
- Checks computer location settings
PID:2936

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
259⤵
- Drops file in System32 directory
PID:2752

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
260⤵
PID:5092

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
260⤵
PID:3804

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
261⤵
- Drops file in System32 directory
PID:4176

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
262⤵
PID:1508

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
262⤵
- Checks computer location settings
PID:4980

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
263⤵
PID:3156

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
264⤵
PID:2948

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
264⤵
- Modifies registry class
PID:1292

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
265⤵
- Drops file in System32 directory
PID:2476

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
266⤵
PID:1008

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
266⤵
PID:5020

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
267⤵
PID:4936

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
268⤵
PID:1168

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
268⤵
- Modifies registry class
PID:3440

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
269⤵
PID:3116

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
270⤵
PID:5040

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
270⤵
- Drops file in System32 directory
- Modifies registry class
PID:4692

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
271⤵
PID:4584

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
272⤵
PID:4964

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
272⤵
- Checks computer location settings
- Modifies registry class
PID:4092

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
273⤵
PID:956

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
274⤵
PID:4760

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
274⤵
- Checks computer location settings
PID:4328

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
275⤵
- Drops file in System32 directory
PID:4940

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
276⤵
PID:4188

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
276⤵
- Checks computer location settings
PID:3628

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
277⤵
- Drops file in System32 directory
PID:4684

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
278⤵
PID:4704

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
278⤵
- Checks computer location settings
- Modifies registry class
PID:4724

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
279⤵
PID:3936

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
280⤵
PID:2908

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
280⤵
PID:3216

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
281⤵
PID:408

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
282⤵
PID:5068

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
282⤵
PID:4880

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
283⤵
PID:4268

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
284⤵
PID:2356

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
284⤵
- Drops file in System32 directory
PID:3024

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
285⤵
PID:1144

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
286⤵
PID:3192

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
286⤵
- Drops file in System32 directory
- Modifies registry class
PID:1256

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
287⤵
PID:2648

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
288⤵
PID:4728

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
288⤵
- Modifies registry class
PID:808

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
289⤵
PID:3268

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
290⤵
PID:3420

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
290⤵
- Modifies registry class
PID:2432

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
291⤵
PID:1124

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
292⤵
PID:1128

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
292⤵
- Modifies registry class
PID:2412

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
293⤵
PID:4236

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
294⤵
PID:4608

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
294⤵
- Checks computer location settings
PID:4368

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
295⤵
PID:2608

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
296⤵
PID:4720

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
296⤵
- Drops file in System32 directory
PID:3396

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
297⤵
- Drops file in System32 directory
PID:4552

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
298⤵
PID:4868

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
298⤵
- Checks computer location settings
PID:780

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
299⤵
PID:1496

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
300⤵
PID:4164

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
300⤵
PID:2916

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
301⤵
PID:4684

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
302⤵
PID:4296

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
302⤵
- Drops file in System32 directory
PID:4152

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
303⤵
PID:3980

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
304⤵
PID:2908

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
304⤵
- Drops file in System32 directory
- Modifies registry class
PID:4132

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
305⤵
PID:1792

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
306⤵
PID:1140

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
306⤵
- Modifies registry class
PID:596

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
307⤵
PID:3752

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
308⤵
PID:5092

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
308⤵
- Modifies registry class
PID:4856

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
309⤵
PID:4176

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
310⤵
PID:2332

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
310⤵
- Checks computer location settings
PID:3024

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
311⤵
PID:2840

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
312⤵
PID:3464

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
312⤵
- Checks computer location settings
PID:2964

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
313⤵
PID:2476

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
314⤵
PID:1936

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
314⤵
PID:2160

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
315⤵
PID:4872

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
316⤵
PID:404

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
316⤵
- Drops file in System32 directory
PID:3444

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
317⤵
PID:5040

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
318⤵
PID:4612

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
318⤵
PID:4668

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
319⤵
PID:4636

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
320⤵
PID:2528

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
320⤵
- Drops file in System32 directory
- Modifies registry class
PID:4020

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
321⤵
PID:4760

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
322⤵
PID:1288

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
322⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
PID:1660

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
323⤵
PID:2364

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
324⤵
PID:3680

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
324⤵
- Checks computer location settings
PID:3720

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
325⤵
PID:1540

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
326⤵
PID:5056

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
326⤵
- Drops file in System32 directory
- Modifies registry class
PID:4232

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
327⤵
PID:3576

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
328⤵
PID:4520

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
328⤵
- Modifies registry class
PID:2080

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
329⤵
PID:3344

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
330⤵
PID:2068

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
330⤵
PID:3012

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
331⤵
PID:4204

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
332⤵
PID:924

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
332⤵
- Drops file in System32 directory
- Modifies registry class
PID:4460

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
333⤵
PID:3572

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
334⤵
PID:4196

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
334⤵
PID:1828

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
335⤵
PID:1704

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
336⤵
PID:3192

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
336⤵
- Checks computer location settings
PID:4544

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\system32\wmsrvc.exe" C:\Windows\SysWOW64\wmsrvc.exe
337⤵
- Drops file in System32 directory
PID:2052

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
338⤵
PID:1700

C:\Windows\SysWOW64\wmsrvc.exe
"C:\Windows\SysWOW64\wmsrvc.exe"
338⤵
PID:4936

C:\Windows\SysWOW64\cmd.exe
cmd /c u³ ErâXA1H&x€Lþ„¼¡øòÙüBŽ‹6Rþâ‚Ø
44⤵
PID:3136

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\wmsrvc.exe

Filesize
347KB

MD5
5180d37dfabb7fa22fd7f1a02fc4babb

SHA1
af3037f4c8f0300fa47c71261d70355d3ac66a9a

SHA256
d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043

SHA512
1c1d9ce8f9fe0b1ddac632e532acbb585fec40adc4fcab554db05b0ce4ad17dd672163d916b45e66b67cf2ad68ec018c2137da27408a328b4c28022df82f1937

Download Submit
C:\Windows\SysWOW64\wmsrvc.exe

Filesize
347KB

MD5
5180d37dfabb7fa22fd7f1a02fc4babb

SHA1
af3037f4c8f0300fa47c71261d70355d3ac66a9a

SHA256
d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043

SHA512
1c1d9ce8f9fe0b1ddac632e532acbb585fec40adc4fcab554db05b0ce4ad17dd672163d916b45e66b67cf2ad68ec018c2137da27408a328b4c28022df82f1937

Download Submit
C:\Windows\SysWOW64\wmsrvc.exe

Filesize
347KB

MD5
5180d37dfabb7fa22fd7f1a02fc4babb

SHA1
af3037f4c8f0300fa47c71261d70355d3ac66a9a

SHA256
d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043

SHA512
1c1d9ce8f9fe0b1ddac632e532acbb585fec40adc4fcab554db05b0ce4ad17dd672163d916b45e66b67cf2ad68ec018c2137da27408a328b4c28022df82f1937

Download Submit
C:\Windows\SysWOW64\wmsrvc.exe

Filesize
347KB

MD5
5180d37dfabb7fa22fd7f1a02fc4babb

SHA1
af3037f4c8f0300fa47c71261d70355d3ac66a9a

SHA256
d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043

SHA512
1c1d9ce8f9fe0b1ddac632e532acbb585fec40adc4fcab554db05b0ce4ad17dd672163d916b45e66b67cf2ad68ec018c2137da27408a328b4c28022df82f1937

Download Submit
C:\Windows\SysWOW64\wmsrvc.exe

Filesize
347KB

MD5
5180d37dfabb7fa22fd7f1a02fc4babb

SHA1
af3037f4c8f0300fa47c71261d70355d3ac66a9a

SHA256
d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043

SHA512
1c1d9ce8f9fe0b1ddac632e532acbb585fec40adc4fcab554db05b0ce4ad17dd672163d916b45e66b67cf2ad68ec018c2137da27408a328b4c28022df82f1937

Download Submit
C:\Windows\SysWOW64\wmsrvc.exe

Filesize
347KB

MD5
5180d37dfabb7fa22fd7f1a02fc4babb

SHA1
af3037f4c8f0300fa47c71261d70355d3ac66a9a

SHA256
d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043

SHA512
1c1d9ce8f9fe0b1ddac632e532acbb585fec40adc4fcab554db05b0ce4ad17dd672163d916b45e66b67cf2ad68ec018c2137da27408a328b4c28022df82f1937

Download Submit
C:\Windows\SysWOW64\wmsrvc.exe

Filesize
347KB

MD5
5180d37dfabb7fa22fd7f1a02fc4babb

SHA1
af3037f4c8f0300fa47c71261d70355d3ac66a9a

SHA256
d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043

SHA512
1c1d9ce8f9fe0b1ddac632e532acbb585fec40adc4fcab554db05b0ce4ad17dd672163d916b45e66b67cf2ad68ec018c2137da27408a328b4c28022df82f1937

Download Submit
C:\Windows\SysWOW64\wmsrvc.exe

Filesize
347KB

MD5
5180d37dfabb7fa22fd7f1a02fc4babb

SHA1
af3037f4c8f0300fa47c71261d70355d3ac66a9a

SHA256
d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043

SHA512
1c1d9ce8f9fe0b1ddac632e532acbb585fec40adc4fcab554db05b0ce4ad17dd672163d916b45e66b67cf2ad68ec018c2137da27408a328b4c28022df82f1937

Download Submit
C:\Windows\SysWOW64\wmsrvc.exe

Filesize
347KB

MD5
5180d37dfabb7fa22fd7f1a02fc4babb

SHA1
af3037f4c8f0300fa47c71261d70355d3ac66a9a

SHA256
d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043

SHA512
1c1d9ce8f9fe0b1ddac632e532acbb585fec40adc4fcab554db05b0ce4ad17dd672163d916b45e66b67cf2ad68ec018c2137da27408a328b4c28022df82f1937

Download Submit
C:\Windows\SysWOW64\wmsrvc.exe

Filesize
347KB

MD5
5180d37dfabb7fa22fd7f1a02fc4babb

SHA1
af3037f4c8f0300fa47c71261d70355d3ac66a9a

SHA256
d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043

SHA512
1c1d9ce8f9fe0b1ddac632e532acbb585fec40adc4fcab554db05b0ce4ad17dd672163d916b45e66b67cf2ad68ec018c2137da27408a328b4c28022df82f1937

Download Submit
C:\Windows\SysWOW64\wmsrvc.exe

Filesize
347KB

MD5
5180d37dfabb7fa22fd7f1a02fc4babb

SHA1
af3037f4c8f0300fa47c71261d70355d3ac66a9a

SHA256
d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043

SHA512
1c1d9ce8f9fe0b1ddac632e532acbb585fec40adc4fcab554db05b0ce4ad17dd672163d916b45e66b67cf2ad68ec018c2137da27408a328b4c28022df82f1937

Download Submit
C:\Windows\SysWOW64\wmsrvc.exe

Filesize
347KB

MD5
5180d37dfabb7fa22fd7f1a02fc4babb

SHA1
af3037f4c8f0300fa47c71261d70355d3ac66a9a

SHA256
d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043

SHA512
1c1d9ce8f9fe0b1ddac632e532acbb585fec40adc4fcab554db05b0ce4ad17dd672163d916b45e66b67cf2ad68ec018c2137da27408a328b4c28022df82f1937

Download Submit
C:\Windows\SysWOW64\wmsrvc.exe

Filesize
347KB

MD5
5180d37dfabb7fa22fd7f1a02fc4babb

SHA1
af3037f4c8f0300fa47c71261d70355d3ac66a9a

SHA256
d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043

SHA512
1c1d9ce8f9fe0b1ddac632e532acbb585fec40adc4fcab554db05b0ce4ad17dd672163d916b45e66b67cf2ad68ec018c2137da27408a328b4c28022df82f1937

Download Submit
C:\Windows\SysWOW64\wmsrvc.exe

Filesize
347KB

MD5
5180d37dfabb7fa22fd7f1a02fc4babb

SHA1
af3037f4c8f0300fa47c71261d70355d3ac66a9a

SHA256
d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043

SHA512
1c1d9ce8f9fe0b1ddac632e532acbb585fec40adc4fcab554db05b0ce4ad17dd672163d916b45e66b67cf2ad68ec018c2137da27408a328b4c28022df82f1937

Download Submit
C:\Windows\SysWOW64\wmsrvc.exe

Filesize
347KB

MD5
5180d37dfabb7fa22fd7f1a02fc4babb

SHA1
af3037f4c8f0300fa47c71261d70355d3ac66a9a

SHA256
d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043

SHA512
1c1d9ce8f9fe0b1ddac632e532acbb585fec40adc4fcab554db05b0ce4ad17dd672163d916b45e66b67cf2ad68ec018c2137da27408a328b4c28022df82f1937

Download Submit
C:\Windows\SysWOW64\wmsrvc.exe

Filesize
347KB

MD5
5180d37dfabb7fa22fd7f1a02fc4babb

SHA1
af3037f4c8f0300fa47c71261d70355d3ac66a9a

SHA256
d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043

SHA512
1c1d9ce8f9fe0b1ddac632e532acbb585fec40adc4fcab554db05b0ce4ad17dd672163d916b45e66b67cf2ad68ec018c2137da27408a328b4c28022df82f1937

Download Submit
C:\Windows\SysWOW64\wmsrvc.exe

Filesize
347KB

MD5
5180d37dfabb7fa22fd7f1a02fc4babb

SHA1
af3037f4c8f0300fa47c71261d70355d3ac66a9a

SHA256
d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043

SHA512
1c1d9ce8f9fe0b1ddac632e532acbb585fec40adc4fcab554db05b0ce4ad17dd672163d916b45e66b67cf2ad68ec018c2137da27408a328b4c28022df82f1937

Download Submit
C:\Windows\SysWOW64\wmsrvc.exe

Filesize
347KB

MD5
5180d37dfabb7fa22fd7f1a02fc4babb

SHA1
af3037f4c8f0300fa47c71261d70355d3ac66a9a

SHA256
d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043

SHA512
1c1d9ce8f9fe0b1ddac632e532acbb585fec40adc4fcab554db05b0ce4ad17dd672163d916b45e66b67cf2ad68ec018c2137da27408a328b4c28022df82f1937

Download Submit
C:\Windows\SysWOW64\wmsrvc.exe

Filesize
347KB

MD5
5180d37dfabb7fa22fd7f1a02fc4babb

SHA1
af3037f4c8f0300fa47c71261d70355d3ac66a9a

SHA256
d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043

SHA512
1c1d9ce8f9fe0b1ddac632e532acbb585fec40adc4fcab554db05b0ce4ad17dd672163d916b45e66b67cf2ad68ec018c2137da27408a328b4c28022df82f1937

Download Submit
C:\Windows\SysWOW64\wmsrvc.exe

Filesize
347KB

MD5
5180d37dfabb7fa22fd7f1a02fc4babb

SHA1
af3037f4c8f0300fa47c71261d70355d3ac66a9a

SHA256
d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043

SHA512
1c1d9ce8f9fe0b1ddac632e532acbb585fec40adc4fcab554db05b0ce4ad17dd672163d916b45e66b67cf2ad68ec018c2137da27408a328b4c28022df82f1937

Download Submit
C:\Windows\SysWOW64\wmsrvc.exe

Filesize
347KB

MD5
5180d37dfabb7fa22fd7f1a02fc4babb

SHA1
af3037f4c8f0300fa47c71261d70355d3ac66a9a

SHA256
d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043

SHA512
1c1d9ce8f9fe0b1ddac632e532acbb585fec40adc4fcab554db05b0ce4ad17dd672163d916b45e66b67cf2ad68ec018c2137da27408a328b4c28022df82f1937

Download Submit
C:\Windows\SysWOW64\wmsrvc.exe

Filesize
347KB

MD5
5180d37dfabb7fa22fd7f1a02fc4babb

SHA1
af3037f4c8f0300fa47c71261d70355d3ac66a9a

SHA256
d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043

SHA512
1c1d9ce8f9fe0b1ddac632e532acbb585fec40adc4fcab554db05b0ce4ad17dd672163d916b45e66b67cf2ad68ec018c2137da27408a328b4c28022df82f1937

Download Submit
C:\Windows\SysWOW64\wmsrvc.exe

Filesize
347KB

MD5
5180d37dfabb7fa22fd7f1a02fc4babb

SHA1
af3037f4c8f0300fa47c71261d70355d3ac66a9a

SHA256
d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043

SHA512
1c1d9ce8f9fe0b1ddac632e532acbb585fec40adc4fcab554db05b0ce4ad17dd672163d916b45e66b67cf2ad68ec018c2137da27408a328b4c28022df82f1937

Download Submit
C:\Windows\SysWOW64\wmsrvc.exe

Filesize
347KB

MD5
5180d37dfabb7fa22fd7f1a02fc4babb

SHA1
af3037f4c8f0300fa47c71261d70355d3ac66a9a

SHA256
d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043

SHA512
1c1d9ce8f9fe0b1ddac632e532acbb585fec40adc4fcab554db05b0ce4ad17dd672163d916b45e66b67cf2ad68ec018c2137da27408a328b4c28022df82f1937

Download Submit
C:\Windows\SysWOW64\wmsrvc.exe

Filesize
347KB

MD5
5180d37dfabb7fa22fd7f1a02fc4babb

SHA1
af3037f4c8f0300fa47c71261d70355d3ac66a9a

SHA256
d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043

SHA512
1c1d9ce8f9fe0b1ddac632e532acbb585fec40adc4fcab554db05b0ce4ad17dd672163d916b45e66b67cf2ad68ec018c2137da27408a328b4c28022df82f1937

Download Submit
C:\Windows\SysWOW64\wmsrvc.exe

Filesize
347KB

MD5
5180d37dfabb7fa22fd7f1a02fc4babb

SHA1
af3037f4c8f0300fa47c71261d70355d3ac66a9a

SHA256
d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043

SHA512
1c1d9ce8f9fe0b1ddac632e532acbb585fec40adc4fcab554db05b0ce4ad17dd672163d916b45e66b67cf2ad68ec018c2137da27408a328b4c28022df82f1937

Download Submit
C:\Windows\SysWOW64\wmsrvc.exe

Filesize
347KB

MD5
5180d37dfabb7fa22fd7f1a02fc4babb

SHA1
af3037f4c8f0300fa47c71261d70355d3ac66a9a

SHA256
d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043

SHA512
1c1d9ce8f9fe0b1ddac632e532acbb585fec40adc4fcab554db05b0ce4ad17dd672163d916b45e66b67cf2ad68ec018c2137da27408a328b4c28022df82f1937

Download Submit
C:\Windows\SysWOW64\wmsrvc.exe

Filesize
347KB

MD5
5180d37dfabb7fa22fd7f1a02fc4babb

SHA1
af3037f4c8f0300fa47c71261d70355d3ac66a9a

SHA256
d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043

SHA512
1c1d9ce8f9fe0b1ddac632e532acbb585fec40adc4fcab554db05b0ce4ad17dd672163d916b45e66b67cf2ad68ec018c2137da27408a328b4c28022df82f1937

Download Submit
C:\Windows\SysWOW64\wmsrvc.exe

Filesize
347KB

MD5
5180d37dfabb7fa22fd7f1a02fc4babb

SHA1
af3037f4c8f0300fa47c71261d70355d3ac66a9a

SHA256
d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043

SHA512
1c1d9ce8f9fe0b1ddac632e532acbb585fec40adc4fcab554db05b0ce4ad17dd672163d916b45e66b67cf2ad68ec018c2137da27408a328b4c28022df82f1937

Download Submit
C:\Windows\SysWOW64\wmsrvc.exe

Filesize
347KB

MD5
5180d37dfabb7fa22fd7f1a02fc4babb

SHA1
af3037f4c8f0300fa47c71261d70355d3ac66a9a

SHA256
d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043

SHA512
1c1d9ce8f9fe0b1ddac632e532acbb585fec40adc4fcab554db05b0ce4ad17dd672163d916b45e66b67cf2ad68ec018c2137da27408a328b4c28022df82f1937

Download Submit
C:\Windows\SysWOW64\wmsrvc.exe

Filesize
347KB

MD5
5180d37dfabb7fa22fd7f1a02fc4babb

SHA1
af3037f4c8f0300fa47c71261d70355d3ac66a9a

SHA256
d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043

SHA512
1c1d9ce8f9fe0b1ddac632e532acbb585fec40adc4fcab554db05b0ce4ad17dd672163d916b45e66b67cf2ad68ec018c2137da27408a328b4c28022df82f1937

Download Submit
C:\Windows\SysWOW64\wmsrvc.exe

Filesize
347KB

MD5
5180d37dfabb7fa22fd7f1a02fc4babb

SHA1
af3037f4c8f0300fa47c71261d70355d3ac66a9a

SHA256
d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043

SHA512
1c1d9ce8f9fe0b1ddac632e532acbb585fec40adc4fcab554db05b0ce4ad17dd672163d916b45e66b67cf2ad68ec018c2137da27408a328b4c28022df82f1937

Download Submit
C:\Windows\SysWOW64\wmsrvc.exe

Filesize
347KB

MD5
5180d37dfabb7fa22fd7f1a02fc4babb

SHA1
af3037f4c8f0300fa47c71261d70355d3ac66a9a

SHA256
d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043

SHA512
1c1d9ce8f9fe0b1ddac632e532acbb585fec40adc4fcab554db05b0ce4ad17dd672163d916b45e66b67cf2ad68ec018c2137da27408a328b4c28022df82f1937

Download Submit
C:\Windows\SysWOW64\wmsrvc.exe

Filesize
347KB

MD5
5180d37dfabb7fa22fd7f1a02fc4babb

SHA1
af3037f4c8f0300fa47c71261d70355d3ac66a9a

SHA256
d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043

SHA512
1c1d9ce8f9fe0b1ddac632e532acbb585fec40adc4fcab554db05b0ce4ad17dd672163d916b45e66b67cf2ad68ec018c2137da27408a328b4c28022df82f1937

Download Submit
C:\Windows\SysWOW64\wmsrvc.exe

Filesize
347KB

MD5
5180d37dfabb7fa22fd7f1a02fc4babb

SHA1
af3037f4c8f0300fa47c71261d70355d3ac66a9a

SHA256
d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043

SHA512
1c1d9ce8f9fe0b1ddac632e532acbb585fec40adc4fcab554db05b0ce4ad17dd672163d916b45e66b67cf2ad68ec018c2137da27408a328b4c28022df82f1937

Download Submit
C:\Windows\SysWOW64\wmsrvc.exe

Filesize
347KB

MD5
5180d37dfabb7fa22fd7f1a02fc4babb

SHA1
af3037f4c8f0300fa47c71261d70355d3ac66a9a

SHA256
d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043

SHA512
1c1d9ce8f9fe0b1ddac632e532acbb585fec40adc4fcab554db05b0ce4ad17dd672163d916b45e66b67cf2ad68ec018c2137da27408a328b4c28022df82f1937

Download Submit
C:\Windows\SysWOW64\wmsrvc.exe

Filesize
347KB

MD5
5180d37dfabb7fa22fd7f1a02fc4babb

SHA1
af3037f4c8f0300fa47c71261d70355d3ac66a9a

SHA256
d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043

SHA512
1c1d9ce8f9fe0b1ddac632e532acbb585fec40adc4fcab554db05b0ce4ad17dd672163d916b45e66b67cf2ad68ec018c2137da27408a328b4c28022df82f1937

Download Submit
C:\Windows\SysWOW64\wmsrvc.exe

Filesize
347KB

MD5
5180d37dfabb7fa22fd7f1a02fc4babb

SHA1
af3037f4c8f0300fa47c71261d70355d3ac66a9a

SHA256
d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043

SHA512
1c1d9ce8f9fe0b1ddac632e532acbb585fec40adc4fcab554db05b0ce4ad17dd672163d916b45e66b67cf2ad68ec018c2137da27408a328b4c28022df82f1937

Download Submit
C:\Windows\SysWOW64\wmsrvc.exe

Filesize
347KB

MD5
5180d37dfabb7fa22fd7f1a02fc4babb

SHA1
af3037f4c8f0300fa47c71261d70355d3ac66a9a

SHA256
d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043

SHA512
1c1d9ce8f9fe0b1ddac632e532acbb585fec40adc4fcab554db05b0ce4ad17dd672163d916b45e66b67cf2ad68ec018c2137da27408a328b4c28022df82f1937

Download Submit
C:\Windows\SysWOW64\wmsrvc.exe

Filesize
347KB

MD5
5180d37dfabb7fa22fd7f1a02fc4babb

SHA1
af3037f4c8f0300fa47c71261d70355d3ac66a9a

SHA256
d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043

SHA512
1c1d9ce8f9fe0b1ddac632e532acbb585fec40adc4fcab554db05b0ce4ad17dd672163d916b45e66b67cf2ad68ec018c2137da27408a328b4c28022df82f1937

Download Submit
C:\Windows\SysWOW64\wmsrvc.exe

Filesize
347KB

MD5
5180d37dfabb7fa22fd7f1a02fc4babb

SHA1
af3037f4c8f0300fa47c71261d70355d3ac66a9a

SHA256
d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043

SHA512
1c1d9ce8f9fe0b1ddac632e532acbb585fec40adc4fcab554db05b0ce4ad17dd672163d916b45e66b67cf2ad68ec018c2137da27408a328b4c28022df82f1937

Download Submit
C:\Windows\SysWOW64\wmsrvc.exe

Filesize
347KB

MD5
5180d37dfabb7fa22fd7f1a02fc4babb

SHA1
af3037f4c8f0300fa47c71261d70355d3ac66a9a

SHA256
d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043

SHA512
1c1d9ce8f9fe0b1ddac632e532acbb585fec40adc4fcab554db05b0ce4ad17dd672163d916b45e66b67cf2ad68ec018c2137da27408a328b4c28022df82f1937

Download Submit
C:\Windows\SysWOW64\wmsrvc.exe

Filesize
347KB

MD5
5180d37dfabb7fa22fd7f1a02fc4babb

SHA1
af3037f4c8f0300fa47c71261d70355d3ac66a9a

SHA256
d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043

SHA512
1c1d9ce8f9fe0b1ddac632e532acbb585fec40adc4fcab554db05b0ce4ad17dd672163d916b45e66b67cf2ad68ec018c2137da27408a328b4c28022df82f1937

Download Submit
C:\Windows\SysWOW64\wmsrvc.exe

Filesize
347KB

MD5
5180d37dfabb7fa22fd7f1a02fc4babb

SHA1
af3037f4c8f0300fa47c71261d70355d3ac66a9a

SHA256
d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043

SHA512
1c1d9ce8f9fe0b1ddac632e532acbb585fec40adc4fcab554db05b0ce4ad17dd672163d916b45e66b67cf2ad68ec018c2137da27408a328b4c28022df82f1937

Download Submit
C:\Windows\SysWOW64\wmsrvc.exe

Filesize
347KB

MD5
5180d37dfabb7fa22fd7f1a02fc4babb

SHA1
af3037f4c8f0300fa47c71261d70355d3ac66a9a

SHA256
d3a5ce6ad491e40495d04c7c715e927d6fd72f3b8101f8c3f8cfc6a1e4d9a043

SHA512
1c1d9ce8f9fe0b1ddac632e532acbb585fec40adc4fcab554db05b0ce4ad17dd672163d916b45e66b67cf2ad68ec018c2137da27408a328b4c28022df82f1937

Download Submit
memory/260-314-0x0000000000000000-mapping.dmp

Download
memory/380-212-0x0000000000000000-mapping.dmp

Download
memory/748-205-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/748-194-0x0000000000000000-mapping.dmp

Download
memory/876-225-0x0000000000000000-mapping.dmp

Download
memory/904-276-0x0000000000000000-mapping.dmp

Download
memory/988-183-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/988-179-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/988-177-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/988-180-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/988-174-0x0000000000000000-mapping.dmp

Download
memory/1104-320-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1104-309-0x0000000000000000-mapping.dmp

Download
memory/1120-327-0x0000000000000000-mapping.dmp

Download
memory/1404-296-0x0000000000000000-mapping.dmp

Download
memory/1404-307-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1524-418-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1544-366-0x0000000000000000-mapping.dmp

Download
memory/1664-379-0x0000000000000000-mapping.dmp

Download
memory/1680-423-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1888-374-0x0000000000000000-mapping.dmp

Download
memory/2044-149-0x0000000000000000-mapping.dmp

Download
memory/2044-157-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2044-152-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2044-154-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2132-220-0x0000000000000000-mapping.dmp

Download
memory/2132-231-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2160-134-0x0000000000000000-mapping.dmp

Download
memory/2244-270-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2244-261-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2244-258-0x0000000000000000-mapping.dmp

Download
memory/2252-135-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2252-139-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2260-361-0x0000000000000000-mapping.dmp

Download
memory/2260-372-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2280-396-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2280-392-0x0000000000000000-mapping.dmp

Download
memory/2280-400-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2280-395-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2280-397-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2288-226-0x0000000000000000-mapping.dmp

Download
memory/2288-235-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2288-232-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2288-230-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2288-229-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2296-281-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2296-278-0x0000000000000000-mapping.dmp

Download
memory/2296-282-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2296-286-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2372-398-0x0000000000000000-mapping.dmp

Download
memory/2440-192-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2440-181-0x0000000000000000-mapping.dmp

Download
memory/2628-298-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2628-290-0x0000000000000000-mapping.dmp

Download
memory/2628-293-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2628-295-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2656-271-0x0000000000000000-mapping.dmp

Download
memory/2656-277-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2656-283-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/3020-268-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3020-265-0x0000000000000000-mapping.dmp

Download
memory/3020-269-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3020-273-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3136-403-0x0000000000000000-mapping.dmp

Download
memory/3216-353-0x0000000000000000-mapping.dmp

Download
memory/3376-328-0x0000000000000000-mapping.dmp

Download
memory/3376-332-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3376-337-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3376-331-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3376-334-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3516-340-0x0000000000000000-mapping.dmp

Download
memory/3680-301-0x0000000000000000-mapping.dmp

Download
memory/3740-186-0x0000000000000000-mapping.dmp

Download
memory/3756-335-0x0000000000000000-mapping.dmp

Download
memory/3756-346-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/3768-359-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/3768-348-0x0000000000000000-mapping.dmp

Download
memory/3816-191-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3816-190-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3816-187-0x0000000000000000-mapping.dmp

Download
memory/3816-196-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3816-193-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3856-199-0x0000000000000000-mapping.dmp

Download
memory/3972-138-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3972-141-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3972-146-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3972-140-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3972-137-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3972-136-0x0000000000000000-mapping.dmp

Download
memory/4128-233-0x0000000000000000-mapping.dmp

Download
memory/4128-244-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4156-252-0x0000000000000000-mapping.dmp

Download
memory/4156-260-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4156-256-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4156-255-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4192-264-0x0000000000000000-mapping.dmp

Download
memory/4224-360-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4224-363-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4224-354-0x0000000000000000-mapping.dmp

Download
memory/4224-357-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4224-358-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4272-200-0x0000000000000000-mapping.dmp

Download
memory/4272-204-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4272-203-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4272-206-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4272-209-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4304-166-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4304-155-0x0000000000000000-mapping.dmp

Download
memory/4324-160-0x0000000000000000-mapping.dmp

Download
memory/4348-315-0x0000000000000000-mapping.dmp

Download
memory/4348-318-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4348-319-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4348-321-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4348-324-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4372-289-0x0000000000000000-mapping.dmp

Download
memory/4388-251-0x0000000000000000-mapping.dmp

Download
memory/4392-302-0x0000000000000000-mapping.dmp

Download
memory/4392-311-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4392-306-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4392-308-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4392-305-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4404-257-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4404-246-0x0000000000000000-mapping.dmp

Download
memory/4416-217-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4416-207-0x0000000000000000-mapping.dmp

Download
memory/4428-385-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4428-384-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4428-383-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4428-388-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4428-380-0x0000000000000000-mapping.dmp

Download
memory/4440-294-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4440-284-0x0000000000000000-mapping.dmp

Download
memory/4464-239-0x0000000000000000-mapping.dmp

Download
memory/4464-242-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4464-248-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4464-245-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4464-243-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4484-165-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4484-164-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4484-161-0x0000000000000000-mapping.dmp

Download
memory/4484-167-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4484-170-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4500-238-0x0000000000000000-mapping.dmp

Download
memory/4524-408-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4524-410-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4576-148-0x0000000000000000-mapping.dmp

Download
memory/4620-173-0x0000000000000000-mapping.dmp

Download
memory/4624-367-0x0000000000000000-mapping.dmp

Download
memory/4624-371-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4624-370-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4624-373-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4624-376-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4720-168-0x0000000000000000-mapping.dmp

Download
memory/4720-178-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4784-386-0x0000000000000000-mapping.dmp

Download
memory/4836-350-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4836-347-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4836-344-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4836-345-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4836-341-0x0000000000000000-mapping.dmp

Download
memory/4860-142-0x0000000000000000-mapping.dmp

Download
memory/4860-153-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4904-219-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4904-213-0x0000000000000000-mapping.dmp

Download
memory/4904-216-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4904-218-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4904-222-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4964-417-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/5024-391-0x0000000000000000-mapping.dmp

Download
memory/5116-333-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/5116-322-0x0000000000000000-mapping.dmp

Download